[wp-trac] [WordPress Trac] #49190: Consider escaping get_the_title() in default themes
WordPress Trac
noreply at wordpress.org
Fri Jan 17 01:04:19 UTC 2020
#49190: Consider escaping get_the_title() in default themes
---------------------------+------------------------------
Reporter: kjellr | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Bundled Theme | Version:
Severity: normal | Resolution:
Keywords: | Focuses:
---------------------------+------------------------------
Comment (by kjellr):
> WordPress core runs KSES on the post's title as it's saved so the
> content in the database is considered safe. Therefore there is no need to
> run wp_kses_post() on title. It's the same process that makes escaping
> the_content() unnecessary.
That was my initial assumption, before seeing that suggestion in `_s`.
There's some conflicting information on the code reference page that
should be clarified:
https://developer.wordpress.org/reference/functions/get_the_title/#comment-2150
Searching around the web seems to result in similar confusion. Just as one
example, this CSS Tricks article initially suggested that
`get_the_title()` was escaped by default, only to reverse that via a post
update:
https://css-tricks.com/introduction-to-wordpress-front-end-security-escaping-the-things/
In any case, if `get_the_title()` does not need to be escaped,
[attachment:"49190.diff"] should correct the use of `esc_html()`.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/49190#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
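A self-contained sketch, added here as an illustration and not code from the ticket, the attached diff or WordPress core, of why "filtered by KSES on save" and "escaped on output" are different operations. kses_like_filter() is a deliberately simplified stand-in for the title_save_pre KSES filter (which core only applies for users lacking the unfiltered_html capability), and html_escape() does what esc_html() and esc_attr() do at their core via htmlspecialchars(); it runs under plain PHP with no WordPress loaded.

```php
<?php
// Added example, not WordPress code: why save-time KSES filtering and
// output-time escaping answer different questions in a theme template.

// Stand-in for the KSES filter hooked to title_save_pre: keep an allowlist
// of inline tags, drop everything else. Real wp_kses() also filters
// attributes and URL protocols; keeping tag names is enough for the point.
function kses_like_filter(string $title): string {
    return strip_tags($title, '<em><strong><code>');
}

// The core of both esc_html() and esc_attr(): encode <, >, &, " and '.
// The two differ in the output context they are meant for, not in what
// they encode.
function html_escape(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Render an already-filtered (stored) title in the contexts a theme uses.
function render_title_contexts(string $stored_title): array {
    return [
        // HTML body, no further escaping: allowed <em> renders as markup,
        // and the disallowed <script> tag was already removed on save.
        'heading_raw'      => '<h2>' . $stored_title . '</h2>',
        // HTML body wrapped in esc_html(): the allowed <em> is now shown
        // as literal text, which is the breakage the ticket is discussing.
        'heading_esc_html' => '<h2>' . html_escape($stored_title) . '</h2>',
        // Attribute context: KSES never touched the double quote, so an
        // attribute still needs esc_attr() (this is what
        // the_title_attribute() does: strip_tags() plus esc_attr()).
        'link_title_attr'  => '<a href="#" title="'
            . html_escape(strip_tags($stored_title)) . '">read more</a>',
    ];
}

// Constructed input: an allowed <em>, a double quote, a disallowed <script>.
$raw_title    = 'Say <em>hi</em> "there"<script>alert(1)</script>';
$stored_title = kses_like_filter($raw_title);

foreach (render_title_contexts($stored_title) as $context => $html) {
    printf("%-17s %s\n", $context . ':', $html);
}
```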