[wp-trac] [WordPress Trac] #33235: Drop strip_tags() for widget titles in forms
WordPress Trac
noreply at wordpress.org
Sun Aug 2 23:14:38 UTC 2015
#33235: Drop strip_tags() for widget titles in forms
--------------------------+-----------------------------
 Reporter:  greenshady    |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  Widgets       |    Version:  trunk
 Severity:  normal        |   Keywords:
  Focuses:                |
--------------------------+-----------------------------
I was putting together a quick plugin to allow some basic HTML in widget
titles. I hit a snag when I realized that core handles the output of the
`title` field inconsistently in widget forms.

Basically, a few widgets run the `title` field through `strip_tags()`
before outputting the `<input>` field. All we really need is `esc_attr()`
in this case.

**Uses strip_tags() + esc_attr()**

* Archives
* Meta
* Calendar
* Text

**Uses esc_attr() only**

* Pages
* Search
* Categories
* Recent Posts
* Recent Comments
* Tag Cloud
* Nav Menu

I'm adding a patch so that these are treated consistently and simply
escaped with `esc_attr()`. If we want to keep the `strip_tags()`, it
should be done the same across the board.

Plugin for testing: https://github.com/justintadlock/widget-title-html
--
Ticket URL: <https://core.trac.wordpress.org/ticket/33235>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
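
The ticket's point that `esc_attr()` alone is enough when the title is printed into the `value` attribute of an `<input>`, shown as an added example (not code from the ticket, its patch, or WordPress core). `demo_esc_attr()`, `demo_title_input()` and `demo_field_value()` are hypothetical names, the `widefat` markup and sample titles are constructed, and `demo_esc_attr()` approximates `esc_attr()` with `htmlspecialchars()` so the script runs without WordPress.

```php
<?php
// Stand-in for WordPress's esc_attr() so the script runs outside WordPress.
// Assumption: plain htmlspecialchars() with ENT_QUOTES; the real function also
// validates UTF-8 and applies the 'attribute_escape' filter.
function demo_esc_attr(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Hypothetical helper: the title field as a widget's form() method would print it.
function demo_title_input(string $title, bool $strip_first): string {
    $value = $strip_first ? strip_tags($title) : $title;
    return '<input class="widefat" type="text" value="' . demo_esc_attr($value) . '" />';
}

// Hypothetical helper: return the value a browser would show in the field, or
// null if the title broke out of the value attribute.
function demo_field_value(string $markup): ?string {
    $pattern = '/^<input class="widefat" type="text" value="([^"<>]*)" \/>$/';
    if (!preg_match($pattern, $markup, $m)) {
        return null;
    }
    return html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
}

// Constructed sample titles: inline HTML, and a double quote plus a tag.
$titles = ['News <em>today</em>', 'Say "hello" to <strong>widgets</strong>'];

foreach ($titles as $title) {
    foreach ([true, false] as $strip_first) {
        $shown = demo_field_value(demo_title_input($title, $strip_first));
        printf(
            "%-26s contained=%s round-trips=%s\n",
            $strip_first ? 'strip_tags() + esc_attr():' : 'esc_attr() only:',
            $shown === null ? 'no' : 'yes',
            $shown === $title ? 'yes' : 'no'
        );
    }
}
```

In both variants the escaping keeps the title inside the attribute, and `strip_tags()` does not remove quotes, so it contributes nothing to that. Only the `esc_attr()`-only variant shows the stored title unchanged in the form field.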