Opened 8 years ago

Closed 7 years ago

#2638 closed defect (bug) (invalid)

Title output in wp_list_pages() may render $title_li with backslashes (no use of stripslashes())

Reported by: lordjiem
Owned by:
Milestone:
Priority: normal
Severity: trivial
Version: 2.0.2
Component: Template
Keywords: wp_list_pages stripslashes
Focuses:
Cc:

Description

When trying the new Widgets plugin, I noticed that if I use the page list widget, its xhtml output is badly formed:

<h2 class=\"widgettitle\">Pages</h2>

instead of

<h2 class="widgettitle">Pages</h2>

and that in spite of the fact that the call to wp_list_pages() is made with well-formatted input in the function widget_pages().

So it seems that the $title_li is not cleaned before output in the wp_list_pages() function.

Currently it is:

if ( $r['title_li'] )
	$output .= '<li class="pagenav">' . $r['title_li'] . '<ul>';

when it should be, from my point of view:

if ( $r['title_li'] )
	$output .= '<li class="pagenav">' .  stripslashes($r['title_li']) . '<ul>';

to make it render correctly in xhtml.

Change History (1)

comment:1 jhodgdon 7 years ago

  • Resolution set to invalid
  • Status changed from new to closed

As it stands, the wp_list_pages function fragment above is simply printing out its input argument called "title_li" directly. I don't think wp_list_pages needs to be required to strip slashes out of its input arguments, and since other plugins might provide input that shouldn't be stripped of slashes, it could be dangerous to do so.

So it seems to me that the problem is that the Page List Widget is providing badly-formed input to the function, not that the function needs to strip slashes. Since you can put the argument list in single quotes, there is no reason that the widget can't include un-escaped double quotes. The bug is in the Widget, and should be taken up with the Widget authors.

I'll close this...
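
Added example, not part of the ticket and not WordPress code: a small PHP reproduction of the trade-off raised in comment:1, comparing the fix at the caller with stripslashes() in the output function. list_pages_title() and expect() are hypothetical helpers, the three input strings are constructed, and a single-quoted literal containing \" is only an assumed origin for the stray backslashes, since the ticket does not show the widget's code.

```php
<?php
// Hypothetical stand-in for the wp_list_pages() fragment quoted in the ticket.
// $strip = true models the change the reporter proposed.
function list_pages_title(array $r, bool $strip = false): string {
    if (empty($r['title_li'])) {
        return '';
    }
    $title = $strip ? stripslashes($r['title_li']) : $r['title_li'];
    return '<li class="pagenav">' . $title . '<ul>';
}

// Throws on a failed check so the script stops at the first wrong assumption.
function expect(bool $ok, string $what): void {
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
    echo "ok: $what\n";
}

// Constructed caller input. In a single-quoted PHP literal \" is not an
// escape sequence, so both backslashes end up in the data.
$slashed = '<h2 class=\"widgettitle\">Pages</h2>';
// The same markup with the caller fixed: no escaping needed in single quotes.
$clean = '<h2 class="widgettitle">Pages</h2>';
// Constructed title whose backslash is real content.
$literal = 'Backups in C:\temp';

expect(strlen($slashed) === strlen($clean) + 2, 'caller literal carries two stray backslashes');

// Unchanged sink: output mirrors input, so only the slashed caller is malformed.
expect(strpos(list_pages_title(['title_li' => $slashed]), '\\"') !== false, 'slashed input passes through verbatim');
expect(list_pages_title(['title_li' => $clean]) === '<li class="pagenav">' . $clean . '<ul>', 'clean input renders well-formed');

// Sink with stripslashes(): repairs the slashed caller ...
expect(list_pages_title(['title_li' => $slashed], true) === list_pages_title(['title_li' => $clean]), 'stripping hides the caller bug');
// ... but silently alters content from a caller that did nothing wrong.
expect(list_pages_title(['title_li' => $literal], true) === '<li class="pagenav">Backups in C:temp<ul>', 'stripping drops a legitimate backslash');
```

Run it with the PHP CLI; every check prints an "ok:" line, and the last one shows the data loss that unconditional stripping in the shared function would cause for other callers.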
