• I was looking through the markup on my site when I noticed this widget was outputting invalid HTML for posts whose title contains characters like " (quotation marks), for instance

    <a href="<url>" title="The Final 1 Champion Farisha Ishak: "When I Hugged My Family, The Tears Came"">

    This breaks the title attribute, although the widget still displays fine (because modern browser HTML parsers are not picky).

    I noticed that on line 1126 of wordpress-popularposts.php the developer used htmlspecialchars, but that wouldn’t be enough because the $title is displayed as an attribute and not as content between HTML tags. esc_attr should be used instead

    https://www.ads-software.com/plugins/wordpress-popular-posts/

Viewing 4 replies - 1 through 4 (of 4 total)
  • There are more bugs in this part of the code. For example, on line 1567 html_entity_decode is called. And of course everything works fine unless… the title contains some HTML entities…

    Plugin Author Hector Cabrera

    (@hcabrera)

    Hi mediumdeviation,

    Thanks for the notice. Will use esc_attr instead!

    @krzysiek Dróżdż: why would the title contain HTML entities? Could you please post an example?

    why would the title contain HTML entities? Could you please post an example?

    And why wouldn’t it? WordPress allows you to do it. HTML tags and HTML entities aren’t stripped from (nor encoded in) the title, so you can use them in there. (The the_title filter does not encode HTML entities placed in the title.)

    I don’t remember what the exact problem was in this case, but I’m pretty sure it had something to do with placing &nbsp; or & or UTF-8 strings or HTML tags in the title. (Yes, you can do this.)

    Generally, the problem is that you html_entity_decode some string that is the result of concatenating other strings, and you assume that all those strings are HTML-entity encoded, but they’re not.
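    The two failure modes raised in this thread, a raw quotation mark reaching a title attribute and html_entity_decode being run over already-assembled markup, can be reproduced side by side. The following is an added illustration, not code from the plugin or from either poster: the sample title and the example.invalid URL are constructed, and esc_attr_like() is a simplified stand-in (an assumption) for WordPress's esc_attr(), using plain htmlspecialchars with ENT_QUOTES and double_encode disabled, so it is not a faithful copy of the WordPress function.

```php
<?php
// Added illustration, not the plugin's code. Shows how a post title containing a
// double quote and a pre-existing entity fares under two output strategies.

// Constructed sample input: a title with a raw " and an existing &amp; entity.
$title = 'The Final 1 Champion Farisha Ishak: "When I Hugged My Family" &amp; more';
$url   = 'https://example.invalid/post'; // placeholder URL, not a real address

// Strategy A (the pattern discussed in the thread): escape the title, build the
// markup by concatenation, then html_entity_decode the whole string. The decode
// step reverses the escaping, so &quot; becomes a raw " inside the attribute
// and terminates the title attribute early.
function render_decoded(string $url, string $title): string {
    $html = '<a href="' . $url . '" title="' . htmlspecialchars($title) . '">'
          . htmlspecialchars($title) . '</a>';
    return html_entity_decode($html);
}

// Strategy B: escape each value exactly once, at the point where it is placed
// into the attribute, and never decode the assembled markup afterwards.
// Simplified stand-in (assumption) for WordPress esc_attr(): ENT_QUOTES covers
// both quote styles; double_encode=false leaves entities already in the title
// alone instead of turning &amp; into &amp;amp;.
function esc_attr_like(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', false);
}

function render_escaped(string $url, string $title): string {
    return '<a href="' . esc_attr_like($url) . '" title="' . esc_attr_like($title) . '">'
         . esc_attr_like($title) . '</a>';
}

// Defensive check a theme or plugin test could run over rendered output: the
// title attribute must contain no raw double quote and must be immediately
// followed by the closing > of the tag.
function attribute_is_intact(string $html): bool {
    if (!preg_match('/title="([^"]*)"/', $html, $m)) {
        return false;
    }
    return strpos($html, 'title="' . $m[1] . '">') !== false;
}

echo "Strategy A (escape, concatenate, decode):", PHP_EOL, render_decoded($url, $title), PHP_EOL;
echo "Attribute intact? ", attribute_is_intact(render_decoded($url, $title)) ? 'yes' : 'no', PHP_EOL, PHP_EOL;

echo "Strategy B (escape once at output):", PHP_EOL, render_escaped($url, $title), PHP_EOL;
echo "Attribute intact? ", attribute_is_intact(render_escaped($url, $title)) ? 'yes' : 'no', PHP_EOL;
```

    Running it with `php` shows Strategy A producing a title attribute cut off at the first embedded quote, while Strategy B keeps the whole title inside the attribute. The point to carry away is the one made above: decoding is only safe on a string you know to be entirely entity-encoded, and a concatenated fragment of markup is never that, so escaping belongs at the output boundary with no decode step after it.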

    Plugin Author Hector Cabrera

    (@hcabrera)

    I see, thanks for the detailed explanation. Will think about it and see what I can do.

  • The topic ‘Bug: Title attribute not properly escaped’ is closed to new replies.