WordPress.org

Make WordPress Core

Opened 7 years ago

Closed 7 years ago

#4731 closed defect (bug) (fixed)

Inline tags in title attribute for post permalinks not stripped

Reported by: tarmiziaffandi Owned by:
Milestone: 2.3 Priority: highest omg bbq
Severity: normal Version: 2.2.2
Component: Template Keywords: has-patch dev-reviewed commit
Focuses: Cc:

Description

Defect in the default theme.

Scenario

A WordPress (with the default theme active) user uses inline tags to format his post title: "My <em>example</em> post". But when he publishes the post, the resulting index page becomes XHTML invalid.

Defect

Here is an excerpt of the page source containing the mentioned invalid markup:

<h2><a href="http://www.example.com/posts/my-example-post/" rel="bookmark" title="Permanent Link to My <em>example</em> post">My <em>example</em> post</a></h2>

Notice that the title attribute of the a element containing the permalink has inline HTML tags (<em> and </em> in this case), which comes from the post title, which are disallowed and considered invalid. The post title text itself is valid.

Cause

The markup comes from this code in the default theme source (index.php, line 10):

<h2><a href="<?php the_permalink() ?>" rel="bookmark" title="Permanent Link to <?php the_title(); ?>"><?php the_title(); ?></a></h2>

The first the_title() WordPress tag outputs the raw post title, which may contains inline HTML tags, thus making the resulting markup invalid. These tags should be stripped.

Suggested solution

The suggested solution to this problem is to strip any HTML tags resulting from the output of the the_title() tag in HTML attribute values (so that My <em>example</em> post becomes My example post). Here is my modification of the above code:

<h2><a href="<?php the_permalink() ?>" rel="bookmark" title="Permanent Link to <?php echo strip_tags(the_title('', '', false)); ?>"><?php the_title(); ?></a></h2>

The following files contain similar problems:

  • archive.php, line 36
  • attachment.php, line 14
  • search.php, line 18
  • single.php, line 13

Attachments (2)

4731.diff (4.6 KB) - added by Nazgul 7 years ago.
the_title_attribute.diff (5.1 KB) - added by ryan 7 years ago.

Download all attachments as: .zip

Change History (9)

comment:1 Nazgul7 years ago

  • Keywords needs-patch added
  • Milestone changed from 2.2.3 to 2.3 (trunk)

Nazgul7 years ago

comment:2 Nazgul7 years ago

  • Keywords has-patch added; needs-patch removed

comment:3 markjaquith7 years ago

  • Priority changed from high to highest omg bbq

That's a lot of code... maybe we need the_title_attribute()

comment:4 ryan7 years ago

Indeed, and it should use get_post_field with attribute as the context. Also, sanitize_post_field should issue attribute_* filters so we can attach strip_tags to attribute_post_field.

We can do a less involved implementation for 2.3 that doesn't involve the filtering.

ryan7 years ago

comment:5 ryan7 years ago

Patch adds the_title_attribute().

comment:6 markjaquith7 years ago

  • Keywords dev-reviewed commit added

Only a minor nitpick here: the output of strlen() can never be negative, so you only need to test == 0 not <= 0

Looks good, and works in testing.

comment:7 ryan7 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [6132]) the_title_attribute(). Props Nazgul. fixes #4731

Note: See TracTickets for help on using tickets.