Escaping and Special Characters (e.g. &)

If I put <script>alert('hello');</script> in the title of a WordPress page with the default theme the script runs. This is expected behaviour. HTML is typically allowed in titles in WordPress. The standard WordPress function, the_title(), does not escape the title.

If you don’t want to allow script tags then you need to sanitize the input to strip out any unwanted tags when the post is saved. WordPress already does for users that don’t have the unfiltered_html capability. It does it by using the wp_kses_post() function (note that this function is too slow to use for escaping on the front-end).

If you only want to remove HTML tags, but not encode any other characters, then you should use the strip_tags() function. It looks like you use this in Twig with striptags:

{{ some_html|striptags }}

Related Posts:

  1. What characters do I need to escape in XML documents?
  2. What characters must be escaped in HTML 5?
  3. How can I selectively escape percent (%) in Python strings?
  4. How do I escape a single quote in jQuery?
  5. Escape Character in SQL Server
  6. How to escape apostrophe (‘) in MySql?
  7. Should HTML output be passed through esc_html() AND wp_kses()?
  8. How to prevent escaping when saving HTML code in an option value?
  9. How to correctly escape query variables to be used in WP_Query
  10. esc_attr / esc_html / esc_url in echos
  11. When do I need to use esc_html()? [duplicate]
  12. what’s different between esc_attr, htmlspecialchars and htmlentities
  13. Allow all attributes in $allowedposttags tags
  14. When outputting a static string to the page, is it necessary to escape the output?
  15. How Flexible are the WordPress Coding Standards for PHPCS?
  16. why is esc_html() returning nothing given a string containing a high-bit character?
  17. How to properly escape a translated string?
  18. Translate a Constant while appeasing WordPress PHPCS
  19. Using esc_url() on a url more than once
  20. Do I need to escape get_theme_mod(‘url’) / (‘mail’) with esc_url?
  21. How to allow &nbsp with wp_kses()?
  22. Using esc_attr_e
  23. Why esc_html_() is not used on every text that has a translation (on Twenty Twenty One)?
  24. Escaping crashes my output
  25. How to safely escape the title attribute
  26. How to safely escape data that contains HTML attributes
  27. Can wp_strip_all_tags be used as a substitute for esc_url, esc_attr & esc_html?
  28. Echoing a URL to a link
  29. wp_kses_post escaping doesn’t appear to work as described?
  30. file_get_contents | escaping doesnt show the page
  31. Help about Escaping
  32. How to keep specific tag from an html string?
  33. Escaping Issues
  34. Escaping get_option( ‘time_format’ ) is nesserary?
  35. How should esc_url be combined with trailingslashit?
  36. Correct way of using esc_attr() and esc_html()
  37. How to Git stash pop specific stash in 1.8.3?
  38. What are all the escape characters?
  39. Which characters need to be escaped when using Bash?
  40. Escape string Python for MySQL
  41. How do I use spaces in the Command Prompt?
  42. With “magic quotes” disabled, why does PHP/WordPress continue to auto-escape my POST data?
  43. Best Practice for PHP
  44. From a security standpoint, should bloginfo() or get_bloginfo() be escaped?
  45. Escaping and sanitizing SVGs in metabox textarea
  46. Difference between esc_url() and esc_url_raw()
  47. Which WP functions do you need to use esc_html() or esc_url() on?
  48. What’s the difference between esc_* functions?
  49. What to use instead of wp_kses() in user output
  50. How to escape custom css?
  51. How to Use Wildcards in $wpdb Queries Using $wpdb->get_results & $wpdb->prepare?
  52. PHP Coding Standards, Widgets and Sanitization
  53. Should messages in WP_Error already be html escaped?
  54. When do I need to use esc_attr when using WordPress internal functions
  55. Disable escaping html
  56. Do you need to escape hard coded plain text?
  57. Escaping built-in WP function return strings
  58. How do I stop HTML entities in a custom meta box from being un-htmlentitied?
  59. Why should I escape translatable strings? and how shall i do that?
  60. esc_url not working within add_settings_field callback
  61. Do I need to use the esc_html() function on hard coded links?
  62. How Could I sanitize the receive data from this code
  63. Should you escape hardcoded URLs?
  64. Quotes being escaped inside wp_editor when saved with wp_kses_post
  65. When I re-save a post with [code] sections, the entities are double-escaped (> becomes > etc)
  66. Escape post image attachments added to template
  67. wp_query not searching with apostrophe
  68. Which escape function to use when escaping an email or plain text?
  69. Is Wrapping intval() Around esc_attr() Redundant for Escaping Input?
  70. Base64 & JSON Encode array in PHP, use as HTML data attribute, decode and parse in JavaScript …. with proper Escaping
  71. Something is unescaping all html entities before output to browser [closed]
  72. How to get my post title to work with an apostrophe (‘s)?
  73. Securing/Escaping Output of file content – reading via fread() in PHP
  74. WordPress stripping away backslashes from HTML
  75. esc_js() breaks unicode sequences by removing the slash ‘\’ character
  76. How to escape html generate by a loop
  77. How to escape multiple attribute at once in WordPress?
  78. Add HTML to Term Description
  79. Trouble inserting string containing quotations marks with wpdb in save_post hook
  80. How to be escape Variables and options when echo?
  81. Is there any solution, ide/tool etc., for automatic escaping for WordPress?
  82. product description text displays above website when in shop page [closed]
  83. Proper way to use esc_html__ and esc_attr__ etc for escaping value for translation
  84. ACF Unexpected T_CONSTANT_ENCAPSED_STRING [closed]
  85. How to pass an array as attribute of shortcode to work properly shortcode parser?
  86. how can i send this to wp_head – escape problem
  87. How to correctly escape an echo
  88. how to unescape wordpress output
  89. How to use wp_filter_oembed_result?
  90. Escaping a WPDB Object in One Shot
  91. Render the metabox input values as HTML
  92. Where is escaped the shortcode?
  93. Code auto escaping is not working when using short codes
  94. Escaping a shortcode so it displays as-is [duplicate]
  95. problem with quotes on new post
  96. Escaping data from database (users table) is necessary?
  97. Escaping admin_url output being passed to js (esc_js vs esc_url)
  98. how to escape alert/window.location.replace with variable
  99. Escaping inline JS correctly
  100. Is it necessary to use escape functions on everything or is it only necessary if you’re taking input from a 3rd party? (End Users, APIs, Etc.)