[wp-trac] [WordPress Trac] #11040: esc_attr() doesn't strip HTML tags

WordPress Trac wp-trac at lists.automattic.com
Tue Oct 27 21:27:16 UTC 2009

#11040: esc_attr() doesn't strip HTML tags
 Reporter:  kingjeffrey  |        Type:  defect (bug)
   Status:  new          |    Priority:  normal      
Milestone:  2.9          |   Component:  Formatting  
  Version:               |    Severity:  normal      
 Keywords:  needs-patch  |  

Comment(by scribu):

 Replying to [comment:8 dd32]:
 > I agree with filosofo, HTML entities are legal in attribute values (Not
 > only text areas, but input form elements, Titles, other attr's). It should
 > be escaped appropriately for display rather than messing with the passed
 I didn't say they were illegal, I said they weren't useful in elements
 other than textareas and inputs.

 So, if esc_attr() isn't changed, what do we need esc_html() for? It's the
 exact same code in both.
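An added illustration of the "escape for display, don't strip" position in the quote above; this is example code written for this page, not WordPress's esc_attr() or _wp_specialchars(), and the entity-preserving regex is an assumption about how double-encoding is avoided, not a copy of WordPress's rule:

```python
import re
from html.parser import HTMLParser

# An '&' that already starts a well-formed entity (named, decimal or hex) is
# left alone so existing entities are not double-encoded. Assumption: this
# approximates the no-double-encode behaviour of WordPress; it is not its code.
_ENTITY_RE = re.compile(r'&(?:#\d+|#[xX][0-9a-fA-F]+|[a-zA-Z][a-zA-Z0-9]*);')


def _escape_chunk(s: str) -> str:
    return (s.replace('&', '&amp;').replace('<', '&lt;').replace('>', '&gt;')
             .replace('"', '&quot;').replace("'", '&#039;'))


def esc_attr(value: str) -> str:
    """Escape a string for a double-quoted HTML attribute value.
    Tags are not stripped: '<' and '>' become entities, which are legal in
    attribute values and decode back to the original text in the browser."""
    out, pos = [], 0
    for m in _ENTITY_RE.finditer(value):
        out.append(_escape_chunk(value[pos:m.start()]))
        out.append(m.group(0))  # keep the existing entity unchanged
        pos = m.end()
    out.append(_escape_chunk(value[pos:]))
    return ''.join(out)


class _AttrCollector(HTMLParser):
    """Records each start tag and its (entity-decoded) attributes."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def render_and_parse(title: str):
    """Place the escaped title in an <input value="..."> and parse it back.
    Returns (markup, tag names seen, decoded value attribute): the tag list
    shows no element was created from the title, and the decoded value shows
    the original text survived the round trip intact."""
    markup = '<input type="text" value="%s">' % esc_attr(title)
    p = _AttrCollector()
    p.feed(markup)
    p.close()
    return markup, [t for t, _ in p.tags], p.tags[0][1]['value']
```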

Ticket URL: <http://core.trac.wordpress.org/ticket/11040#comment:9>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
