Make WordPress Core

Opened 4 years ago

Last modified 6 months ago

#55714 reopened defect (bug)

& stored as &amp; for Post Title and Excerpt in Editor

Reported by: kapilpaul
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version:
Component: Editor
Keywords: has-test-info has-screenshots
Focuses:
Cc:

Description

Hi,

When an Author/other user (who has Create post permission) creates a post and adds a post title as Hello & Welcome to WordPress, after saving the post the post title is stored as Hello &amp; Welcome to WordPress in the DB. As it is stored like this, it shows the same in the editor. This is happening with the Excerpt also.

NB: This is not happening with Admin user or if you are using Gutenberg Editor.

Reproduce Steps:

  1. Disable your Gutenberg editor and enable the classic editor.
  2. Log in as an Author.
  3. Switch to a non-block-based theme. (Skip if your theme is not block based.)
  4. Go to Post > Add New
  5. Add Post Title, Excerpt as Hello & Welcome to WordPress
  6. Save Post
  7. You will see Hello &amp; Welcome to WordPress as title

Attachments (2)

classic-editor-ampersand-title-before-saving.png (48.4 KB) - added by sabernhardt 7 months ago.
title in the editor, before saving the post
classic-editor-ampersand-title-after-saving.png (56.9 KB) - added by sabernhardt 7 months ago.
title shows &amp; in the editor after saving the post


Change History (15)

#1 @costdev
4 years ago

  • Version trunk deleted

Removing trunk as the Version as I also reproduced this in WordPress 4.8. This may have been occurring for longer though, I just haven't tested less than 4.8.

#2 @costdev
4 years ago

  • Keywords has-testing-info added

#3 @kapilpaul
4 years ago

There is a security concern while storing the title in the DB.
So can we do one thing here: just decode the HTML entity while displaying it in the editor?
If that makes sense, so that we do not need to work on the existing implementation.

#4 @wordpressdotorg
9 months ago

  • Keywords has-test-info added; has-testing-info removed

#5 @poena
7 months ago

  • Keywords close added
  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

Hi
If this, as described, only happens in the classic editor, then the issue needs to be opened in the repository for the classic editor plugin, not WordPress core Trac.

https://github.com/WordPress/classic-editor

#6 @johnbillion
7 months ago

@poena The Classic Editor plugin provides the ability to switch back to the classic editor. The functionality itself remains in WordPress core. Am I missing something?

#7 @poena
7 months ago

  • Keywords close removed
  • Resolution invalid deleted
  • Status changed from closed to reopened

No, you are absolutely right, I don't know what I was thinking (maybe wishful thinking ;) )

#8 @sabernhardt
7 months ago

  • Milestone set to Awaiting Review

#9 @sukhendu2002
7 months ago

  • Keywords has-screenshots added

Reproduction Report

Description

This report validates whether the issue can be reproduced.

Environment

  • WordPress: 6.9-alpha-60093-src
  • PHP: 8.2.28
  • Server: nginx/1.29.0
  • Database: mysqli (Server: 8.4.5 / Client: mysqlnd 8.2.28)
  • Browser: Chrome 137.0.0.0
  • OS: macOS
  • Theme: Twenty Fourteen 4.2
  • MU Plugins: None activated
  • Plugins:
    • Test Reports 1.2.0

Steps to Reproduce

  1. Disabled Gutenberg editor and ensured Classic Editor was active
  2. Logged in as an Author user (not Admin)
  3. Used a non-block based theme (Twenty Fourteen)
  4. Created new post with title and excerpt containing ampersands: "Hello & Welcome to WordPress"
  5. Saved the post
  6. Examined the saved post

Actual Results

❌ Error condition does NOT occur.
Both the title and excerpt correctly display the ampersand character "&" rather than as "&amp;".

Supplemental Artefacts

https://utfs.io/f/o9kzPXfbC7I8dxA1iqsE7YMe4dTBL2GjorJZ5VXtOI8mASxs

@sabernhardt
7 months ago

title in the editor, before saving the post

@sabernhardt
7 months ago

title shows &amp; in the editor after saving the post

#10 @sabernhardt
7 months ago

The editor's title field had this after I saved a post as an Author-level user:
<input type="text" name="post_title" size="30" value="Hello &amp;amp; welcome after saving" id="title" spellcheck="true" autocomplete="off" />

The front end has &amp; in the markup, which appears as & there.
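
The double encoding visible in the markup above can be reproduced with a small stand-alone model. This is an added example, not WordPress core code and not from any commenter: the function names are hypothetical, and both the save-time ampersand normalisation for users without unfiltered HTML and the double-encoding escape on the edit screen are assumptions chosen to match the values reported in this ticket.

```php
<?php
// Added model of the ticket's behaviour; not WordPress core code.
// All function names are hypothetical.

// Assumed save-time step for a user without unfiltered HTML: a bare "&"
// becomes "&amp;", while an "&" that already starts an entity is kept.
function model_save_restricted(string $title): string
{
    $entity = '(?:[A-Za-z][A-Za-z0-9]*|#[0-9]+|#[xX][0-9A-Fa-f]+);';
    return preg_replace('/&(?!' . $entity . ')/', '&amp;', $title);
}

// Assumed edit-screen step: escape the stored value for value="...".
// With $double_encode = true an existing "&amp;" turns into "&amp;amp;".
function model_attr(string $stored, bool $double_encode): string
{
    return htmlspecialchars($stored, ENT_QUOTES, 'UTF-8', $double_encode);
}

// What the browser shows in the input: the attribute decoded exactly once.
function model_visible(string $attr): string
{
    return html_entity_decode($attr, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$typed = 'Hello & Welcome to WordPress'; // constructed sample input

$cases = [
    'unfiltered user, double-encode'    => [$typed, true],
    'restricted user, double-encode'    => [model_save_restricted($typed), true],
    'restricted user, no double-encode' => [model_save_restricted($typed), false],
];

foreach ($cases as $label => [$stored, $double]) {
    $attr = model_attr($stored, $double);
    printf("%-34s stored=%s\n  attr=%s\n  shown=%s\n",
        $label, $stored, $attr, model_visible($attr));
}
```

The restricted-user row with double encoding is the one whose `attr` value has the same `&amp;amp;` shape as the `value` attribute quoted in comment #10; the other two rows show the title field displaying a plain ampersand.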

#11 @kapilpaul
7 months ago

@sabernhardt Thanks for testing it. I believe the &amp; is appearing on the API result as well.

#12 @siliconforks
7 months ago

I'm not sure this is really a bug though? The post title is supposed to be HTML code; this is so you can have titles like Welcome to <i>WordPress</i>. Given that, it makes sense that the ampersand would be stored in the database as an HTML entity (&amp;).

#13 @sabernhardt
6 months ago

This seems related to #11311.