Make WordPress Core

#24083 closed enhancement (fixed)

the_author_posts_link() not properly escaping HTML output

Reported by: bradkovach
Owned by:
Milestone: 3.6
Priority: normal
Severity: normal
Version: 3.5.1
Component: Template
Keywords:
Focuses:
Cc:


I was running an HTML5 validator on one of the sites I manage and noticed that the_author_posts_link is not properly escaped.

For example,

<a href="http://www.chud.com/author/William Thomas-Berk/" title="Posts by William Thomas Berk" rel="author">William Thomas Berk</a>

Notice that the URI has a space in it that should be encoded as %20 before being output. As a result, there are a lot of HTML validation errors being shown.

Change History (3)

comment:1 ocean90 12 months ago

  • Component changed from General to Template
  • Milestone changed from Awaiting Review to 3.6
  • Severity changed from minor to normal
  • Type changed from defect (bug) to enhancement

Fixed in [23528].

comment:2 SergeyBiryukov 12 months ago

Note that the user_nicename field (which the function uses to construct the URL) is supposed to be a sanitized (URL-friendly) version of user_login. It should not contain spaces.

comment:3 aaroncampbell 11 months ago

  • Resolution set to fixed
  • Status changed from new to closed

I agree that user_nicename is expected to be URL friendly. Now that we run the URL through esc_url(), I think we should consider this fixed.
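
Added example, not part of the ticket and not WordPress core code: a self-contained PHP illustration of the issue discussed above, showing the author link built with no output escaping beside a version that escapes each value for the context it lands in. The example_* helper names are hypothetical, and plain PHP functions stand in for WordPress's own escaping API.

```php
<?php
// Added example: NOT WordPress core code. All example_* names are hypothetical.

/** Percent-encode one path segment, then HTML-escape the whole URL for an attribute. */
function example_author_href(string $base, string $nicename): string {
    // rawurlencode() turns a space into %20 (urlencode() would produce '+').
    $url = rtrim($base, '/') . '/author/' . rawurlencode($nicename) . '/';
    return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
}

/** Link as the ticket shows it: values concatenated with no output escaping. */
function example_link_unescaped(string $base, string $nicename, string $name): string {
    return '<a href="' . $base . '/author/' . $nicename . '/" title="Posts by '
        . $name . '" rel="author">' . $name . '</a>';
}

/** Same link with each value escaped for the context it is written into. */
function example_link_escaped(string $base, string $nicename, string $name): string {
    $text = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    return '<a href="' . example_author_href($base, $nicename) . '" title="Posts by '
        . $text . '" rel="author">' . $text . '</a>';
}

// Values taken from the ticket's sample markup.
$base = 'http://www.chud.com';
echo example_link_unescaped($base, 'William Thomas-Berk', 'William Thomas Berk'), "\n";
echo example_link_escaped($base, 'William Thomas-Berk', 'William Thomas Berk'), "\n";

// Constructed value: a double quote in the display name must not end the title attribute.
echo example_link_escaped($base, 'william-thomas-berk', 'William "Bill" Berk'), "\n";
```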
