[wp-trac] [WordPress Trac] #49190: Consider escaping get_the_title() in default themes

WordPress Trac noreply at wordpress.org
Thu Jan 16 21:46:46 UTC 2020


#49190: Consider escaping get_the_title() in default themes
---------------------------+------------------------------
 Reporter:  kjellr         |       Owner:  (none)
     Type:  defect (bug)   |      Status:  new
 Priority:  normal         |   Milestone:  Awaiting Review
Component:  Bundled Theme  |     Version:
 Severity:  normal         |  Resolution:
 Keywords:                 |     Focuses:
---------------------------+------------------------------

Comment (by kjellr):

 > It shouldn't be using esc_html() on the title, because titles can
 contain markup, so you've identified a bug in the comment.php.

 Makes sense! Would `wp_kses_post()` be a suitable replacement in these
 cases? It seems like we wouldn't want to eliminate those `em` or `bold`
 tags entirely, and something like `strip_tags()` or `esc_attr()` would do
 that.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/49190#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
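The difference the comment is weighing, shown as an added PHP illustration rather than code from the ticket or from WordPress core. Because the core functions need WordPress loaded, the script uses stand-ins: `htmlspecialchars()` for `esc_html()`, PHP's own `strip_tags()`, and a deliberately simplified allow-list filter (`kses_post_like()`, a hypothetical helper) standing in for `wp_kses_post()`. The sample title is constructed.

```php
<?php
// Added illustration, not code from the ticket or from WordPress core.
// Assumed stand-ins for the functions discussed in the ticket:
//   esc_html()     -> htmlspecialchars() with ENT_QUOTES
//   strip_tags()   -> PHP's own strip_tags()
//   wp_kses_post() -> kses_post_like(), a simplified allow-list filter
//                     (the real function has a far larger allow list and
//                     keeps some attributes, such as href on <a>)

// Constructed sample title: legitimate <em> markup plus an injected
// attribute and a script element that a sanitizer is expected to remove.
$title = 'Hello <em onclick="alert(1)">World</em> <script>alert(2)</script>';

// Output escaping: everything becomes literal text, so the <em> no longer
// renders as emphasis. Safe, but it breaks the markup titles may contain.
function esc_html_like(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Allow-list sanitising (simplified): keep only a few inline tags, drop
// every attribute, and remove script/style elements together with their
// content. Anything not on the list is removed, not encoded.
function kses_post_like(string $s): string
{
    $allowed = ['em', 'strong', 'b', 'i', 'code'];

    // Remove script/style blocks including their body.
    $s = preg_replace('#<(script|style)\b[^>]*>.*?</\1>#is', '', $s);

    // Rewrite every remaining tag: allowed tags survive without attributes,
    // all other tags are dropped.
    return preg_replace_callback(
        '#</?([a-z0-9]+)[^>]*>#i',
        function (array $m) use ($allowed): string {
            $tag = strtolower($m[1]);
            if (!in_array($tag, $allowed, true)) {
                return '';
            }
            $closing = $m[0][1] === '/';
            return $closing ? "</$tag>" : "<$tag>";
        },
        $s
    );
}

printf("esc_html:        %s\n", esc_html_like($title));
// Hello &lt;em onclick=&quot;alert(1)&quot;&gt;World&lt;/em&gt; ...

printf("strip_tags:      %s\n", strip_tags($title));
// Hello World alert(2)   <- tags gone, but the script body is kept as text

printf("strip_tags <em>: %s\n", strip_tags($title, '<em>'));
// Hello <em onclick="alert(1)">World</em> alert(2)
//   <- allowing a tag with strip_tags() keeps its attributes, so the
//      event handler survives; this is why it is not a sanitiser

printf("kses_post_like:  %s\n", kses_post_like($title));
// Hello <em>World</em>   <- emphasis kept, attribute and script removed
```

The third line is the check worth remembering: `strip_tags()` with an allowed-tag list only filters tag names, never attributes, so it cannot be used to keep `em` or `strong` safely. `esc_html()` is safe but turns the markup into visible text; an allow-list filter such as `wp_kses_post()` is the only one of the three that both keeps the inline tags and removes the rest.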

