Ticket #4731 (closed defect: fixed)

Opened 1 year ago

Last modified 1 year ago

Inline tags in title attribute for post permalinks not stripped

Reported by: tarmiziaffandi
Assigned to: anonymous
Priority: highest omg bbq
Milestone: 2.3
Component: Template
Version: 2.2.2
Severity: normal
Keywords: has-patch dev-reviewed commit
Cc:

Description

Defect in the default theme.

Scenario

A WordPress (with the default theme active) user uses inline tags to format his post title: "My <em>example</em> post". But when he publishes the post, the resulting index page becomes invalid XHTML.

Defect

Here is an excerpt of the page source containing the mentioned invalid markup:

<h2><a href="http://www.example.com/posts/my-example-post/" rel="bookmark" title="Permanent Link to My <em>example</em> post">My <em>example</em> post</a></h2>

Notice that the title attribute of the a element containing the permalink has inline HTML tags (<em> and </em> in this case), which come from the post title; these are disallowed and considered invalid. The post title text itself is valid.

Cause

The markup comes from this code in the default theme source (index.php, line 10):

<h2><a href="<?php the_permalink() ?>" rel="bookmark" title="Permanent Link to <?php the_title(); ?>"><?php the_title(); ?></a></h2>

The first the_title() WordPress tag outputs the raw post title, which may contain inline HTML tags, thus making the resulting markup invalid. These tags should be stripped.

Suggested solution

The suggested solution to this problem is to strip any HTML tags resulting from the output of the the_title() tag in HTML attribute values (so that My <em>example</em> post becomes My example post). Here is my modification of the above code:

<h2><a href="<?php the_permalink() ?>" rel="bookmark" title="Permanent Link to <?php echo strip_tags(the_title('', '', false)); ?>"><?php the_title(); ?></a></h2>

The following files contain similar problems:

  • archive.php, line 36
  • attachment.php, line 14
  • search.php, line 18
  • single.php, line 13

Attachments

4731.diff (4.6 kB) - added by Nazgul on 08/29/07 00:39:07.
the_title_attribute.diff (5.1 kB) - added by ryan on 09/18/07 22:04:02.
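
The attribute-context handling this ticket is about, as an added example that is not part of the ticket, its attachments or WordPress core: a hypothetical helper, example_title_for_attribute(), strips tags as the description proposes and then encodes the characters that strip_tags() leaves in place, such as double quotes. The sample titles are constructed.

```php
<?php
// Added example: hypothetical helper, not WordPress core code.
// Prepares a post title for use inside a double-quoted HTML attribute.
function example_title_for_attribute(string $title): string
{
    // 1. Remove inline markup such as <em>...</em>, as the ticket proposes.
    $text = strip_tags($title);

    // 2. Collapse whitespace runs left behind by removed tags or line breaks.
    $text = trim(preg_replace('/\s+/', ' ', $text));

    // 3. Encode characters that are special in attribute context.
    //    strip_tags() does not touch quotes, so a title containing "
    //    would otherwise end the attribute value early.
    //    double_encode = false keeps entities already in the title
    //    (for example &amp;) from becoming &amp;amp;.
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8', false);
}

// Constructed sample titles, stored as HTML the way a post title would be.
$titles = [
    'My <em>example</em> post',
    'He said "hello" &amp; left',
    "Line one<br />\nline <strong>two</strong>",
];

foreach ($titles as $title) {
    printf(
        "<h2><a href=\"#\" rel=\"bookmark\" title=\"Permanent Link to %s\">%s</a></h2>\n",
        example_title_for_attribute($title), // attribute context: no tags, quotes encoded
        $title                               // element content keeps its inline tags
    );
}
```

For the second title, strip_tags() alone would output the double quotes unchanged and close the title attribute after "He said "; the helper emits &quot; instead.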

Change History

08/14/07 17:08:09 changed by Nazgul

  • keywords set to needs-patch.
  • milestone changed from 2.2.3 to 2.3 (trunk).

08/29/07 00:39:07 changed by Nazgul

  • attachment 4731.diff added.

08/29/07 00:39:29 changed by Nazgul

  • keywords changed from needs-patch to has-patch.

09/18/07 20:01:25 changed by markjaquith

  • priority changed from high to highest omg bbq.

That's a lot of code... maybe we need the_title_attribute()

09/18/07 20:14:37 changed by ryan

Indeed, and it should use get_post_field with attribute as the context. Also, sanitize_post_field should issue attribute_* filters so we can attach strip_tags to attribute_post_field.

We can do a less involved implementation for 2.3 that doesn't involve the filtering.

09/18/07 22:04:02 changed by ryan

  • attachment the_title_attribute.diff added.

09/18/07 22:04:18 changed by ryan

Patch adds the_title_attribute().

09/18/07 22:34:56 changed by markjaquith

  • keywords changed from has-patch to has-patch dev-reviewed commit.

Only a minor nitpick here: the output of strlen() can never be negative, so you only need to test == 0 not <= 0

Looks good, and works in testing.

09/18/07 22:50:59 changed by ryan

  • status changed from new to closed.
  • resolution set to fixed.

(In [6132]) the_title_attribute(). Props Nazgul. fixes #4731