[wp-hackers] Another bug as a result of markup in titles

Alex Günsche ag.ml2007 at zirona.com
Sun Mar 18 14:59:56 GMT 2007


On Sun, 2007-03-18 at 07:46 -0700, Jennifer Hodgdon wrote:
> Just a note... If someone proposes a fix for these bugs regarding 
> markup in titles, please do not decide to fix it by stripping any HTML 
> tags from titles before they are saved to the database. Some plugins 
> use fake markup tags in titles and other text for filter indications. 
> So the tags need to be saved along with the other title text, and are 
> then filtered back out by the plugin before echoing into either the 
> admin page or in the public page's HTML.

I agree that some tags should be allowed in titles, such as em, acronym,
strong. Maybe KSES can be used for it. In any case, I think it is better
to allow a predefined set of tags and strip anything else, rather than
defining a set of tags to strip and preserve all others.

As for the fake tags of some plugins: It is unfortunate that these
plugins work this way; they should rather use something like square
brackets. Using pseudo-HTML for backend operations is almost always a
bad idea; if you do this anyway, you would need to mark it as CDATA and
be absolutely sure that it will not cause problems with interacting
functionalities. This is quite impossible with a post's title in
WordPress.


Regards,
Alex

-- 
Alex Günsche, Zirona OpenSource-Consulting
work: http://www.zirona.com/ | leisure: http://www.roggenrohl.net
PubKey for this address: http://www.zirona.com/misc/ag.ml2007.asc
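
The allowlist-versus-denylist point made in the message above, as an added example that is not part of the original post and is not WordPress or KSES code. The function names, the `<noformat>` plugin tag, the denylist contents and the sample title are assumptions constructed for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser

# Allowlist: the tags the message names as acceptable in titles.
ALLOWED_TAGS = frozenset({"em", "acronym", "strong"})
# Denylist (constructed for contrast): strip these, preserve everything else.
DENIED_TAGS = re.compile(r"</?(?:script|iframe)\b[^>]*>", re.IGNORECASE)
# Constructed title: an allowed tag carrying an attribute, plus a fake plugin tag.
SAMPLE = 'Release <strong onclick="track()">notes</strong> <noformat>v2</noformat>'


class TitleAllowlist(HTMLParser):
    """Rebuild a title from parser events, keeping only allowlisted tags."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []  # allowlisted tags that are currently open

    def handle_starttag(self, tag, attrs):
        # Attributes are dropped, so nothing rides along on an allowed tag.
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        # Close only tags we opened, unwinding inner ones to stay well-formed.
        if tag not in self.open_tags:
            return
        while self.open_tags:
            closed = self.open_tags.pop()
            self.out.append(f"</{closed}>")
            if closed == tag:
                break

    def handle_data(self, data):
        # Text is kept but re-escaped; comments and declarations are dropped.
        self.out.append(escape(data, quote=False))


def sanitize_title(title):
    """Allowlist: keep ALLOWED_TAGS without attributes, strip all other markup."""
    parser = TitleAllowlist()
    parser.feed(title)
    parser.close()
    closers = [f"</{tag}>" for tag in reversed(parser.open_tags)]
    return "".join(parser.out + closers)


def denylist_strip(title):
    """Denylist: remove DENIED_TAGS only; unknown tags and attributes survive."""
    return DENIED_TAGS.sub("", title)
```

On `SAMPLE`, the denylist returns the title unchanged, attribute and fake tag included, while the allowlist keeps only the bare `<strong>` element and the text.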


