Make WordPress Core

Opened 6 years ago

Closed 22 months ago

Last modified 22 months ago

#44916 closed defect (bug) (wontfix)

Add escape in walker nav menu title

Reported by: anonymized_13528887's profile anonymized_13528887 Owned by: welcher's profile welcher
Milestone: Priority: normal
Severity: normal Version:
Component: Menus Keywords: has-patch needs-unit-tests close
Focuses: Cc:

Description

Escape walker nav menu title after applying filter

Attachments (2)

44916.diff (647 bytes) - added by anonymized_13528887 6 years ago.
44916.2.diff (573 bytes) - added by welcher 6 years ago.
Adds late escaping

Download all attachments as: .zip

Change History (9)

#1 @mukesh27
6 years ago

  • Keywords 2nd-opinion added
  • Summary changed from Escape walker nav menu title to Add escape in walker nav menu title

Hi @harshall, welcome to WordPress Trac! Thanks for the ticket.

i have check other instance of menu title but escape is not added in menu title.

#2 @Hareesh Pillai
6 years ago

This is a good check to add, as the filter response may return invalid output.

@welcher
6 years ago

Adds late escaping

#3 @welcher
6 years ago

  • Keywords needs-unit-tests added; 2nd-opinion removed
  • Owner set to welcher
  • Status changed from new to assigned

@harshall I've updated the patch against latest trunk and modified it to use late escaping as well.

It can probably do with some unit tests.

#4 @welcher
6 years ago

  • Milestone changed from Awaiting Review to 5.2.2

#5 @SergeyBiryukov
6 years ago

  • Keywords close added
  • Milestone changed from 5.2.2 to Awaiting Review

Historically, HTML is allowed in titles, see discussions in #4789, #14361, #22436.

Markup is allowed in post titles and it gets sanitized by KSES, meaning users without the unfiltered_html capability are limited to tags such as <strong>, <em>, and a few others.

If we do decide to reconsider this, there are multiple places where titles are not escaped, but at least Walker_Page should be updated for consistency.

#6 @hellofromTonya
22 months ago

I agree with @SergeyBiryukov that historically HTML is allowed in titles.

Fast forward 4 years, @welcher do you see a use case where the nav menu walker should not allow HTML with its title?

#7 @welcher
22 months ago

  • Milestone Awaiting Review deleted
  • Resolution set to wontfix
  • Status changed from assigned to closed

I don't see one, no. I'll mark as closed. Thanks for the follow up here.

Last edited 22 months ago by welcher (previous) (diff)
Note: See TracTickets for help on using tickets.