[wp-hackers] Bug when post title contains > and "
speedboxer at gmail.com
Sat Mar 17 19:14:13 GMT 2007
Also, in 2.1.2, if I put in <span style="color: #0099FF;">This is a
"Test"</span>, I get this:
<h2><a href="***************/this-is-a-test/" rel="bookmark"
title="Permanent Link to <span style="color: #0099FF;">This is a
“Test”</span>"><span style="color: #0099FF;">This is a
(I added the asterisks, since I'll be deleting the post.) But an even
weirder thing is, for the title, I see:
This is a "Test"">This is a "Test"
Which is probably caused by the Browser (tested in IE7 and FF2) seeing ">
before the actual end of the link.
So, what goes into the title definitely needs to be sanitized. Wait, didn't
I see something about this, and that it's fixed in 2.1.3?
On 3/17/07, Elliotte Harold <elharo at metalab.unc.edu> wrote:
> In brief create a post with this string as the title:
> A <strong style="color: green">Strong</strong> Test for Markup In Titles
> & Summaries
> Publish it and look at what WordPress puts out into the h1 header:
> <h1 class="single"><a
> rel="bookmark" title="Permanent Link: A <strong style="color:
> green">Strong</strong> Test for Markup In Titles & Summaries">A
> <strong style="color: green">Strong</strong> Test for Markup In Titles
> & Summaries</a></h1>
> The the_title_rss() function behaves appropriately. The bad text is
> probably coming from the_title and single_post_title though I haven't
> verified that yet.
> WordPress is stuffing the title text (including markup with < and > and
> ") into a title attribute without sanitizing it first. I suspect I could
> reproduce this just by using the " and > characters in a title without
> explicitly putting tags into my title.
> Possibly this is a theme bug, but if so I bet Kubrick has this bug since
> I don't think I ever changed that part of it when building my own theme
> on top of it. Here's the relevant code from the theme:
> <h2><a href="<?php the_permalink() ?>" rel="bookmark" title="Permanent
> Link to <?php the_title(); ?>"><?php the_title(); ?></a></h2>
> I'm not sure if the problem is in the the_title function or if the theme
> should be calling a different function like the_title_rss (which
> apparently strips markup)
> This has so far only been tested in 2.0.7.
> Elliotte Rusty Harold elharo at metalab.unc.edu
> Java I/O 2nd Edition Just Published!
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
Matt (speedboxer at gmail.com)
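The attribute bug discussed in this thread, as an added example that is not code from the thread or from WordPress: the Kubrick-style template beside a version that escapes the title for the attribute context. It is plain PHP using core htmlspecialchars() (modern WordPress exposes esc_attr() for the same purpose); raw_title() is a hypothetical stand-in for the_title(), and the title and permalink are constructed sample values.

```php
<?php
// Added example (not from the thread): the title-attribute bug beside a
// hardened rendering, written as plain PHP so it runs outside WordPress.

// Constructed sample title, modelled on the second report in the thread.
$title = 'This is a <span style="color: #0099FF;">"Test"</span>';
$permalink = 'http://example.invalid/this-is-a-test/';   // constructed

// Hypothetical stand-in for the_title(): returns the stored title verbatim.
function raw_title($title) {
    return $title;
}

// Escapes a value for use inside a double-quoted HTML attribute.
// ENT_QUOTES converts &, <, >, " and ', so a quote typed into the title
// can never terminate the attribute early.
function attr_escape($value) {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Vulnerable rendering, mirroring the template quoted in the thread:
// the unescaped title is dropped straight into title="...".
function render_vulnerable($permalink, $title) {
    return '<h2><a href="' . $permalink . '" rel="bookmark" title="Permanent Link to '
        . raw_title($title) . '">' . raw_title($title) . '</a></h2>';
}

// Hardened rendering: everything placed inside an attribute goes through
// attr_escape(). The element text keeps the authored markup, as the thread's
// author intended; escape it too if post authors are not trusted to write HTML.
function render_hardened($permalink, $title) {
    return '<h2><a href="' . attr_escape($permalink) . '" rel="bookmark" title="Permanent Link to '
        . attr_escape($title) . '">' . raw_title($title) . '</a></h2>';
}

echo render_vulnerable($permalink, $title), "\n";
// In this output the " after style= is the first quote inside the title
// attribute, so the browser closes the attribute there and treats the rest
// of the title as stray attribute text and content, as both reports observed.

echo render_hardened($permalink, $title), "\n";
// Here the attribute contains only &quot;, &lt; and &gt; entities, so it
// ends exactly where the template closes it.
```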