WordPress 2.1.2 does not escape < in post title

  • I posted something with < at the beginning of the post title and the title didn’t show up in the browser; indeed it was there as raw HTML (hello <script> ;). I guess this isn’t how it’s intended to be? I replaced it with &lt; and now it’s fine.

  • No, that’s exactly how it is intended to be.

    If you want to post raw HTML (such as scripts) then it will let you do just that. Users with lesser roles than Editor get their posts filtered. The Administrator and Editor do not.

    Specifically, there is a capability called “unfiltered_html”. Three guesses what that capability is for. 🙂

    More info here: http://codex.wordpress.org/Roles_and_Capabilities

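An added example, not part of the original thread and not WordPress core code: a small must-use plugin sketch that audits which roles hold the `unfiltered_html` capability mentioned in the reply, revokes it from the Editor role, and escapes post titles on front-end output. It assumes a current WordPress install; every function prefixed `example_` is a hypothetical name.

```php
<?php
/*
 * Added example: audit and restrict the unfiltered_html capability.
 * Assumption: dropped into wp-content/mu-plugins/ on a current WordPress install.
 * A site-wide alternative is define( 'DISALLOW_UNFILTERED_HTML', true ); in wp-config.php.
 */

// Return the slug of every role that currently holds unfiltered_html.
function example_roles_with_unfiltered_html() {
    $holders = array();
    foreach ( wp_roles()->role_objects as $slug => $role ) {
        if ( $role->has_cap( 'unfiltered_html' ) ) {
            $holders[] = $slug;
        }
    }
    return $holders;
}

// Revoke the capability from Editors so their titles and content are filtered on save.
function example_revoke_editor_unfiltered_html() {
    $editor = get_role( 'editor' );
    if ( $editor && $editor->has_cap( 'unfiltered_html' ) ) {
        $editor->remove_cap( 'unfiltered_html' ); // stored with the role definition
    }
}
add_action( 'init', 'example_revoke_editor_unfiltered_html' );

// Defence in depth: escape titles when rendered on the front end.
// Trade-off: markup intentionally placed in a title is displayed as text.
function example_escape_title( $title ) {
    return is_admin() ? $title : esc_html( $title );
}
add_filter( 'the_title', 'example_escape_title', 99 );

// Log the remaining holders once per request for review (constructed log format).
add_action( 'init', function () {
    error_log( 'unfiltered_html roles: ' . implode( ', ', example_roles_with_unfiltered_html() ) );
}, 20 );
```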