[issue] Special HTML characters (<, >, &) in article titles

Etz Haim · 2005-09-26 22:57:06

Latest SVN revision: Special HTML characters (<, >, &) in article titles are not properly escaped. As a result, the output of <txp:page_title /> is invalid XHTML.

PS. Please use this instead of htmlspecialchars() to escape special HTML characters without mangling the non-ASCII characters of a string.

zem · 2005-09-27 00:58:03

Special HTML characters (<, >, &)

..yet the function you suggest doesn’t touch ‘&’.

Can you elaborate on the cases this is intended to fix please?

Last edited by zem (2005-09-27 01:07:16)

Etz Haim · 2005-09-27 12:07:11

> zem wrote:

> ..yet the function you suggest doesn’t touch ‘&’.

Indeed… and this also affects a patch I’ve sent to the dev-list. But you get the idea.

(trying to be more elaborate….)

For example, and article is titled “a > b is a conditional”, and <txp:page_title separator=" :: " /> outputs:

<title> My Site Name :: a > b is a conditional </title>

which is invalid XHTML. The expected output would be:

<title> My Site Name :: a &gt; b is a conditional </title>

Last edited by Etz Haim (2005-09-27 12:24:03)

zem · 2005-09-27 14:07:37

I checked in some code that I think helps here, though it’s still not clear to me (or perhaps anyone) exactly what characters can and can’t be in article titles.

Etz Haim · 2005-09-27 14:54:15

> zem wrote:

> it’s still not clear to me (or perhaps anyone) exactly what characters can and can’t be in article titles.

Indeed. If it helps, I think that quotes should are correctly escaped, in case the title is used inside a HTML attribute. Ampersands should also be escaped, and it was my mistake I hadn’t noticed the function I suggested doesn’t touch them.

zem · 2005-09-27 23:00:58

Ampersands should also be escaped, and it was my mistake I hadn’t noticed the function I suggested doesn’t touch them.

I’m not sure that is the case. I can find article titles containing numeric entities, but none containing raw ampersands.

Anyone have a counterexample?

Etz Haim · 2005-09-28 11:32:35

> zem wrote:

> I’m not sure that is the case. I can find article titles containing numeric entities, but none containing raw ampersands.

Yes you are right. But I’ve found article titles generated by <txp:title /> that contain ><‘s (using the latest SVN, of course, on a test site on TXD).

Last edited by Etz Haim (2005-09-28 11:35:35)

igner · 2005-10-07 13:39:01

Simply encoding all “<” and “>” creates issues with article titles that include markup (such as  or ). Since article titles get rendered in the body, I think barring the use of markup in titles is overly restrictive. Previously this worked properly in the body, though the <title> included the tags (so I’d get page titles like The New Pornographers, Mass Romantic). Now the page title is correct, but the body is incorrect.

Personally, I’d be content with allowing a strict subset of tags in titles – , ,  seems reasonable. From a logical perspective, perhaps the best solution would be to exclude the “allowed” tags from the encoding when the title is written to the database, then strip them out entirely in the page title.

Thoughts?

Etz Haim · 2005-10-07 15:15:02

What you’re suggesting is an abuse of HTML markup. The W3C validator will tell you that none of , ,  and the like can be embedded inside a <title> element.

igner · 2005-10-07 15:48:00

No, you misunderstand me.

exclude the “allowed” tags from the encoding when the title is written to the database, then strip them out entirely in the page title.

A single escaping scheme won’t work, since the article title gets used in two different elements depending on context: the <title> and <body>. When the article title appears in the <body> element (in either article list or individual article mode), , , etc. are perfectly valid within a title, but otherwise special characters still need to be escaped. When the article title gets appended to the <title> element, then strip out the otherwise acceptable tags entirely, and encode the remaining entities.

[Edited for typos and clarity]

Last edited by igner (2005-10-07 15:49:44)

wet · 2005-10-08 02:18:48

Wouldn’t it suffice if titles were entered with Textile markup as requested previously?

One would be able to use that aforementioned limited set of HTML markup (, ,..) without introducing actual need for escapement. Rev. 1002 introduces a per-article “use textile” preference which could be applied to titles as well in order to avoid undesired side effects.

zem · 2005-10-08 04:07:37

Wouldn’t it suffice if titles were entered with Textile markup as requested previously?

That won’t help with existing page titles.

Textpattern CMS

Textpattern CMS support forum

#1 2005-09-26 22:57:06

[issue] Special HTML characters (<, >, &) in article titles

#2 2005-09-27 00:58:03

Re: [issue] Special HTML characters (<, >, &) in article titles

#3 2005-09-27 12:07:11

Re: [issue] Special HTML characters (<, >, &) in article titles

#4 2005-09-27 14:07:37

Re: [issue] Special HTML characters (<, >, &) in article titles

#5 2005-09-27 14:54:15

Re: [issue] Special HTML characters (<, >, &) in article titles

#6 2005-09-27 23:00:58

Re: [issue] Special HTML characters (<, >, &) in article titles

#7 2005-09-28 11:32:35

Re: [issue] Special HTML characters (<, >, &) in article titles

#8 2005-10-07 13:39:01

Re: [issue] Special HTML characters (<, >, &) in article titles

#9 2005-10-07 15:15:02

Re: [issue] Special HTML characters (<, >, &) in article titles

#10 2005-10-07 15:48:00

Re: [issue] Special HTML characters (<, >, &) in article titles

#11 2005-10-08 02:18:48

Re: [issue] Special HTML characters (<, >, &) in article titles

#12 2005-10-08 04:07:37

Re: [issue] Special HTML characters (<, >, &) in article titles

Board footer