[wp-trac] [WordPress Trac] #22436: escape recent posts widget post titles

WordPress Trac noreply at wordpress.org
Wed Nov 14 03:25:11 UTC 2012


#22436: escape recent posts widget post titles
--------------------------+------------------------------
 Reporter:  niallkennedy  |       Owner:
     Type:  enhancement   |      Status:  new
 Priority:  normal        |   Milestone:  Awaiting Review
Component:  Widgets       |     Version:
 Severity:  normal        |  Resolution:
 Keywords:  has-patch     |
--------------------------+------------------------------
Changes (by nacin):

 * type:  defect (bug) => enhancement


Comment:

 We certainly don't need to escape the ID. I'm wondering about the title,
 though. Non-HTML content like a loose ampersand or angle bracket should
 indeed be encoded, but that doesn't mean we should be encoding other HTML
 found in titles. I'd much rather see italics if that's what the user
 added, than raw "<em>" and "</em>". Strip tags could work but that doesn't
 really respect what the user was aiming for.

 What we really need is a sane conversion of reserved characters (<>&"')
 used in post_title to their encoded equivalents, as long as they are not
 actually HTML. This should actually probably happen on save (it already
 does in part for ampersands, IIRC), outputted as-is for display, then be
 reversed for edit so the user is editing "<em>" and "5 < 6" just the same.
 Complicated, but no way around this.

 In the end, this isn't really a bug.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/22436#comment:1>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
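
The conversion described in the comment above (encode reserved characters that are not actually HTML, leave real inline markup alone, reverse it for editing), as an added example that is not WordPress core code or part of the original message. The function names, the tag allowlist and the sample titles are assumptions made for illustration.

```php
<?php
// Added illustration, not WordPress core code.
// Assumption: only these inline tags, written without attributes, count as "actually HTML".
const INLINE_TAGS = '~(</?(?:em|strong|i|b|code)>)~i';

/** Encode < > & " ' in a title unless they form an allowlisted, attribute-free tag. */
function encode_loose_reserved(string $title): string
{
    // With DELIM_CAPTURE, odd-indexed pieces are matched tags, even-indexed pieces are text.
    $parts = preg_split(INLINE_TAGS, $title, -1, PREG_SPLIT_DELIM_CAPTURE);
    foreach ($parts as $i => $part) {
        if ($i % 2 === 0) {
            // double_encode=false keeps an existing "&amp;" from becoming "&amp;amp;".
            $parts[$i] = htmlspecialchars($part, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', false);
        }
    }
    return implode('', $parts);
}

/** Reverse the encoding so the edit field shows "<em>" and "5 < 6" just the same. */
function decode_for_edit(string $stored): string
{
    // Allowlisted tags contain no entities, so decoding the whole string is enough.
    // Caveat: a user who literally typed "&lt;" gets "<" back, so the round trip is lossy there.
    return htmlspecialchars_decode($stored, ENT_QUOTES);
}

// Constructed sample titles.
$titles = [
    'Tom & Jerry: 5 < 6',            // loose ampersand and angle bracket get encoded
    'An <em>italic</em> word',       // allowlisted markup is kept as-is
    'Already &amp; encoded',         // existing entity is not double-encoded
    'Broken <img src=x> in a title', // tag outside the allowlist is encoded as text
];

foreach ($titles as $title) {
    $stored = encode_loose_reserved($title);
    echo $stored, "\n";
    echo '  edit view: ', decode_for_edit($stored), "\n";
}
```

The example does not balance tags, so an unmatched "</em>" in a title passes through unchanged, and the edit view still has to be escaped for whatever form field it is placed in.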

