
Regression in v1.5.2: Ticket #731 (1 post)

  1. alex_tingle
    Member
    Posted 8 years ago #

    I think ticket #731 "the_title() fed to JavaScript deletion confirmation should be sanitized" (http://trac.wordpress.org/ticket/731) should be reopened.

    When a post title contains a single quote, the title is incorrectly escaped, so that the 'Delete' link's 'onclick' target becomes invalid JavaScript.

    Internet Explorer gives me syntax error dialogs. Both IE & Firefox fail to pop up the 'are-you-sure' dialogue, and just delete the post.

    The code is in edit.php (line 217). The patch attached to #731 adds strip_tags(), but the code in 1.5.2 uses wp_specialchars(). The quote becomes '& # 0 3 9 ;' in the output HTML.

    (I've been round in circles over at 'trac' trying to create a new issue or add a comment to this one. Given up now, so I'm reporting it here. Fix your bug report system, guys! I'm sure that it is *possible* to make a new bug report, but you don't make it easy or obvious.)
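
Why an HTML-escaped quote still breaks an `onclick` handler, as an added example that is not part of the original post and is not WordPress code: the HTML parser decodes `&#039;` back to `'` before the attribute text is compiled as JavaScript. All function names and the sample title are constructed for illustration, the decoder handles only the entities the escaper emits, and the fix shown (escape for the JavaScript string first, then for HTML) is one standard approach, not necessarily the change WordPress made.

```javascript
// HTML-escape a value for an attribute; the single quote becomes &#039;.
function htmlEscape(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
          .replace(/"/g, '&quot;').replace(/'/g, '&#039;');
}

// What the HTML parser does to an attribute value before the script engine
// sees it (simplified: only the entities produced by htmlEscape).
function htmlDecodeAttr(s) {
  return s.replace(/&#0*39;/g, "'").replace(/&quot;/g, '"')
          .replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&amp;/g, '&');
}

// Behaviour described in the post: the title is HTML-escaped only, then
// placed inside a single-quoted JavaScript string in the onclick attribute.
function brokenHandler(title) {
  return "return confirm('Delete " + htmlEscape(title) + "?')";
}

// Escape for the innermost context first (JavaScript string literal via
// JSON.stringify), then for the outer context (HTML attribute).
function fixedHandler(title) {
  return 'return confirm(' + htmlEscape(JSON.stringify('Delete ' + title + '?')) + ')';
}

// Simulate the browser: decode the attribute, compile it as a handler body,
// and run it with a stub confirm() that records the message and cancels.
function runHandler(attrValue) {
  const source = htmlDecodeAttr(attrValue);
  let shown = null;
  try {
    const handler = new Function('confirm', source);
    handler((msg) => { shown = msg; return false; });
  } catch (e) {
    return { ok: false, error: e.name, source };
  }
  return { ok: true, shown, source };
}

const title = "Alex's post"; // constructed sample title with a single quote
console.log(runHandler(brokenHandler(title)));
console.log(runHandler(fixedHandler(title)));
```

When the handler fails to compile, nothing returns `false` to cancel the click, which matches the reported behaviour of the link being followed without a confirmation dialog.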

Topic Closed

This topic has been closed to new replies.
