Greater than sign in HTML attribute not escaped properly
In a post I tried to insert a title attribute in an HTML <a> tag with a greater than sign in the title. This was with the default post editor, visual mode and insert/edit link button. The editor accepted this and displayed the post as expected. But when I published the post the “>” sign was included unchanged in the code output, producing invalid HTML and (in Chrome) not surprisingly a mangled display.
I went back and edited the code in HTML mode to replace the “>” sign with the string “&gt;”. But the editor changed this string back to “>”. Thus there seems to be no way to include this character in a title attribute.
I would suggest that as part of the publication process characters like this within HTML attributes need to be escaped properly.
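One way to do the escaping suggested above at publish time, as an added example that is not part of the original post and not the editor's own code. The names `escapeAttr` and `renderLink` are hypothetical, and the sample titles are constructed.

```javascript
// Added example: escape attribute values when the link markup is generated,
// so the result is the same whether the editor stored ">" or "&gt;".

// Matches a complete named or numeric character reference at one position.
const ENTITY = /&(?:[a-zA-Z][a-zA-Z0-9]*|#[0-9]+|#[xX][0-9a-fA-F]+);/y;

const REPLACEMENTS = { '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape a string for use inside a quoted HTML attribute value.
// Design choice (assumption): an ampersand that already starts a complete
// entity is kept as-is, so a stored "&gt;" is not double-encoded to "&amp;gt;".
function escapeAttr(value) {
  const s = String(value);
  let out = '';
  for (let i = 0; i < s.length; i++) {
    const ch = s[i];
    if (ch === '&') {
      ENTITY.lastIndex = i;            // sticky flag: test exactly at index i
      out += ENTITY.test(s) ? '&' : '&amp;';
    } else {
      out += REPLACEMENTS[ch] || ch;
    }
  }
  return out;
}

// Build the anchor from raw values; every value is escaped at output time,
// regardless of what the editor did to it earlier.
function renderLink(href, title, text) {
  return `<a href="${escapeAttr(href)}" title="${escapeAttr(title)}">` +
         `${escapeAttr(text)}</a>`;
}

// Constructed sample: the raw and the pre-escaped title give identical markup.
console.log(renderLink('/page', 'a > b', 'link'));
console.log(renderLink('/page', 'a &gt; b', 'link'));
```

Because the escaping happens when the markup is written out, an editor that converts `&gt;` back to `>` while editing no longer affects the published HTML.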