Titles aren’t being filtered – Gutenberg crashes

Hi @moviedebuts,

Sorry to hear you’ve been having trouble here.

I’m aware of this issue and I believe it was resolved in

https://github.com/WordPress/gutenberg/issues/34602#issuecomment-923901650

However, if you are on the latest version of the Gutenberg Plugin and you can still reproduce the error then please do recomment on that Issue (tag me @getdave) above with steps to reproduce and someone will take a look.

I’ll leave this post open for a while to allow you time to respond.

The title field should accept only numbers and letters. Right now it appears to accept any kind of junk.

The filtering code is in place, but the object replacement character was a special case which – because it was in use internally – was able to evade some of the filtering.

Can you provide any other specific examples of other characters that are evading the filtering mechanics?

I’ve brought up this issue various times over the last year and now it needs to be fixed.

Out of interest, please could you let me know where you have brought this up as I’d like to investigate why it wasn’t addresses earlier.

All the very best,

Here’s my post of a year ago:

https://www.ads-software.com/support/topic/title-bug-in-latest-gutenberg-plug/#post-13789231

Thanks.

@get_dave

I’m using the current version of the plugin and the ? code was not removed from the headline or the link:

Be Thrilled and Chilled for “Hunktoberfest” as Chippendales Create the Sexiest and Spookiest Playground for Halloween?

https://vegaspublicity.com/10698/be-thrilled-and-chilled-for-hunktoberfest-as-chippendales-create-the-sexiest-and-spookiest-playground-for-halloween%ef%bf%bc.html

@get_dave

Also, it’s not stripping out carriage returns. Anything pasted into the title field should result in one continuous line of clean characters.

Bryan

Be Thrilled and Chilled for “Hunktoberfest” as Chippendales Create the Sexiest and Spookiest Playground for Halloween?

I tried copying/pasting this exact text and it seemed to be clean in both editor and front end.

Also, it’s not stripping out carriage returns. Anything pasted into the title field should result in one continuous line of clean characters.

I pasted in a string of text with carriage returns in it and it creates

1. A title containing the content before the CR.
2. A paragraph block containing the content after the CR.

I believe that is an intention feature rather than an error.

If you see this error still exists then it would be greatly appreciated if you could raise an Issue report on the Gutenberg Github repo. Please include all the information the template requests to ensure it can be reproduced and debugged.

Looking forward to getting to the bottom of this.

@get_dave

I think what you cut & pasted was the browser’s graphic representation of the OBJ and not the object itself.

Just minutes ago, I had the problem again:

Celebrate International Day of the Nacho at Miracle Mile Shops?

And I also had another variation today. I copied a headline from a press release and it looked fine but when I posted the article the title was BOLD. The headline I cut & pasted had and tags in it. I had no way of knowing this until after the fact.

You should know by now that all this junk needs to be stripped out when a title is created. You already have the code in some of the sidebar fields.

Dave, I’m a content guy not a Github guy. It’s up to you to fix this properly.

Hi @moviedebuts

I’ll do what I can with the information you’ve provided.

I’ll leave this post open.

Hello @get_dave, we are having this issue. It only happen for editors using MacOs, but only shows at Windows machines.

If a MacOs user copy the headling from https://g1.globo.com/mt/mato-grosso/noticia/2022/03/08/mulher-que-matou-amiga-com-facada-no-peito-em-mt-e-condenada-a-10-anos-de-prisao.ghtml and paste into post title and hit save, it adds the [OBJ] or the url encode %ef%bf%bc.

Mulher é condenada a 10 anos de pris?o por matar a amiga com facada no peito em?

• This reply was modified 2 years, 8 months ago by egoncalves.com.br. Reason: adding extra info

This problem is far worse than I thought. The WP team doesn’t get this but a large percentage of us get our content via email. The people who send those emails often insert various tags including HTML – but when we cut & paste into WP we can’t see the tags!!!

That means all kinds of hidden HTML code can be hidden in a title and we might never notice.

This is not only a security risk but a useless feature that someone thought would be good. It isn’t. Anyone who wants bold titles should change it in the style sheet.

@get_dave – this was a big mistake. Please admit it and change the title field back to filter out everything except text.

incidentally, this had nothing to do with MacOS. I’m on Windows. And this problem bites me in the ass every day. The only way to fix it is to go to All Posts and do a quick edit on the title and link. This sucks. I’m tired of it.

@get_dave – It’s been almost a year since you made the terrible mistake of allowing HTML code in the titles. I explained the problems in the previous message including the security risk.

You fixed 500 bugs in the latest version of Gutenberg. Why hasn’t this been fixed?

Bryan Eggers

Hello @get_dave and all…

I wanted to add my voice to this issue and hopefully shed some more light on the problem.

For us it started by copy/pasting post titles that came from an email or Word Doc into the post title field.

Often, I would remember to use the paste without formatting command in OS X Option + Shift + Command + V and the problem would not occur.

Other times I would forget and simply use command v to paste the title. There was no indication of anything wrong as I created the post. It is only after the post was published. When I went back to the admin screen that show all the posts together in a list I would see the?OBJ next to the title.

The fix that I found for this was to edit the title (for example, remove one character), update the post and then replace the character I removed and update again. This would clear out the OBJ.

Now, I have noticed something even more interesting. I can add scripts into my titles. I can even link the title to another webpage! Below is a gif that shows this in action. This is on a clean install of WordPress (Version 6.1.1). I removed all the plugins and all the themes. The activated theme is Twenty Twenty-Three.

NOTE: please forgive my not closing the opening script tag in the video. I just realized I did that! Here is a screenshot of the same error.

Reference:

Issues when pasting into post title field
#38637
https://github.com/WordPress/gutenberg/issues/38637

Rich Text: also strip object replacement character when removing padding
#34851
https://github.com/WordPress/gutenberg/pull/34851

Object Replacement Character in post title crashes Gutenberg 11.4.0/11.4.1
#34602
https://github.com/WordPress/gutenberg/issues/34602

• This reply was modified 2 years ago by willhouse.
• This reply was modified 2 years ago by willhouse.
• This reply was modified 2 years ago by willhouse.
• This reply was modified 2 years ago by willhouse.
• This reply was modified 2 years ago by willhouse.
• This reply was modified 2 years ago by willhouse.

Allowing embedded code in titles was the stupidest idea the programmers ever introduced.
As you pointed out, this is also a potential security violation.

However, someone at WordPress thinks this is a great idea so they won’t fix it. They should be fired.

The title field should strip out all code leaving a continuous line of text.

This is another example of the programmers’ apparent need to screw around with everything including features that worked fine.

I’m really disgusted about this.