Make WordPress Core

Opened 5 months ago

Last modified 5 months ago

#57470 new defect (bug)

Copy and pasting from a document into the title field is including hidden html tags

Reported by: mikeyott
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version:
Component: Editor
Keywords: close
Focuses: ui, administration
Cc:

Description

As the title describes, if you copy and paste from a (Word) document and into the title field of a new or existing post, hidden html tags come along for the ride.

How to replicate

  • Open a Word document that contains text with formatting. For example, italic text.
  • Highlight and copy the italicised text to the clipboard.
  • Create a new page.
  • Paste into the title field.
  • Click Publish.

You will now see the confirmation dialogue read something like this...

<em>The page title here</em> is now live.

...yes, with the actual html tags visible.

When you view the All Pages screen, you will also see the title has the <em> opening and closing tags as well. The only way to remove them is to click Quick Edit and do it manually.

I'm not sure if this has any security implications (maybe someone with that expertise can chime in here) but I do wonder how it would behave if someone was copy/pasting content from a website if the content contained a (malicious) <script> tag.

Note: I was able to replicate this issue with all plugins disabled, running the latest version of Twenty Twenty-Three theme and latest version of WordPress 6.1.1 (latest at time of this bug report).

Attachments (2)

sample text.png (3.8 KB) - added by mikeyott 5 months ago.
posts.png (4.6 KB) - added by mikeyott 5 months ago.

Change History (7)

#1 @audrasjb
5 months ago

  • Component changed from General to Editor
  • Version 6.1.1 deleted

Hello and thank you for opening this ticket,

I think it is an intended behavior: some (inline) HTML tags are allowed in the post title so they are not stripped.

But all HTML tags are not allowed. <script>, for example, is of course automatically stripped :)

#2 @audrasjb
5 months ago

Related: Ticket #57265 suggests to strip tags from the Post list table screen.

#3 @danielbachhuber
5 months ago

Thanks for the report, @mikeyott !

@audrasjb I think this was fixed in Gutenberg 14.6? https://github.com/WordPress/gutenberg/pull/35825

It doesn't look like 14.6 has been included in a release yet: https://developer.wordpress.org/block-editor/contributors/versions-in-wordpress/

#4 @audrasjb
5 months ago

  • Keywords close added; needs-patch removed

Oh great, thanks for the info @danielbachhuber!
This is indeed already scheduled for 6.2, which is perfect.

We can close this ticket as reported-upstream when this change gets merged into core.
Thanks everyone 🙌

#5 @mikeyott
5 months ago

Awse - thanks for the update. I'll consider this matter closed.
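
An added example, not part of the ticket and not WordPress or Gutenberg code: one way a plain-text title field can handle the kind of rich-text paste reported here, by taking the clipboard's `text/plain` flavor and escaping the title wherever it is displayed. All function names and the sample clipboard payload are constructed for illustration.

```javascript
// Added illustration: names and sample data are constructed, not WordPress or Gutenberg code.
// Constructed clipboard payload: one copied selection offered in two flavors.
const sampleClipboard = {
  'text/plain': 'The page title here',
  'text/html': '<html><body><!--StartFragment--><em>The page title here</em><!--EndFragment--></body></html>',
};

// Stand-in for the browser's DataTransfer: getData() returns '' for a missing flavor.
function makeClipboard(flavors) {
  return { getData: (type) => flavors[type] || '' };
}

// Fallback for clipboards that carry only text/html: drop everything between
// '<' and '>'. This is a convenience for tidy titles, not a sanitizer (no entity
// decoding, no attribute parsing); escaping on output remains the control.
function stripTags(html) {
  let out = '';
  let inTag = false;
  for (const ch of html) {
    if (ch === '<') inTag = true;
    else if (ch === '>' && inTag) inTag = false;
    else if (!inTag) out += ch;
  }
  return out;
}

// A title holds plain text: prefer text/plain, never interpret text/html as
// markup, and collapse the whitespace a multi-line copy brings along.
function titleFromPaste(clipboardData) {
  const plain = clipboardData.getData('text/plain');
  const text = plain !== '' ? plain : stripTags(clipboardData.getData('text/html'));
  return text.replace(/\s+/g, ' ').trim();
}

// Escape at output so markup that did reach storage is displayed as text
// instead of being parsed by the browser.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Confirmation text in the style of the notice quoted in the ticket.
function publishNotice(title) {
  return `${escapeHtml(title)} is now live.`;
}
```

In a browser, a `paste` listener on the title field would call `event.preventDefault()` and insert `titleFromPaste(event.clipboardData)` in place of the default rich paste.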
