Drop strip_tags() for widget titles in forms

[greenshady]

I was putting together a quick plugin to allow some basic HTML in widget titles. I hit a snag when I realized that core handles the output of the title field inconsistently in widget forms.

Basically, a few widgets run the title field through strip_tags() before outputting the <input> field. All we really need is esc_attr() in this case.

Uses strip_tags() + esc_attr()

• Archives
• Meta
• Calendar
• Text

Uses esc_attr() only

• Pages
• Search
• Categories
• Recent Posts
• Recent Comments
• Tag Cloud
• Nav Menu

I'm adding a patch so that these are treated consistently and simply escaped with esc_attr(). If we want to keep the strip_tags(), it should be done the same across the board.

Plugin for testing: ​https://github.com/justintadlock/widget-title-html

[welcher]

Related #23012.

[westonruter]

I think strip_tags() is perhaps a legacy option where a newer more appropriate sanitizing function sanitize_text_field() is available now which strips tags in addition to doing a lot more, like trimming whitespace and ensuring valid encoding. In any case, we shouldn't be using esc_attr() for sanitizing input anyway.

[greenshady]

Replying to westonruter:

I think strip_tags() is perhaps a legacy option where a newer more appropriate sanitizing function sanitize_text_field() is available now which strips tags in addition to doing a lot more, like trimming whitespace and ensuring valid encoding. In any case, we shouldn't be using esc_attr() for sanitizing input anyway.

This is not about sanitizing input. It's about escaping output.

[westonruter]

Ah, right. I missed that your patch was for the form callback, and not the update callback.

[welcher]

I think this was addressed with 33814.

[greenshady]

Replying to welcher:

I think this was addressed with 33814.

Yes, it was.

[DrewAPicture]

See [33814].