HTML in Widget Titles

Viewing 4 replies - 1 through 4 (of 4 total)
  • Max


    Hmm, this may be of some help, I was actually looking at this today too for a site I was working on and was browsing the WP core code, and noticed there was a filter hook called “widget_title” that exists in wp-includes/default-widgets.php.

    I would imagine that possibly one may be able to create a filter that would allow this through, but I have not looked deeply enough into it yet, if I figure it out, I will update this…

    Scott Fennell


    (I am the original poster, just signed in from home, not at work, now)

    Well done, Max! I’ll write a snippet to strip the filters from that hook tomorrow. It wasn’t urgent enough for me today to dig in and find out if there was a hook for it but I sure am glad you did. More tomorrow…

    There's demand for it alright, I can think of many scenarios where we would want to do this.

    That would be very much appreciated Scott!

    Ah, this is tougher than I thought. I was hoping to be able to just use the remove_filter() function, but the world doesn’t work that way.

    Beware of hackiness below; proceed prepared to test and assess on your own…

    Option 1: Allow shortcodes in widget title:
    add_filter('widget_title', 'do_shortcode');

    With Option 1, the possibilities really are endless, but dang, that’s a lot of work to go through to just make some HTML tags. But, it’s as secure as shortcodes.

    Option 2:

    //allow html in widget title
    function lxb_change_widget_title($title) {
        //convert square brackets to angle brackets
        $title = str_replace('[', '<', $title);
        $title = str_replace(']', '>', $title);
        //strip tags other than the allowed set
        $title = strip_tags($title, '<a><blink><br><span>');
        return $title;
    }
    add_filter('widget_title', 'lxb_change_widget_title');

    With option 2, it’s a bit less work, but can expose your widget titles to script injection if you are not careful about what tags you allow. I’m really paranoid about security, if you can’t tell. I’m also wondering about compatibility with unicode characters in foreign languages (i.e., the addslashes vs mysqli_real_escape_string issue).
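Added example, not part of the original posts: a variant of Option 2 that filters attributes as well as tag names by using WordPress's wp_kses() in place of strip_tags(). It is meant for a theme's functions.php; the function names lxb_widget_title_allowed_html and lxb_kses_widget_title and the particular allow-list are assumptions made for illustration.

```php
<?php
// Added example (hypothetical function names), intended for functions.php.

// Allow-list of tags and, for each tag, the attributes that may survive.
// Any tag or attribute not listed here is removed by wp_kses().
function lxb_widget_title_allowed_html() {
    return array(
        'a'    => array( 'href' => true, 'title' => true ),
        'br'   => array(),
        'span' => array( 'class' => true ),
    );
}

function lxb_kses_widget_title( $title ) {
    // Same bracket convention as Option 2: [span] is typed, <span> is rendered.
    $title = str_replace( array( '[', ']' ), array( '<', '>' ), $title );

    // strip_tags() filters by tag name only, so an allowed <a> or <span>
    // keeps every attribute it arrived with, event handlers included.
    // wp_kses() drops attributes that are not in the allow-list and rejects
    // URL schemes outside wp_allowed_protocols() in attributes such as href.
    return wp_kses( $title, lxb_widget_title_allowed_html() );
}
add_filter( 'widget_title', 'lxb_kses_widget_title' );
```

To check it on a test site, save a widget title such as `[a href="https://example.com/" onclick="x()"]News[/a]` (a constructed sample) and compare the rendered markup with what Option 2 produces for the same title.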

  • The topic ‘HTML in Widget Titles’ is closed to new replies.