WordPress 2.1.2 does not escape < in post title (2 posts)

  1. SiD3WiNDR
    Posted 8 years ago #

    I posted something with < at the beginning of the post title and the title didn't show up in the browser; indeed it was there as raw HTML (hello <script> ;), I guess this isn't how it's intended to be? I replaced it with &lt; and now it's fine.

  2. No, that's exactly how it is intended to be.

    If you want to post raw HTML (such as scripts) then it will let you do just that. Users with lesser roles than Editor get their posts filtered. The Administrator and Editor do not.

    Specifically, there is a capability called "unfiltered_html". Three guesses what that capability is for. :)

    More info here: http://codex.wordpress.org/Roles_and_Capabilities
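
An added example, not part of the original thread and not WordPress core code: a small must-use plugin that lists which roles hold the `unfiltered_html` capability described above and removes it from the Editor role. It assumes WordPress 4.3 or later (for `wp_roles()`); the file name and the `example_` function name are hypothetical.

```php
<?php
/**
 * Added example: audit and restrict the unfiltered_html capability.
 * Assumed location (hypothetical): wp-content/mu-plugins/audit-unfiltered-html.php
 *
 * Site-wide alternative: define( 'DISALLOW_UNFILTERED_HTML', true ); in
 * wp-config.php denies the capability to every user, Administrators included.
 */

// Return the slugs of all roles that currently grant unfiltered_html.
function example_roles_with_unfiltered_html() {
    $found = array();
    foreach ( wp_roles()->role_objects as $slug => $role ) {
        if ( $role->has_cap( 'unfiltered_html' ) ) {
            $found[] = $slug;
        }
    }
    return $found;
}

// Show the audit result to administrators on admin screens.
add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $roles = example_roles_with_unfiltered_html();
    $text  = $roles
        ? 'Roles that can post unfiltered HTML: ' . implode( ', ', $roles )
        : 'No role can post unfiltered HTML.';
    // The message is escaped on output, like any other dynamic string.
    printf( '<div class="notice notice-warning"><p>%s</p></div>', esc_html( $text ) );
} );

// Hardening: Editors get their posts filtered like lesser roles.
add_action( 'init', function () {
    $editor = get_role( 'editor' );
    if ( $editor && $editor->has_cap( 'unfiltered_html' ) ) {
        // remove_cap() persists the change in the stored role definition.
        $editor->remove_cap( 'unfiltered_html' );
    }
} );
```

Removing the capability only affects content saved afterwards; markup already stored in existing posts is not rewritten.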
