[wp-hackers] Another bug as a result of markup in titles
Sabin Iacob
iacobs at m0n5t3r.info
Sun Mar 18 12:02:56 GMT 2007
Elliotte Harold wrote:
> That is, the link comes from the supplied title rather than the
> internal edit link for that post.
>
> I've only verified this in 2.0.7. If someone can verify it in
> 2.1.3/2.0.9 it would be worth filing a Trac.
>
> I suspect the fix involves removing links, and probably all other
> markup from the title before sticking it in the posts sidebar on the
> admin page.
>
> Still to be determined: are there other pages in the admin section
> that need this treatment? Can one inject JavaScript into the admin
> pages in this fashion?
>
Checked in svn trunk; you get something like this:
<a href='post.php?action=edit&post=6'><a href="http://www.cafeaulait.org/">Is This a Security Issue?</a></a>
I think I saw some proposals to allow markup in titles in Trac, and
people were generally against it; I didn't manage to find where the
shift in attitude occurred :)
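
The fix suggested in the quoted message (remove markup from the title before it goes into the admin posts list), sketched beside the behaviour that produces the nested link. This is an added example, not WordPress code and not from either poster; the function names and the "(no title)" fallback are assumptions, and every sample title except the cafeaulait.org one is constructed.

```php
<?php
// Added example: not WordPress core code. Function names are hypothetical.

// "Before": the raw title is placed inside the edit link, so markup in the
// title becomes markup in the admin page (the nested <a> shown above).
function render_edit_link_unsafe(int $post_id, string $title): string
{
    return "<a href='post.php?action=edit&post=" . $post_id . "'>" . $title . "</a>";
}

// Reduce a title to plain text, then encode it for an HTML text context.
function title_as_text(string $title): string
{
    $text = strip_tags($title);
    // Decode first so "&amp;" is not double-encoded; entity-encoded tags
    // such as "&lt;b&gt;" are re-encoded by htmlspecialchars() below.
    $text = trim(html_entity_decode($text, ENT_QUOTES, 'UTF-8'));
    if ($text === '') {
        $text = '(no title)'; // assumed fallback so the link stays clickable
    }
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// "After": the title is text only, and the href is encoded as an attribute.
function render_edit_link(int $post_id, string $title): string
{
    $href = 'post.php?action=edit&post=' . $post_id;
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">'
        . title_as_text($title) . '</a>';
}

// Sample titles: the first is the one from the message, the rest are constructed.
$titles = [
    '<a href="http://www.cafeaulait.org/">Is This a Security Issue?</a>',
    '<script>alert(1)</script>',
    'Tom &amp; Jerry "quoted"',
    '<img src="x.png">',
];

foreach ($titles as $title) {
    echo "unsafe: ", render_edit_link_unsafe(6, $title), "\n";
    echo "safe:   ", render_edit_link(6, $title), "\n\n";
}
```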