Make WordPress Core

Opened 17 years ago

Closed 17 years ago

#4731 closed defect (bug) (fixed)

Inline tags in title attribute for post permalinks not stripped

Reported by: tarmiziaffandi's profile tarmiziaffandi Owned by:
Milestone: 2.3 Priority: highest omg bbq
Severity: normal Version: 2.2.2
Component: Template Keywords: has-patch dev-reviewed commit
Focuses: Cc:


Defect in the default theme.


A WordPress (with the default theme active) user uses inline tags to format his post title: "My <em>example</em> post". But when he publishes the post, the resulting index page becomes XHTML invalid.


Here is an excerpt of the page source containing the mentioned invalid markup:

<h2><a href="" rel="bookmark" title="Permanent Link to My <em>example</em> post">My <em>example</em> post</a></h2>

Notice that the title attribute of the a element containing the permalink has inline HTML tags (<em> and </em> in this case), which comes from the post title, which are disallowed and considered invalid. The post title text itself is valid.


The markup comes from this code in the default theme source (index.php, line 10):

<h2><a href="<?php the_permalink() ?>" rel="bookmark" title="Permanent Link to <?php the_title(); ?>"><?php the_title(); ?></a></h2>

The first the_title() WordPress tag outputs the raw post title, which may contains inline HTML tags, thus making the resulting markup invalid. These tags should be stripped.

Suggested solution

The suggested solution to this problem is to strip any HTML tags resulting from the output of the the_title() tag in HTML attribute values (so that My <em>example</em> post becomes My example post). Here is my modification of the above code:

<h2><a href="<?php the_permalink() ?>" rel="bookmark" title="Permanent Link to <?php echo strip_tags(the_title('', '', false)); ?>"><?php the_title(); ?></a></h2>

The following files contain similar problems:

  • archive.php, line 36
  • attachment.php, line 14
  • search.php, line 18
  • single.php, line 13

Attachments (2)

4731.diff (4.6 KB) - added by Nazgul 17 years ago.
the_title_attribute.diff (5.1 KB) - added by ryan 17 years ago.

Download all attachments as: .zip

Change History (9)

#1 @Nazgul
17 years ago

  • Keywords needs-patch added
  • Milestone changed from 2.2.3 to 2.3 (trunk)

17 years ago

#2 @Nazgul
17 years ago

  • Keywords has-patch added; needs-patch removed

#3 @markjaquith
17 years ago

  • Priority changed from high to highest omg bbq

That's a lot of code... maybe we need the_title_attribute()

#4 @ryan
17 years ago

Indeed, and it should use get_post_field with attribute as the context. Also, sanitize_post_field should issue attribute_* filters so we can attach strip_tags to attribute_post_field.

We can do a less involved implementation for 2.3 that doesn't involve the filtering.

#5 @ryan
17 years ago

Patch adds the_title_attribute().

#6 @markjaquith
17 years ago

  • Keywords dev-reviewed commit added

Only a minor nitpick here: the output of strlen() can never be negative, so you only need to test == 0 not <= 0

Looks good, and works in testing.

#7 @ryan
17 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [6132]) the_title_attribute(). Props Nazgul. fixes #4731

Note: See TracTickets for help on using tickets.