Regression in v1.5.2: Ticket #731
I think ticket #731 “the_title() fed to JavaScript deletion confirmation should be sanitized” (https://trac.www.ads-software.com/ticket/731) should be reopened.
When a post title contains a single quote, the title is incorrectly escaped, so that the ‘Delete’ link’s ‘onclick’ target becomes invalid JavaScript.
Internet Explorer gives me syntax error dialogs. Both IE & Firefox fail to pop up the ‘are-you-sure’ dialogue, and just delete the post.
The code is in edit.php (line 217). The patch attached to #731 adds strip_tags(), but the code in 1.5.2 uses wp_specialchars(). The quote becomes ‘&#039;’ in the output HTML.

(I’ve been round in circles over at ‘trac’ trying to create a new issue or add a comment to this one. Given up now, so I’m reporting it here. Fix your bug report system guys! I’m sure that it is *possible* to make a new bug report, but you don’t make it easy or obvious.)
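Added example (not code from the post or from WordPress) modelling why entity-escaping alone breaks the onclick handler: the browser HTML-decodes the attribute value first, so ‘&#039;’ turns back into a raw quote before the JavaScript parser sees it. The htmlEscape/htmlUnescape helpers are simplified stand-ins for wp_specialchars() and the browser's attribute decoding; the onclick builders and parsesAsJs are assumptions for illustration.

```javascript
// Simplified stand-in for wp_specialchars(): entity-escape the five HTML metacharacters.
const ENT = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
function htmlEscape(s) { return s.replace(/[&<>"']/g, c => ENT[c]); }

// Simplified model of the browser decoding an attribute value before running it.
const UNENT = { '&amp;': '&', '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#039;': "'", '&#39;': "'" };
function htmlUnescape(s) { return s.replace(/&(?:amp|lt|gt|quot|#0?39);/g, m => UNENT[m]); }

// Buggy pattern (as the post describes 1.5.2): the title is escaped for HTML only,
// then dropped into a JS string literal inside the onclick attribute.
function onclickEntityOnly(title) {
  return `return confirm('Delete ${htmlEscape(title)}?');`;
}

// Hardened pattern: escape for the innermost context first (JS string literal,
// via JSON.stringify), then for the outer context (HTML attribute).
function onclickLayered(title) {
  const js = `return confirm(${JSON.stringify('Delete ' + title + '?')});`;
  return htmlEscape(js);
}

// Model of what the browser does with the attribute: HTML-decode it, then parse
// it as a function body. Returns true if it is valid JavaScript (nothing is run).
function parsesAsJs(attrValue) {
  const code = htmlUnescape(attrValue);
  try {
    new Function(code);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Constructed sample title containing the apostrophe that triggers the bug.
const SAMPLE_TITLE = "Why I'm here";
console.log('entity-only parses:', parsesAsJs(onclickEntityOnly(SAMPLE_TITLE))); // false
console.log('layered parses:', parsesAsJs(onclickLayered(SAMPLE_TITLE)));       // true
```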