[wp-hackers] Bug when post title contains > and "

Elliotte Harold elharo at metalab.unc.edu
Sat Mar 17 18:45:58 GMT 2007


See 
http://www.elharo.com/blog/software-development/web-development/2007/03/17/a-strong-test-for-markup-in-titles-summaries/

In brief, create a post with this string as the title:

A <strong style="color: green">Strong</strong> Test for Markup In Titles 
&amp; Summaries

Publish it and look at what WordPress puts out into the h1 header:

             <h1 class="single"><a 
href="http://www.elharo.com/blog/software-development/web-development/2007/03/17/a-strong-test-for-markup-in-titles-summaries/" 
rel="bookmark" title="Permanent Link: A <strong style="color: 
green">Strong</strong> Test for Markup In Titles &amp; Summaries">A 
<strong style="color: green">Strong</strong> Test for Markup In Titles 
&amp; Summaries</a></h1>

The the_title_rss() function behaves appropriately. The bad text is 
probably coming from the_title and single_post_title though I haven't 
verified that yet.

WordPress is stuffing the title text (including markup with < and > and 
") into a title attribute without sanitizing it first. I suspect I could 
reproduce this just by using the " and > characters in a title without 
explicitly putting tags into my title.

Possibly this is a theme bug, but if so I bet Kubrick has this bug since 
I don't think I ever changed that part of it when building my own theme 
on top of it. Here's the relevant code from the theme:

<h2><a href="<?php the_permalink() ?>" rel="bookmark" title="Permanent 
Link to <?php the_title(); ?>"><?php the_title(); ?></a></h2>

I'm not sure if the problem is in the the_title function or if the theme 
should be calling a different function like the_title_rss (which 
apparently strips markup).

This has so far only been tested in 2.0.7.

-- 
Elliotte Rusty Harold  elharo at metalab.unc.edu
Java I/O 2nd Edition Just Published!
http://www.cafeaulait.org/books/javaio2/
http://www.amazon.com/exec/obidos/ISBN=0596527500/ref=nosim/cafeaulaitA/
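
The theme line from the message above, reduced to stand-alone PHP beside a version that escapes the title for the attribute context. This is an added example, not part of the original message and not WordPress code; the function names, the sample URL and the second title are hypothetical, and it assumes PHP with the DOM extension.

```php
<?php
// Added example: stand-alone PHP, no WordPress needed. Function names and
// sample values are hypothetical, not WordPress APIs.

// Same shape as the theme line in the post: the raw title lands in both the
// title="" attribute and the link text.
function link_raw(string $url, string $title): string {
    return '<h2><a href="' . $url . '" rel="bookmark" title="Permanent Link to '
         . $title . '">' . $title . '</a></h2>';
}

// Attribute context: strip tags, decode existing entities such as &amp; so
// they are not double-encoded, then encode & < > " ' for the attribute.
function title_for_attribute(string $title): string {
    $plain = html_entity_decode(strip_tags($title), ENT_QUOTES, 'UTF-8');
    return htmlspecialchars($plain, ENT_QUOTES, 'UTF-8');
}

// Hardened variant: escaped attribute value, author's markup kept in the text.
function link_escaped(string $url, string $title): string {
    return '<h2><a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8')
         . '" rel="bookmark" title="Permanent Link to '
         . title_for_attribute($title) . '">' . $title . '</a></h2>';
}

// What an HTML parser takes the title attribute of the first <a> to be.
function parsed_title_attribute(string $html): string {
    libxml_use_internal_errors(true);   // malformed input is expected here
    $doc = new DOMDocument();
    $doc->loadHTML('<html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    return $doc->getElementsByTagName('a')->item(0)->getAttribute('title');
}

// Constructed inputs: the title from the post, and a tag-free title that
// contains only " and > (the case the post suspects would also break).
$url    = 'http://example.com/blog/sample-post/';
$titles = [
    'A <strong style="color: green">Strong</strong> Test for Markup In Titles &amp; Summaries',
    'Quotes " and > without tags',
];

foreach ($titles as $t) {
    echo "raw:     ", parsed_title_attribute(link_raw($url, $t)), "\n";
    echo "escaped: ", parsed_title_attribute(link_escaped($url, $t)), "\n\n";
}
```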

