Make WordPress Core

Opened 7 years ago

Closed 4 years ago

Last modified 4 years ago

#22436 closed enhancement (invalid)

escape recent posts widget post titles

Reported by: niallkennedy
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: Widgets
Keywords: has-patch
Focuses:
Cc:

Description

The recent posts widget escapes the title attribute but does not escape element text. Add an esc_html wrapper to post title values to escape before output.

Example post title: Post about < stuff >

Attachments (1)

default-widgets.diff (837 bytes) - added by niallkennedy 7 years ago.
esc_html title

Change History (8)

@niallkennedy
7 years ago

esc_html title

#1 follow-up: @nacin
7 years ago

  • Type changed from defect (bug) to enhancement

We certainly don't need to escape the ID. I'm wondering about the title, though. Non-HTML content like a loose ampersand or angle bracket should indeed be encoded, but that doesn't mean we should be encoding other HTML found in titles. I'd much rather see italics if that's what the user added, than raw "<em>" and "</em>". Strip tags could work but that doesn't really respect what the user was aiming for.

What we really need is a sane conversion of reserved characters (<>&"') used in post_title to their encoded equivalents, as long as they are not actually HTML. This should actually probably happen on save (it already does in part for ampersands, IIRC), outputted as-is for display, then be reversed for edit so the user is editing "<em>" and "5 < 6" just the same. Complicated, but no way around this.

In the end, this isn't really a bug.

#2 @johnbillion
7 years ago

Just to expand on what Nacin said; this actually applies anywhere, not just in the widget you mentioned. Markup is allowed in post titles and it gets sanitized by KSES, meaning users without the unfiltered_html capability are limited to tags such as <strong>, <em> and a few others.

#3 in reply to: ↑ 1 @johnbillion
7 years ago

Replying to nacin:

What we really need is a sane conversion of reserved characters (<>&"') used in post_title to their encoded equivalents, as long as they are not actually HTML. This should actually probably happen on save (it already does in part for ampersands, IIRC), outputted as-is for display, then be reversed for edit so the user is editing "<em>" and "5 < 6" just the same.

Surely not. Characters should be escaped on display, not on save, otherwise we'll end up doing things like html_entity_decode() when the title is used in attributes. See #11311.
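An added example, not part of this ticket, the attached patch, or WordPress core, written in Python rather than PHP so the behaviour can be checked stand-alone. It shows the three things the thread argues about: the unpatched widget leaving the element text unescaped for the description's sample title, the blanket esc_html wrapper turning an allowed <em> into visible "&lt;em&gt;" (Nacin's objection), a sketch of Nacin's "sane conversion" that encodes reserved characters only when they do not form an allowed tag, and johnbillion's point that encoding on save forces double encoding when the stored value later goes through an attribute escaper. All names (`ALLOWED_TAGS`, `encode_stray`, `render_recent_post`, `attribute_after_encoding_on_save`), the two-tag allow-list, and the sample titles and URL are assumptions constructed for the example; `esc_html` here is a stand-in built on `html.escape`, not the WordPress function.

```python
import html
import re

# Tags the thread says a user without unfiltered_html may keep in a title.
# An assumed subset for the example; the real KSES allow-list is larger.
ALLOWED_TAGS = {"strong", "em"}

# Bare opening/closing tags only (no attributes); attributes stay KSES's job.
TAG_RE = re.compile(r"</?([a-zA-Z][a-zA-Z0-9]*)\s*>")
# An '&' that does not already begin a character reference such as &amp; or &#039;.
STRAY_AMP_RE = re.compile(r"&(?!(?:#\d+|#[xX][0-9a-fA-F]+|[a-zA-Z][a-zA-Z0-9]*);)")


def esc_html(text: str) -> str:
    """Stand-in for the esc_html() wrapper the patch proposes: every reserved
    character is encoded, including the angle brackets of an allowed <em>."""
    return html.escape(text, quote=True)


def _escape_reserved(text: str) -> str:
    """Encode < > & " ' in a text run without double-encoding existing entities."""
    text = STRAY_AMP_RE.sub("&amp;", text)
    return (text.replace("<", "&lt;").replace(">", "&gt;")
                .replace('"', "&quot;").replace("'", "&#039;"))


def encode_stray(title: str) -> str:
    """Sketch of the 'sane conversion' from comment 1: reserved characters are
    encoded unless they form a tag on the allow-list, so '5 < 6' becomes safe
    text while <em>...</em> still renders as italics. Disallowed tags such as
    <script> are encoded rather than stripped, so the user sees what they typed."""
    out, pos = [], 0
    for m in TAG_RE.finditer(title):
        out.append(_escape_reserved(title[pos:m.start()]))
        if m.group(1).lower() in ALLOWED_TAGS:
            out.append(m.group(0))                    # keep <em>, </strong>, ...
        else:
            out.append(_escape_reserved(m.group(0)))  # <script> etc. become text
        pos = m.end()
    out.append(_escape_reserved(title[pos:]))
    return "".join(out)


def render_recent_post(title: str, url: str, text_escaper) -> str:
    """Shape of the widget markup from the description: the title attribute is
    attribute-escaped, the element text goes through whichever escaper is passed.
    Passing the identity function reproduces the unpatched behaviour."""
    return '<a href="%s" title="%s">%s</a>' % (
        url, html.escape(title, quote=True), text_escaper(title))


def attribute_after_encoding_on_save(title: str) -> str:
    """Comment 3's objection: if the title were encoded on save (encode_stray as
    the stored form) and a naive attribute escaper ran on display, the ampersand
    would be encoded twice. Escaping the raw value on display avoids this."""
    stored = encode_stray(title)             # what 'escape on save' would persist
    return html.escape(stored, quote=True)   # display-time attribute escaping


if __name__ == "__main__":
    sample = "Post about < stuff >"          # the title from the ticket description
    print(render_recent_post(sample, "https://example.com/p", lambda t: t))
    print(render_recent_post(sample, "https://example.com/p", esc_html))
    print(esc_html("<em>Italic</em> title"))
    print(encode_stray("5 < 6 is <em>true</em>"))
    print(encode_stray("<script>alert(1)</script>"))
    print(attribute_after_encoding_on_save("Tom & Jerry"))
```

The allow-list regex only recognises bare tags; a title such as `<em class="x">` would be encoded whole, which is the conservative failure mode. The double-encoding function uses a naive attribute escaper on purpose, to make the save-versus-display trade-off visible rather than to describe how WordPress's own esc_attr behaves.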

#5 @chriscct7
4 years ago

  • Keywords close added

This looks like it can be closed. There isn't a bug to fix, it seems.

#6 @johnbillion
4 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

#7 @chriscct7
4 years ago

  • Keywords close removed