[wp-trac] [WordPress Trac] #22436: escape recent posts widget post titles
WordPress Trac
noreply at wordpress.org
Wed Nov 14 03:44:09 UTC 2012
#22436: escape recent posts widget post titles
--------------------------+------------------------------
Reporter: niallkennedy | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Widgets | Version:
Severity: normal | Resolution:
Keywords: has-patch |
--------------------------+------------------------------
Comment (by johnbillion):
Replying to [comment:1 nacin]:
> What we really need is a sane conversion of reserved characters (<>&"')
> used in post_title to their encoded equivalents, as long as they are not
> actually HTML. This should actually probably happen on save (it already
> does in part for ampersands, IIRC), outputted as-is for display, then be
> reversed for edit so the user is editing "<em>" and "5 < 6" just the same.

Surely not. Characters should be escaped on display, not on save,
otherwise we'll end up doing things like `html_entity_decode()` when the
title is used in attributes. See #11311.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/22436#comment:3>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
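
The two approaches debated in this comment, encode on save versus escape on display, shown side by side as an added example. This is plain PHP written for illustration, not part of the original message and not WordPress core code; the helper names and the sample title are constructed.

```php
<?php
// Added illustration: helper names are hypothetical, not WordPress APIs.

/** Escape a string for an HTML text node or a quoted attribute value. */
function escape_for_html(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Decode the title="" attribute once, as a browser does when parsing it. */
function attribute_as_seen(string $html): string {
    preg_match('/title="([^"]*)"/', $html, $m);
    return html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
}

// Constructed sample title containing every reserved character.
$raw_title = 'Is 5 < 6 & "six" > \'five\'?';

// Approach A: store the raw title, escape at each output point.
$stored_a = $raw_title;
$body_a   = '<li>' . escape_for_html($stored_a) . '</li>';
$attr_a   = '<a title="' . escape_for_html($stored_a) . '">link</a>';
$plain_a  = $stored_a; // plain-text contexts use the stored value directly

// Approach B: encode on save, output the stored value as-is.
$stored_b = escape_for_html($raw_title);
$body_b   = '<li>' . $stored_b . '</li>'; // fine in a text node
// A template that escapes attribute values, as templates routinely do,
// now encodes the already-encoded title a second time.
$attr_b   = '<a title="' . escape_for_html($stored_b) . '">link</a>';
// Any non-HTML consumer has to reverse the save-time encoding first.
$plain_b  = html_entity_decode($stored_b, ENT_QUOTES, 'UTF-8');

// Compare what a reader would see in the attribute with the title as typed.
echo "A attribute intact: ";
var_dump(attribute_as_seen($attr_a) === $raw_title);
echo "B attribute intact: ";
var_dump(attribute_as_seen($attr_b) === $raw_title);
echo "B attribute shows:  " . attribute_as_seen($attr_b) . "\n";
echo "B plain text needs decode: ";
var_dump($stored_b !== $raw_title && $plain_b === $raw_title);
```

With approach B, every output path has to know the stored value is already encoded, and a path that escapes again or forgets to decode shows entity text to the reader.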