If I put `<script>alert('hello');</script>` in the title of a WordPress page with the default theme the script runs. This is expected behaviour. HTML is typically allowed in titles in WordPress. The standard WordPress function, `the_title()`, does not escape the title.

If you don’t want to allow script tags then you need to sanitize the input to strip out any unwanted tags when the post is saved. WordPress already does this for users that don’t have the `unfiltered_html` capability. It does it by using the `wp_kses_post()` function (note that this function is too slow to use for escaping on the front-end).

If you only want to remove HTML tags, but not encode any other characters, then you should use the `strip_tags()` function. It looks like you use this in Twig with `striptags`:

{{ some_html|striptags }}
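The two halves of the approach described above, sanitizing on save and escaping on output, as an added example that is not part of the original answer. It uses the real WordPress hooks and functions `wp_insert_post_data`, `wp_kses_post()`, `wp_strip_all_tags()`, `current_user_can()` and `esc_html()`; the sample title is constructed.

```php
<?php
// Added example, not code from the original answer.

// 1. Sanitize the title when the post is saved, for every author. Core only
//    runs wp_kses_post() for users without the unfiltered_html capability, so
//    this filter closes the gap for privileged users too.
add_filter( 'wp_insert_post_data', function ( array $data, array $postarr ) {
    if ( ! isset( $data['post_title'] ) ) {
        return $data;
    }

    if ( current_user_can( 'unfiltered_html' ) ) {
        // Privileged authors may keep the tags allowed in post content
        // (no <script>), mirroring what core does for everyone else.
        $data['post_title'] = wp_kses_post( $data['post_title'] );
    } else {
        // Everyone else: remove every tag, leave the remaining text untouched.
        $data['post_title'] = wp_strip_all_tags( $data['post_title'] );
    }

    return $data;
}, 10, 2 );

// 2. Defence in depth in the theme: the_title() does not escape, so escape
//    the title yourself at the point of output. esc_html() is cheap enough
//    for the front-end, unlike wp_kses_post().
function example_escaped_title_markup( string $raw_title ) : string {
    return '<h1>' . esc_html( $raw_title ) . '</h1>';
}

// Constructed sample input standing in for a stored title.
$sample_title = "Hello <script>alert('hello');</script> world";

// In a template you would pass get_the_title() instead of the sample string;
// the tag characters become entities and the browser shows them as text.
echo example_escaped_title_markup( $sample_title );
```

The save-time filter alone is enough to stop script tags from being stored; the output escaping is the belt-and-braces step for titles saved before the filter existed or written by other code paths.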