Make WordPress Core

Opened 15 months ago

Closed 9 months ago

#57470 closed defect (bug) (reported-upstream)

Copy and pasting from a document into the title field is including hidden html tags

Reported by: mikeyott
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: Editor
Keywords:
Focuses: ui, administration
Cc:


As the title describes, if you copy and paste from a (Word) document and into the title field of a new or existing post, hidden html tags come along for the ride.

How to replicate

  • Open a Word document that contains text with formatting. For example, italic text.
  • Highlight and copy the italicised text to the clipboard.
  • Create a new page.
  • Paste into the title field.
  • Click Publish.

You will now see the confirmation dialogue read something like this...

<em>The page title here</em> is now live.

...yes, with the actual html tags visible.

When you view the All Pages screen, you will also see the title has the <em> opening and closing tags as well. The only way to remove them is to click Quick Edit and do it manually.

I'm not sure if this has any security implications (maybe someone with that expertise can chime in here) but I do wonder how it would behave if someone was copy/pasting content from a website if the content contained a (malicious) <script> tag.

Note: I was able to replicate this issue with all plugins disabled, running the latest version of Twenty Twenty-Three theme and latest version of WordPress 6.1.1 (latest at time of this bug report).

Attachments (2)

sample text.png (3.8 KB) - added by mikeyott 15 months ago.
posts.png (4.6 KB) - added by mikeyott 15 months ago.


Change History (8)

#1 @audrasjb
15 months ago

  • Component changed from General to Editor
  • Version 6.1.1 deleted

Hello and thank you for opening this ticket,

I think it is an intended behavior: some (inline) HTML tags are allowed in the post title so they are not stripped.

But all HTML tags are not allowed. <script>, for example, is of course automatically stripped :)

#2 @audrasjb
15 months ago

Related: Ticket #57265 suggests stripping tags from the Post list table screen.

#3 @danielbachhuber
15 months ago

Thanks for the report, @mikeyott!

@audrasjb I think this was fixed in Gutenberg 14.6?

It doesn't look like 14.6 has been included in a release yet:

#4 @audrasjb
15 months ago

  • Keywords close added; needs-patch removed

Oh great, thanks for the info @danielbachhuber!
This is indeed already scheduled for 6.2, which is perfect.

We can close this ticket as reported-upstream when this change gets merged into core.
Thanks everyone 🙌

#5 @mikeyott
15 months ago

Awse - thanks for the update. I'll consider this matter closed.

#6 @ironprogrammer
9 months ago

  • Keywords close removed
  • Milestone Awaiting Review deleted
  • Resolution set to reported-upstream
  • Status changed from new to closed

Following up on comment:4, closing this ticket as reported-upstream since 6.2 has already shipped a fix.
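
The paste behaviour reported in this ticket, as an added example that is not part of the ticket and is not WordPress or Gutenberg code: a title field can take the clipboard's `text/plain` flavour instead of its `text/html` flavour, and any title that already contains markup stays inert if it is escaped on output. The function names, the `fakeClipboard` stand-in and the sample clipboard contents are assumptions constructed for illustration.

```javascript
// Added example: hypothetical helpers, not WordPress or Gutenberg code.

// Escape text before placing it in HTML, e.g. the "... is now live." notice.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Crude fallback for clipboards that only carry text/html: drop comments,
// script/style bodies and tags. The result is still untrusted text and
// must be escaped on output.
function stripMarkup(html) {
  return html
    .replace(/<!--[\s\S]*?-->/g, '')
    .replace(/<(script|style)\b[\s\S]*?<\/\1\s*>/gi, '')
    .replace(/<[^>]*>/g, '');
}

// Build a single-line plain-text title from a paste event's clipboardData.
function titleFromPaste(clipboardData) {
  const plain = clipboardData.getData('text/plain');
  const raw = plain !== '' ? plain : stripMarkup(clipboardData.getData('text/html'));
  return raw.replace(/\s+/g, ' ').trim();
}

// Constructed stand-in for DataTransfer so the example runs outside a browser.
function fakeClipboard(flavours) {
  return { getData: (type) => flavours[type] || '' };
}

// Constructed sample: the kind of markup a word processor puts on the clipboard.
const WORD_HTML =
  '<html><body><!--StartFragment--><em>The page title here</em>' +
  '<!--EndFragment--></body></html>';

const pasted = titleFromPaste(
  fakeClipboard({ 'text/html': WORD_HTML, 'text/plain': 'The page title here\r\n' })
);
const htmlOnly = titleFromPaste(fakeClipboard({ 'text/html': WORD_HTML }));
// A title stored with markup is shown as literal text once escaped.
const notice = escapeHtml('<em>The page title here</em>') + ' is now live.';

console.log(pasted);
console.log(htmlOnly);
console.log(notice);
```

In a browser, `titleFromPaste` would be called from a `paste` listener after `event.preventDefault()`, with `event.clipboardData` as its argument.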
