Regression in v1.5.2: Ticket #731

  • I think ticket #731 “the_title() fed to JavaScript deletion confirmation should be sanitized” should be reopened.

    When a post title contains a single quote, the title is incorrectly escaped, so that the ‘Delete’ link’s ‘onclick’ target becomes invalid JavaScript.

    Internet Explorer gives me syntax error dialogs. Both IE & Firefox fail to pop up the ‘are-you-sure’ dialogue, and just delete the post.

    The code is in edit.php (line 217). The patch attached to #731 adds strip_tags(), but the code in 1.5.2 uses wp_specialchars(). The quote becomes ‘&#039;’ in the output HTML.

    (I’ve been round in circles over at ‘trac’ trying to create a new issue or add a comment to this one. Given up now, so I’m reporting it here. Fix your bug report system, guys! I’m sure that it is *possible* to make a new bug report, but you don’t make it easy or obvious.)
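
The failure reported above, reproduced as an added example (not WordPress code and not part of the original post): a title that is only HTML-escaped is decoded by the browser before the onclick text is parsed as script, so the quote returns and breaks the string literal. Every function name here is hypothetical; `htmlAttrDecode` stands in for the browser's attribute decoding, and the fixed variant escapes for the JavaScript string first and for HTML second.

```javascript
// HTML-escape for an attribute value; a single quote becomes &#039;.
function htmlEscape(s) {
  return s.replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;'
  }[c]));
}

// Stand-in for the HTML parser: entities in an attribute value are decoded
// before the script engine sees the handler text.
function htmlAttrDecode(s) {
  return s.replace(/&(amp|lt|gt|quot|#0*39);/g, (m, name) => ({
    amp: '&', lt: '<', gt: '>', quot: '"'
  }[name] || "'"));
}

// Escape for a JavaScript string literal: every character that could end
// the literal or the attribute is written as \uXXXX.
function jsStringEscape(s) {
  return s.replace(/[\\'"\n\r\u2028\u2029<>&]/g,
    c => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// HTML-escaping only: the pattern the post reports as broken.
function brokenOnclick(title) {
  return "return confirm('Delete " + htmlEscape(title) + "?')";
}

// JS-string escaping first, then HTML escaping of the whole handler.
function fixedOnclick(title) {
  return htmlEscape("return confirm('Delete " + jsStringEscape(title) + "?')");
}

// Decode the attribute, compile it as a handler, and report what a stubbed
// confirm() would have been shown, or the parse error.
function runHandler(attrValue) {
  const code = htmlAttrDecode(attrValue);
  let shown = null;
  try {
    const handler = new Function('confirm', code);
    handler(msg => { shown = msg; return false; });
    return { ok: true, shown };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

const title = "Bob's post"; // constructed sample title
console.log(runHandler(brokenOnclick(title)));
console.log(runHandler(fixedOnclick(title)));
```

When the handler fails to compile, no confirmation runs and the link's default action proceeds, which matches the unprompted deletion described in the post.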
