#22436 closed enhancement (invalid)
escape recent posts widget post titles
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Widgets | Keywords: | has-patch |
| Focuses: | | Cc: | |
Description
The recent posts widget escapes the title attribute but does not escape element text. Add an esc_html wrapper to post title values to escape before output.
Example post title: Post about < stuff >
Attachments (1)
Change History (8)
#1 by nacin, 12 years ago (follow-up: #3)
- Type changed from defect (bug) to enhancement
We certainly don't need to escape the ID. I'm wondering about the title, though. Non-HTML content like a loose ampersand or angle bracket should indeed be encoded, but that doesn't mean we should be encoding other HTML found in titles. I'd much rather see italics if that's what the user added, than raw "<em>" and "</em>". Strip tags could work but that doesn't really respect what the user was aiming for.
What we really need is a sane conversion of reserved characters (<>&"') used in post_title to their encoded equivalents, as long as they are not actually HTML. This should actually probably happen on save (it already does in part for ampersands, IIRC), outputted as-is for display, then be reversed for edit so the user is editing "<em>" and "5 < 6" just the same. Complicated, but no way around this.
In the end, this isn't really a bug.
#2, 12 years ago
Just to expand on what Nacin said; this actually applies anywhere, not just in the widget you mentioned. Markup is allowed in post titles and it gets sanitized by KSES, meaning users without the unfiltered_html capability are limited to tags such as <strong>, <em> and a few others.
#3, 12 years ago (in reply to: #1)
Replying to nacin:
What we really need is a sane conversion of reserved characters (<>&"') used in post_title to their encoded equivalents, as long as they are not actually HTML. This should actually probably happen on save (it already does in part for ampersands, IIRC), outputted as-is for display, then be reversed for edit so the user is editing "<em>" and "5 < 6" just the same.
Surely not. Characters should be escaped on display, not on save, otherwise we'll end up doing things like html_entity_decode() when the title is used in attributes. See #11311.
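The two points made in the description and in comment #3 (escape element text at output time, and never store pre-escaped titles, because the same value also lands in an attribute) are shown side by side below. This is an added example, not code from the ticket's patch or from WordPress core: it uses plain htmlspecialchars() as a stand-in for esc_html()/esc_attr(), and the function names escape_for_html, render_item and render_item_double_escaped are hypothetical.

```php
<?php
// Added example, not WordPress code. htmlspecialchars() with ENT_QUOTES
// stands in for esc_html()/esc_attr(): the reserved characters < > & " '
// become entities, which is what the ticket proposes for the widget title.
function escape_for_html(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Output-time escaping (the fix the ticket proposes): the stored title is
// escaped once per sink, as element text and again, separately, as the
// title attribute. Each sink gets exactly one escape.
function render_item(string $stored_title, string $url): string {
    return '<li><a href="' . escape_for_html($url)
        . '" title="' . escape_for_html($stored_title) . '">'
        . escape_for_html($stored_title) . '</a></li>';
}

// Escape-on-save (what comment #3 argues against): the title is already
// entity-encoded in storage, so the output-time escape encodes it a second
// time and "<" reaches the browser as the literal text "&lt;". The only way
// out is html_entity_decode() before every attribute use, which is the
// double-escaping mess comment #3 refers to.
function render_item_double_escaped(string $raw_title, string $url): string {
    $stored = escape_for_html($raw_title);  // encoded at save time
    return render_item($stored, $url);      // encoded again at output
}

// Constructed sample titles: the ticket's own example, one with markup
// KSES would allow for users without unfiltered_html, and one with quotes
// (the case that matters for the title="..." attribute).
$titles = [
    'Post about < stuff >',
    '<em>Italic</em> & bold',
    'Tom\'s "quoted" post',
];

foreach ($titles as $title) {
    echo "raw title:        {$title}\n";
    echo "escape on output: " . render_item($title, '/?p=1') . "\n";
    echo "escape on save:   " . render_item_double_escaped($title, '/?p=1') . "\n\n";
}
```

Running it shows the trade-off from comments #1 and #2 as well: output-time escaping turns the second title's <em> into visible "&lt;em&gt;" text rather than italics, which is exactly why the reporter's blanket esc_html() was rejected as a fix for a title that may legitimately contain KSES-allowed markup.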
#5, 10 years ago
- Keywords close added
This looks like it can be closed. There isn't a bug to fix, it seems.
esc_html title