[wp-trac] [WordPress Trac] #49190: Consider escaping get_the_title() in default themes

Mon Jan 13 17:11:07 UTC 2020

#49190: Consider escaping get_the_title() in default themes
---------------------------+-----------------------------
 Reporter:  kjellr         |      Owner:  (none)
     Type:  defect (bug)   |     Status:  new
 Priority:  normal         |  Milestone:  Awaiting Review
Component:  Bundled Theme  |    Version:
 Severity:  normal         |   Keywords:
  Focuses:                 |
---------------------------+-----------------------------
 Twenty Twenty escapes `get_the_title()` using `esc_html()` in its
 `comments.php` file:

 https://themes.trac.wordpress.org/browser/twentytwenty/1.0/comments.php#L49

 {{{
 echo sprintf(
     /* translators: 1: number of comments, 2: post title */
     _nx(
             '%1$s reply on “%2$s”',
             '%1$s replies on “%2$s”',
             $comments_number,
             'comments title',
             'twentytwenty'
     ),
     number_format_i18n( $comments_number ),
     esc_html( get_the_title() )
 );
 }}}

 Elsewhere, the theme escapes `get_the_title()` using `wp_kses_post()`:

 https://themes.trac.wordpress.org/browser/twentytwenty/1.0/template-
 parts/navigation.php#L37

 {{{
 <span class="title"><span class="title-inner"><?php echo wp_kses_post(
 get_the_title( $prev_post->ID ) ); ?></span></span>
 }}}

 ----

 Escaping `get_the_title` one way or another seems like generally good
 practice, however none of the other default themes seem to do this
 regularly. For example:

 Twenty Nineteen:
 https://core.trac.wordpress.org/browser/tags/5.0/src/wp-
 content/themes/twentynineteen/comments.php#L52

 Twenty Seventeen:
 https://themes.trac.wordpress.org/browser/twentyseventeen/2.2/comments.php#L49

 Twenty Sixteen:
 https://themes.trac.wordpress.org/browser/twentysixteen/2.0/comments.php#L43

 Twenty Fifteen:
 https://themes.trac.wordpress.org/browser/twentyfifteen/2.5/comments.php#L43

 Twenty Fourteen:
 https://themes.trac.wordpress.org/browser/twentyfourteen/2.7/comments.php#L42

 Twenty Thirteen:
 https://themes.trac.wordpress.org/browser/twentythirteen/2.9/comments.php#L37

 Twenty Twelve:
 https://themes.trac.wordpress.org/browser/twentytwelve/2.9/comments.php#L36

 Twenty Eleven:
 https://themes.trac.wordpress.org/browser/twentyeleven/3.3/comments.php#L38

 Twenty Ten:
 https://themes.trac.wordpress.org/browser/twentyten/2.9/comments.php#L41

 Should those themes follow Twenty Twenty's lead and escaping
 `get_the_title()`?

 ----

 ''Additional relevant discussion in the _s repository, which many of these
 themes utilize:'' https://github.com/Automattic/_s/issues/1366/

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/49190>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform