[wp-hackers] Bug when post title contains > and "

Matt speedboxer at gmail.com
Sat Mar 17 19:14:13 GMT 2007

Also, in 2.1.2, if I put in <span style="color: #0099FF;">This is a
"Test"</span>, I get this:

<h2><a href="***************/this-is-a-test/" rel="bookmark"
title="Permanent Link to <span style="color: #0099FF;">This is a
&#8220;Test&#8221;</span>"><span style="color: #0099FF;">This is a

(I added the asterisks, since I'll be deleting the post) But, and even
weirder thing is, for the title, I see:
This is a "Test"">This is a "Test"

Which is probably caused by the Browser (tested in IE7 and FF2) seeing ">
before the actual end of the link.

So, what goes into the title definitely needs to be sanitized. Wait, didn't
I see something about this, and that it's fixed in 2.1.3?


On 3/17/07, Elliotte Harold <elharo at metalab.unc.edu> wrote:
> See
> In brief create a post with this string as the title:
> A <strong style="color: green">Strong</strong> Test for Markup In Titles
> &amp; Summaries
> Publish it and look at what WordPress puts out into the h1 header:
>             <h1 class="single"><a
> href="
> rel="bookmark" title="Permanent Link: A <strong style="color:
> green">Strong</strong> Test for Markup In Titles &amp; Summaries">A
> <strong style="color: green">Strong</strong> Test for Markup In Titles
> &amp; Summaries</a></h1>
> The the_title_rss() function behaves appropriately. The bad text is
> probably coming from the_title and single_post_title though I haven't
> verified that yet.
> WordPress is stuffing the title text (including markup with < and > and
> ") into a title attribute without sanitizing it first. I suspect I could
> reproduce this just by using the " and > characters in a title without
> explcitly putting tags into my title.
> Possibly this is a theme bug, but if so I bet Kubrick has this bug since
> I don't think I ever changed that part of it. when building my own theme
> on top of it. Here's the relevant code from the theme:
> <h2><a href="<?php the_permalink() ?>" rel="bookmark" title="Permanent
> Link to <?php the_title(); ?>"><?php the_title(); ?></a></h2>
> I'm not sure if the problem is in the the_title function or if the theme
> should be calling a different function like the_title_rss (which
> apparently strips markup)
> This has so far only been tested in 2.0.7.
> --
> Elliotte Rusty Harold  elharo at metalab.unc.edu
> Java I/O 2nd Edition Just Published!
> http://www.cafeaulait.org/books/javaio2/
> http://www.amazon.com/exec/obidos/ISBN=0596527500/ref=nosim/cafeaulaitA/
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers

Matt (speedboxer at gmail.com)

More information about the wp-hackers mailing list