Make WordPress Core

Opened 9 years ago

Closed 8 years ago

#3991 closed defect (bug) (duplicate)

Default theme allows markup in titles

Reported by: elharo
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 2.1.2
Component: Security
Keywords: has-patch
Focuses:
Cc:


Tags are allowed in the title of a WordPress post. They are returned by the_title() function. They must not be used in attribute values, but in the default theme they are. For example, create a post with this title:

<strong style="color: green">Strong</strong> Test for Markup In Titles & Summaries

Publish it with the default theme. Look at the post. You'll see the bug. This occurs in both index.php and single.php. The headers end up like this:

<h1 class="single"><a href="http://www.elharo.com/blog/software-development/web-development/2007/03/17/a-strong-test-for-markup-in-titles-summaries/" rel="bookmark" title="Permanent Link: A <strong style="color: green">Strong</strong> Test for Markup In Titles &amp; Summaries">A <strong style="color: green">Strong</strong> Test for Markup In Titles &amp; Summaries</a></h1>

Notice how a tag has snuck into the title attribute. This is invalid HTML, and browsers deal with it inconsistently, but in none of them is this good. The fix is to change

Permanent Link to <?php the_title(); ?>

to

Permanent Link to <?php the_title_rss(); ?>.

You need to do this in at least three files, archive, single.php, and index.php.

Attachments (1)

d.patch (713 bytes) - added by mikewp 9 years ago.


Change History (7)

@mikewp 9 years ago

comment:1 @mikewp 9 years ago

  • Component changed from Template to Security

Markup shouldn't be allowed in the title. The styling can be done via CSS.

I've attached a patch. It adds an htmlentities filter for the title before wptexturize.

comment:2 @mikewp 9 years ago

The patch is for default-filters.php. Sorry, it's my first patch submission.
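The two approaches on this ticket (escaping the title at the point where it lands in an attribute, as the report suggests, versus entity-encoding the whole title through a filter, as the attached patch does) differ in what they break and what they keep. The stand-alone PHP below is an added example written for this page; it is not code from the ticket, the patch, or WordPress itself. `$title` is a constructed value mirroring the report's test title, `/post/` is a placeholder URL, and `header_unsafe`, `attr_text`, `element_text`, `header_safe` and `filter_htmlentities` are hypothetical names chosen here.

```php
<?php
// Added example (not from the ticket or WordPress): the same post title
// rendered three ways. Constructed input mirroring the report's test title.
$title = '<strong style="color: green">Strong</strong> Test for Markup In Titles & Summaries';

// 1. What the default theme did: the raw title is dropped into title="...".
//    The double quote inside the <strong> tag terminates the attribute early,
//    so the browser sees a half-open <a> element, which is the breakage
//    described in the report.
function header_unsafe(string $title): string {
    return '<h1><a href="/post/" title="Permanent Link to ' . $title . '">'
         . $title . '</a></h1>';
}

// 2. Context-aware escaping. An attribute value can only ever hold text, so
//    strip the tags and then encode quotes, <, > and &. Element content may
//    keep inline markup, but a bare ampersand still has to become &amp; for
//    the output to be valid HTML; existing entities are left untouched.
function attr_text(string $s): string {
    return htmlspecialchars(strip_tags($s), ENT_QUOTES, 'UTF-8');
}
function element_text(string $s): string {
    // Encode only ampersands that do not already start an entity reference.
    return preg_replace('/&(?![a-zA-Z][a-zA-Z0-9]*;|#[0-9]+;|#x[0-9a-fA-F]+;)/', '&amp;', $s);
}
function header_safe(string $title): string {
    return '<h1><a href="/post/" title="Permanent Link to ' . attr_text($title) . '">'
         . element_text($title) . '</a></h1>';
}

// 3. The approach of comment:1, modelled as a single filter step applied to
//    the title before anything else: entity-encode the whole string, so no
//    markup survives anywhere. The caveat a reviewer would raise is double
//    encoding: a stored title that already contains &amp; would become
//    &amp;amp; unless double_encode is switched off, as done here.
function filter_htmlentities(string $title): string {
    return htmlentities($title, ENT_QUOTES, 'UTF-8', /* double_encode */ false);
}

echo header_unsafe($title), PHP_EOL;
echo header_safe($title), PHP_EOL;
echo '<h1>', filter_htmlentities($title), '</h1>', PHP_EOL;
```

Run with `php example.php` and compare the three lines: the first has a `title` attribute that ends at `style="`, the second has a plain-text attribute with the inline `<strong>` preserved in the heading, and the third shows the tags themselves rendered as literal text, which is the trade-off the patch accepts in exchange for one fix that covers every template file.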

comment:3 @mikewp 9 years ago

  • Keywords has-patch added

comment:4 @foolswisdom 9 years ago

  • Milestone changed from 2.1.3 to 2.2

comment:5 @rob1n 9 years ago

  • Milestone changed from 2.2 to 2.3

comment:6 @Nazgul 8 years ago

  • Milestone 2.3 deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Duplicate of #4731
