[wp-hackers] Bug when post title contains > and "

Elliotte Harold elharo at metalab.unc.edu
Sat Mar 17 18:45:58 GMT 2007


In brief create a post with this string as the title:

A <strong style="color: green">Strong</strong> Test for Markup In Titles 
&amp; Summaries

Publish it and look at what WordPress puts out into the h1 header:

             <h1 class="single"><a 
rel="bookmark" title="Permanent Link: A <strong style="color: 
green">Strong</strong> Test for Markup In Titles &amp; Summaries">A 
<strong style="color: green">Strong</strong> Test for Markup In Titles 
&amp; Summaries</a></h1>

The the_title_rss() function behaves appropriately. The bad text is 
probably coming from the_title and single_post_title though I haven't 
verified that yet.

WordPress is stuffing the title text (including markup with < and > and 
") into a title attribute without sanitizing it first. I suspect I could 
reproduce this just by using the " and > characters in a title without 
explcitly putting tags into my title.

Possibly this is a theme bug, but if so I bet Kubrick has this bug since 
I don't think I ever changed that part of it. when building my own theme 
on top of it. Here's the relevant code from the theme:

<h2><a href="<?php the_permalink() ?>" rel="bookmark" title="Permanent 
Link to <?php the_title(); ?>"><?php the_title(); ?></a></h2>

I'm not sure if the problem is in the the_title function or if the theme 
should be calling a different function like the_title_rss (which 
apparently strips markup)

This has so far only been tested in 2.0.7.

Elliotte Rusty Harold  elharo at metalab.unc.edu
Java I/O 2nd Edition Just Published!

More information about the wp-hackers mailing list