Make WordPress Core

Opened 12 years ago

Closed 9 years ago

Last modified 6 years ago

#4789 closed enhancement (wontfix)

Write Post title doesn't escape HTML tags

Reported by: hje1555
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 2.3.2
Component: Administration
Keywords: dev-feedback
Focuses:
Cc:
PR Number:

Description

I was writing a new post and I used the title "Curse of the <p>". When saving the post, it appears under Your Drafts but the <p> has not been escaped, so the browser renders a line break.

Change History (17)

#1 follow-up: @santosj
12 years ago

Fix

"Curse of the &lt;p&gt;"

Perhaps a setting, where it allows you to place HTML in the title if you want and escape it if you don't.

#2 in reply to: ↑ 1 @JeremyVisser
12 years ago

Replying to santosj:

Perhaps a setting, where it allows you to place HTML in the title if you want and escape it if you don't.

Noooo! We don't need Yet Another (tm) setting, for such a niche thing. Do The Right Thing (tm) in the first place, and we don't need it to be changed.

#3 @markjaquith
12 years ago

I don't think HTML belongs in titles, but there is a small-but-vocal contingent who thinks it does.

If we do entitize it, we should do it in a way that allows a plugin to circumvent it.

#4 @hje1555
12 years ago

This kind of input should be sanitized. The exception is the Code view, where it is clear that a restricted set of XHTML is allowed.

#5 @hje1555
12 years ago

  • Resolution set to duplicate
  • Status changed from new to closed

#6 @Nazgul
12 years ago

  • Milestone 2.4 deleted

#7 follow-up: @Viper007Bond
12 years ago

It's a toughy. Personally, I like being able to <del> and <em> stuff in my titles.

#8 in reply to: ↑ 7 @Viper007Bond
12 years ago

Replying to Viper007Bond:

It's a toughy. Personally, I like being able to <del> and <em> stuff in my titles.

Although for the average user, I think they'd expect that those items would display as typed.

So, a solution:

On output (anywhere and everywhere), filter the title and do a htmlspecialchars() on it rendering HTML invalid. For us wishing to still post HTML in titles, we could just remove the filter.

#9 @DavidSzp
12 years ago

  • Component changed from General to Administration
  • Milestone set to 2.4
  • Resolution duplicate deleted
  • Status changed from closed to reopened
  • Version set to 2.3.2

I wrote a post with the title "</2007>" for New Years Eve today. Instead, my post title turns up blank in the web browser. This is not expected behavior! It is not clear that HTML is acceptable and must be escaped in the title anywhere in the interface. I had to edit the post title to "&lt;/2007&gt;" manually, which fixed it, but I shouldn't have had to do that.

Additionally, with the original title I specified above, the auto-generated post-slug was "176" which was the post ID of the post, not "2007" which is the expected, sanitized slug (I changed it to "closing-2007" manually, but it was still incorrect).

I do agree that allowing a plugin to override this behavior if people want to use HTML in their titles is a good idea.

I am re-opening this ticket as although it is marked duplicate, I can't find where the duplicate ticket is! I searched.
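The output-filter approach proposed in comment #8, applied to the titles quoted in this ticket and in comment #9, as an added example: this is not code from the ticket or from WordPress core. It is written as a small plugin file and assumes the WordPress hook API (add_filter, remove_filter, the the_title and wp_title filters) and esc_html, which comment #14 names and which did not exist yet in the 2.3.x release the ticket was filed against; the function name ticket4789_escape_title is my own. Run from the CLI without WordPress loaded, the same file only prints the escaped forms of a few constructed sample titles.

```php
<?php
/**
 * Plugin Name: Escape HTML in post titles on output (added example for ticket #4789)
 *
 * Assumptions: inside WordPress, add_filter/remove_filter/esc_html and the
 * the_title / wp_title filters are available. Outside WordPress (plain
 * `php` on the CLI) the file falls back to htmlspecialchars() and only
 * demonstrates the escaping on constructed sample titles.
 */

/**
 * Entitize a post title for HTML output.
 *
 * The stored title is left untouched; only what reaches the browser changes,
 * which is what lets a plugin opt out again by removing the filter.
 * double_encode=false keeps a title that was already escaped by hand, such as
 * the "&lt;/2007&gt;" workaround in comment #9, from turning into
 * "&amp;lt;/2007&amp;gt;" and displaying as literal entities.
 */
function ticket4789_escape_title( $title ) {
    $title = (string) $title;

    if ( function_exists( 'esc_html' ) ) {
        // WordPress's helper: specialchars without double-encoding, plus an
        // invalid-UTF-8 check. Same contract as the fallback below.
        return esc_html( $title );
    }

    return htmlspecialchars( $title, ENT_QUOTES, 'UTF-8', false );
}

if ( function_exists( 'add_filter' ) ) {
    // Priority 99 so this runs after plugins that deliberately add markup to
    // titles earlier in the chain; everything they produced is then escaped
    // rather than rendered.
    add_filter( 'the_title', 'ticket4789_escape_title', 99 );
    add_filter( 'wp_title', 'ticket4789_escape_title', 99 );

    // A site that wants <em>/<del> in titles (comment #7) opts out with the
    // same hook name and priority, for example from a theme's functions.php:
    //     remove_filter( 'the_title', 'ticket4789_escape_title', 99 );
    //     remove_filter( 'wp_title', 'ticket4789_escape_title', 99 );
}

if ( PHP_SAPI === 'cli' && ! defined( 'ABSPATH' ) ) {
    // Constructed sample titles, taken from the cases discussed in the ticket.
    $samples = array(
        'Curse of the <p>',                // original report
        '</2007>',                         // comment #9: rendered blank
        '&lt;/2007&gt;',                   // comment #9: manual workaround
        'I like <del>this</del> <em>a lot</em>', // comment #7 style markup
        'Tom & Jerry\'s "Best" Quotes',    // ampersand and quotes
    );

    foreach ( $samples as $raw ) {
        printf( "%-40s => %s\n", $raw, ticket4789_escape_title( $raw ) );
    }
}
```

Two things a practitioner would check before shipping this. First, it is output escaping only: the raw title stays in wp_posts, so themes or plugins that already escape titles themselves will now double-escape unless double_encode stays off, which is the back-compat concern raised in comment #14. Second, the_title and wp_title are not the only paths a title takes to the page (feeds, the admin list tables, single_post_title and the slug generator in comment #9 each have their own), so an escape-everything policy has to be applied per output context rather than once in the database.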

#10 @westi
12 years ago

  • Keywords needs-patch added
  • Milestone changed from 2.5 to 2.6

Moving to 2.6

Not a simple change and needs a patch.

#11 @Viper007Bond
11 years ago

  • Type changed from defect (bug) to enhancement

Intended behavior currently, so it's not a bug.

#12 @Denis-de-Bernardy
10 years ago

  • Keywords dup added
  • Milestone changed from 2.9 to Future Release

Moreover, it's still a dup... Can't recall where it is, but I'm pretty certain it's in there...

#13 @Denis-de-Bernardy
10 years ago

  • Keywords dup removed

#14 @solarissmoke
9 years ago

  • Keywords dev-feedback added; needs-patch removed

Any thoughts from senior devs on whether this is worth keeping open? Suggestions above are basically:

  • Add an esc_html filter to the title, which advanced users can remove (I can see serious back-compat issues here)
  • Add a setting to determine behaviour
  • Do nothing, it's intended behaviour

#15 @nacin
9 years ago

  • Milestone Future Release deleted
  • Resolution set to wontfix
  • Status changed from reopened to closed

This has been called intended behavior for quite a while. Closing due to lack of traction.

#17 @SergeyBiryukov
6 years ago

#14361 was marked as a duplicate.
