[wp-trac] [WordPress Trac] #11040: esc_attr() doesn't strip HTML tags
WordPress Trac
wp-trac at lists.automattic.com
Tue Oct 27 21:27:16 UTC 2009
#11040: esc_attr() doesn't strip HTML tags
-------------------------+--------------------------------------------------
Reporter: kingjeffrey | Type: defect (bug)
Status: new | Priority: normal
Milestone: 2.9 | Component: Formatting
Version: | Severity: normal
Keywords: needs-patch |
-------------------------+--------------------------------------------------
Comment(by scribu):
Replying to [comment:8 dd32]:
> I agree with filosofo, HTML entities are legal in attribute values (Not
> only text areas, but input form elements, Titles, other attr's). It should
> be escaped appropriately for display rather than messing with the passed
> content.
I didn't say they were illegal, I said they weren't useful in elements
other than textareas and inputs.
So, if esc_attr() isn't changed, what do we need esc_html() for? It's the
exact same code in both.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/11040#comment:9>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software