[wp-hackers] Bug when post title contains > and "

Matt speedboxer at gmail.com
Sat Mar 17 19:21:56 GMT 2007


I'm going to try to reproduce it in 2.1.3.

On 3/17/07, Robin Adrianse <robin.adr at gmail.com> wrote:
>
> Can you reproduce this in the SVN trunk (2.2) or 2.1?
>
> On 3/17/07, Elliotte Harold <elharo at metalab.unc.edu> wrote:
> >
> > See
> >
> >
> http://www.elharo.com/blog/software-development/web-development/2007/03/17/a-strong-test-for-markup-in-titles-summaries/
> >
> > In brief create a post with this string as the title:
> >
> > A <strong style="color: green">Strong</strong> Test for Markup In Titles
> > &amp; Summaries
> >
> > Publish it and look at what WordPress puts out into the h1 header:
> >
> >              <h1 class="single"><a
> > href="
> >
> http://www.elharo.com/blog/software-development/web-development/2007/03/17/a-strong-test-for-markup-in-titles-summaries/
> > "
> > rel="bookmark" title="Permanent Link: A <strong style="color:
> > green">Strong</strong> Test for Markup In Titles &amp; Summaries">A
> > <strong style="color: green">Strong</strong> Test for Markup In Titles
> > &amp; Summaries</a></h1>
> >
> > The the_title_rss() function behaves appropriately. The bad text is
> > probably coming from the_title and single_post_title though I haven't
> > verified that yet.
> >
> > WordPress is stuffing the title text (including markup with < and > and
> > ") into a title attribute without sanitizing it first. I suspect I could
> > reproduce this just by using the " and > characters in a title without
> > explicitly putting tags into my title.
> >
> > Possibly this is a theme bug, but if so I bet Kubrick has this bug since
> > I don't think I ever changed that part of it when building my own theme
> > on top of it. Here's the relevant code from the theme:
> >
> > <h2><a href="<?php the_permalink() ?>" rel="bookmark" title="Permanent
> > Link to <?php the_title(); ?>"><?php the_title(); ?></a></h2>
> >
> > I'm not sure if the problem is in the the_title function or if the theme
> > should be calling a different function like the_title_rss (which
> > apparently strips markup)
> >
> > This has so far only been tested in 2.0.7.
> >
> > --
> > Elliotte Rusty Harold  elharo at metalab.unc.edu
> > Java I/O 2nd Edition Just Published!
> > http://www.cafeaulait.org/books/javaio2/
> > http://www.amazon.com/exec/obidos/ISBN=0596527500/ref=nosim/cafeaulaitA/
> > _______________________________________________
> > wp-hackers mailing list
> > wp-hackers at lists.automattic.com
> > http://lists.automattic.com/mailman/listinfo/wp-hackers
> >



-- 
Matt (speedboxer at gmail.com)
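The Kubrick snippet quoted in the thread drops the raw title into both a `title="..."` attribute and the anchor's text, so any `"` in the title closes the attribute early and any `<`/`>` becomes live markup. The following is an added example, not WordPress or theme code: the string-building functions are hypothetical stand-ins for `the_title()`/`the_permalink()`, the sample title and permalink are copied from the report, and plain PHP `htmlspecialchars()` is used for escaping. It renders the heading both ways and extracts what a browser would take as the `title` attribute value from each.

```php
<?php
// Added example (not WordPress or Kubrick code). Shows the attribute breakout
// described in the thread and the escaped form that prevents it.

// Sample values taken from the bug report.
$title = 'A <strong style="color: green">Strong</strong> Test for Markup In Titles &amp; Summaries';
$permalink = 'http://www.elharo.com/blog/software-development/web-development/2007/03/17/a-strong-test-for-markup-in-titles-summaries/';

// Hypothetical stand-in for the theme snippet: the raw title is concatenated
// straight into title="..." and into the <a> content, exactly as the_title()
// was observed to do in the report.
function render_heading_raw(string $title, string $permalink): string
{
    return '<h2><a href="' . $permalink . '" rel="bookmark" title="Permanent Link to '
        . $title . '">' . $title . '</a></h2>';
}

// Escape for HTML attribute and text contexts. ENT_QUOTES makes sure both
// " and ' are encoded, so a quote in the title can no longer close the
// attribute; < > & are encoded as well, so stored tags render as literal text.
function escape_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Hardened form of the same snippet: every interpolated value is escaped.
function render_heading_safe(string $title, string $permalink): string
{
    return '<h2><a href="' . escape_html($permalink) . '" rel="bookmark" title="Permanent Link to '
        . escape_html($title) . '">' . escape_html($title) . '</a></h2>';
}

// Pulls out the value a browser would assign to the first title="..." attribute:
// everything up to the next double quote. For the raw rendering this stops at
// the quote inside <strong style="...">, which is the truncation the report shows.
function title_attribute(string $html): ?string
{
    return preg_match('/\btitle="([^"]*)"/', $html, $m) ? $m[1] : null;
}

$raw  = render_heading_raw($title, $permalink);
$safe = render_heading_safe($title, $permalink);

echo "raw markup:  " . $raw . "\n";
echo "safe markup: " . $safe . "\n";
echo "title attr (raw):  " . title_attribute($raw) . "\n";
// prints: Permanent Link to A <strong style=
echo "title attr (safe): " . title_attribute($safe) . "\n";
// prints the full escaped title, e.g. Permanent Link to A &lt;strong style=&quot;color: green&quot;&gt;...
```

The raw rendering's `title` attribute is cut off at `style=`, and everything after it is parsed as further attributes and tags of the `<a>` element, which is why the report's `<h1>` output looks the way it does. Note that a title stored as `&amp; Summaries` comes back from `escape_html()` as `&amp;amp; Summaries`, which the browser displays as the literal `&amp;` the author typed; whether that is the desired display or whether `&amp;` should first be decoded once is a separate storage question from the attribute-escaping bug this thread is about.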

