Make WordPress Core

Opened 16 years ago

Closed 12 years ago

Last modified 9 years ago

#4789 closed enhancement (wontfix)

Write Post title doesn't escape HTML tags

Reported by: hje1555
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 2.3.2
Component: Administration
Keywords: dev-feedback
Focuses:
Cc:


I was writing a new post and I used the title "Curse of the <p>". When saving the post, it appears under Your Drafts but the <p> has not been escaped, so the browser renders a line break.

Change History (17)

#1 follow-up: @santosj
16 years ago


"Curse of the &lt;p&gt;"

Perhaps a setting, where it allows you to place HTML in the title if you want and escape it if you don't.

#2 in reply to: ↑ 1 @JeremyVisser
16 years ago

Replying to santosj:

Perhaps a setting, where it allows you to place HTML in the title if you want and escape it if you don't.

Noooo! We don't need Yet Another (tm) setting, for such a niche thing. Do The Right Thing (tm) in the first place, and we don't need it to be changed.

#3 @markjaquith
16 years ago

I don't think HTML belongs in titles, but there is a small-but-vocal contingent who thinks it does.

If we do entitize it, we should do it in a way that allows a plugin to circumvent it.

#4 @hje1555
16 years ago

This kind of input should be sanitized. The exception is the Code view, where it is clear that a restricted set of XHTML is allowed.

#5 @hje1555
16 years ago

  • Resolution set to duplicate
  • Status changed from new to closed

#6 @Nazgul
16 years ago

  • Milestone 2.4 deleted

#7 follow-up: @Viper007Bond
16 years ago

It's a toughy. Personally, I like being able to <del> and <em> stuff in my titles.

#8 in reply to: ↑ 7 @Viper007Bond
16 years ago

Replying to Viper007Bond:

It's a toughy. Personally, I like being able to <del> and <em> stuff in my titles.

Although for the average user, I think they'd expect that those items would display as typed.

So, a solution:

On output (anywhere and everywhere), filter the title and do a htmlspecialchars() on it rendering HTML invalid. For us wishing to still post HTML in titles, we could just remove the filter.

#9 @DavidSzp
15 years ago

  • Component changed from General to Administration
  • Milestone set to 2.4
  • Resolution duplicate deleted
  • Status changed from closed to reopened
  • Version set to 2.3.2

I wrote a post with the title "</2007>" for New Years Eve today. Instead, my post title turns up blank in the web browser. This is not expected behavior! It is not clear that HTML is acceptable and must be escaped in the title anywhere in the interface. I had to edit the post title to "&lt;/2007&gt;" manually, which fixed it, but I shouldn't have had to do that.

Additionally, with the original title I specified above, the auto-generated post-slug was "176" which was the post ID of the post, not "2007" which is the expected, sanitized slug (I changed it to "closing-2007" manually, but it was still incorrect).

I do agree that allowing a plugin to override this behavior if people want to use HTML in their titles is a good idea.

I am re-opening this ticket as although it is marked duplicate, I can't find where the duplicate ticket is! I searched.

#10 @westi
15 years ago

  • Keywords needs-patch added
  • Milestone changed from 2.5 to 2.6

Moving to 2.6

Not a simple change and needs a patch.

#11 @Viper007Bond
14 years ago

  • Type changed from defect (bug) to enhancement

Intended behavior currently, so it's not a bug.

#12 @Denis-de-Bernardy
14 years ago

  • Keywords dup added
  • Milestone changed from 2.9 to Future Release

Moreover, it's still a dup... Can't recall where it is, but I'm pretty certain it's in there...

#13 @Denis-de-Bernardy
14 years ago

  • Keywords dup removed

#14 @solarissmoke
12 years ago

  • Keywords dev-feedback added; needs-patch removed

Any thoughts from senior devs on whether this is worth keeping open? Suggestions above are basically:

  • Add an esc_html filter to the title, which advanced users can remove (I can see serious back-compat issues here)
  • Add a setting to determine behaviour
  • Do nothing, it's intended behaviour
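The output-side approach proposed in #8 and listed first in #14 (escape the title when it is displayed, leave the stored title alone, and let advanced users remove the filter), written out as an added example mu-plugin. This is not code from the ticket or from WordPress core; the plugin and function names are hypothetical, and it assumes the standard hooks API (add_filter/remove_filter) and esc_html(), which is available in WordPress 2.8 and later.

```php
<?php
/**
 * Plugin Name: Escape HTML in post titles (hypothetical example, not core code)
 *
 * Illustrates the proposal from comments #8 and #14: escape on output via a
 * removable filter instead of changing what is stored in the database.
 */

// Escape titles wherever the_title() / get_the_title() render them.
// esc_html() turns "Curse of the <p>" into "Curse of the &lt;p&gt;", so the
// browser shows the tag as text instead of rendering a paragraph break, and
// "</2007>" is displayed instead of vanishing. It does not double-encode, so a
// title that was already typed as "&lt;/2007&gt;" passes through unchanged.
// Priority 20 runs after core's default the_title filters (wptexturize,
// convert_chars, trim at priority 10), so escaping is applied last and the
// texturized output cannot reintroduce raw markup.
add_filter( 'the_title', 'esc_html', 20 );

// Opt-out for sites that deliberately put markup such as <del> or <em> in
// titles (comment #7). A theme or another plugin removes the filter with the
// same callback name and priority; hooking the removal on 'init' ensures this
// mu-plugin has already registered the filter regardless of load order.
function example_allow_html_in_titles() {
    remove_filter( 'the_title', 'esc_html', 20 );
}
// Uncomment in the theme or plugin that wants raw HTML titles back:
// add_action( 'init', 'example_allow_html_in_titles' );
```

The back-compat cost noted in #14 is exactly what the opt-out covers: any existing site relying on HTML titles sees literal tags until it removes the filter.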

#15 @nacin
12 years ago

  • Milestone Future Release deleted
  • Resolution set to wontfix
  • Status changed from reopened to closed

This has been called intended behavior for quite a while. Closing due to lack of traction.

#17 @SergeyBiryukov
9 years ago

#14361 was marked as a duplicate.
