• In a post I tried to insert a title attribute in an HTML < a > tag with a greater than sign in the title. This was with the default post editor, visual mode and insert/edit link button. The editor accepted this and displayed the post as expected. But when I published the post the “>” sign was included unchanged in the code output, producing invalid HTML and (in Chrome) not surprisingly a mangled display.

    I went back and edited the code in HTML mode to replace the “>” sign with the string “&gt;”. But the editor changed this string back to “>”. Thus there seems to be no way to include this character in a title attribute.

    I would suggest that as part of the publication process characters like this within HTML attributes need to be escaped properly.

Viewing 1 replies (of 1 total)
  • Thread Starter peterkirk

    (@peterkirk)

    Oh dear, the above was originally mangled because of a similar bug in the forum, which means that even the string ampersand-“a”-“m”-“p”-“;”-“g”-“t”-“;” was converted into a greater than sign, and even an escaped a attribute was turned into an actual attribute. After several attempts at editing I got it displaying more or less correctly, but I still had to leave a space between “<” and the following “a” to avoid this being misinterpreted as markup.

  • The topic ‘Greater than sign in HTML attribute not escaped properly’ is closed to new replies.
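
The behaviour the thread asks for, as an added example that is not part of the original posts and is not WordPress or editor code: attribute values are encoded once on output and decoded once, in a single pass, when loaded for editing, so a “>” in a title is published as an entity and a typed entity stays text. All function names are hypothetical and the sample values are constructed.

```javascript
// Added example; function names are hypothetical, not WordPress or editor APIs.
const ENCODE = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const DECODE = Object.fromEntries(Object.entries(ENCODE).map(([ch, ent]) => [ent, ch]));

// Encode raw text for a quoted attribute value (also safe for element text).
function escapeAttr(raw) {
  return String(raw).replace(/[&<>"']/g, (ch) => ENCODE[ch]);
}

// Decode exactly one level, in a single pass, so "&amp;gt;" becomes "&gt;"
// and never ">". Decoding repeatedly is what turns typed entities into markup.
function unescapeAttr(encoded) {
  return String(encoded).replace(/&(?:amp|lt|gt|quot|#39);/g, (ent) => DECODE[ent]);
}

// Publication step: every value is escaped at the point it enters the markup.
// URL scheme checks for href are out of scope here.
function renderLink(href, title, text) {
  return `<a href="${escapeAttr(href)}" title="${escapeAttr(title)}">${escapeAttr(text)}</a>`;
}

// Editor round trip: stored markup is decoded once for editing and encoded
// once on save, so the stored form is stable across repeated edits.
function roundTrip(storedTitle, times) {
  let stored = storedTitle;
  for (let i = 0; i < times; i++) stored = escapeAttr(unescapeAttr(stored));
  return stored;
}

// Constructed sample input: a title with a greater-than sign, and a title in
// which the author literally typed the four characters of the entity.
function demo() {
  return {
    published: renderLink('https://example.com/', 'a > b', 'link'),
    typedEntity: escapeAttr('&gt;'),
    afterThreeEdits: roundTrip('a &gt; b', 3),
  };
}

console.log(demo());
```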