Site Title not escaped when using HTML entities

[BandonRandon]

Today I tried to set my site title to <Brooke><Codes> and learned that the site title field escapes the < character. This is fine I thought, I'll use HTML entities. While this worked at first this also failed in the end. Is there a way to use the same escaping used on posts titles on site titles?

Here are a few screenshots to show the problem:

Title using HTML entities:

After saving the above:

After saving the above:

To me the real issue is that it fails silently. I know enough to know why it fails but to many of our users they may have a WTF reaction.

[BandonRandon]

I dung into this some more and learned that you are able to use valid HTML in the site title. For example if you decided to use <em>Site</em> <strong> Title</strong> the title will save and output correctly.

It looks like this problem is only occurring when using invalid HTML.

I have submitted a patch that switches from using wp_kses_post to htmlentities2 in formatting.php resolving this issue.

[Clorith]

Seems like a simple fix, should probably update the patch to space out the attribute to conform with the coding standards.

I did test a few versions back, and in 2.0 when sanitize_option was introduced this was not a problem, but in 2.9 it does happen, so somewhere along that road a regression occurred that was missed.

We should probably also have unit tests for sanitize_option when considering all the functions the various cases relies on.

[BandonRandon]

Add spacing around attribute

[BandonRandon]

Should probably update the patch to space out the attribute to conform with the coding standards.

Added in 27942.2.patch

[lancewillett]

This could be a duplicate of #24328.

[SergeyBiryukov]

#24328 was marked as a duplicate.

[pauldewouters]

unit tests for sanitize_option

[pauldewouters]

I added some tests for 'blogname', is this a good start?

[BandonRandon]

Patch With Unit Test

[BandonRandon]

Updated patch against trunk and added unit test.

[markjaquith]

Seems to work. Unit tests pass. Much better user experience.

[kovshenin]

Added unit tests for blogdescription too. Also looked into some history, goes all the way back to r5541 and looks like it's good to go.

[kovshenin]

In 35788:

Allow usage of angle brackets in a site title or tagline.

The whole string is escaped with esc_html() anyway, so we don't
need to wp_kses_post(). This is a better experience for users who
want to use angle brackets in their site title or description.
Does not allow any HTML, adds unit tests.

props BandonRandon, pauldewouters.
fixes #27942.