Hey Tony,

I've tested on my locally, if you enter the valid HTML code in discussion title e.g. :

Discussion title <img alt="My title" src="https://stackideas.cachefly.net/templates/delta/images/logo-stackideas.png" /> - test

It will strip the HTML tags correctly, so it will show like :

Discussion title - test

If you enter following post title the system will not strip it because this is not valid img html tag:

img alt="My title" src="https://stackideas.cachefly.net/templates/delta/images/logo-stackideas.png"; />

Imagine if the user want to post this kind of HTML attribute as title e..g img, alt, src or etc, it will not show on the post title.

Hello,

As my post states, you are not stripping all. To clarify further special characters in this essence.

So see my attached image this is of this post on this forum. You think that is acceptable?

You should be using a clean up script like this:

$value = strip_tags('img alt="My title" src="https://stackideas.cachefly.net/templates/delta/images/logo-stackideas.png" />');



$clean = preg_replace('/[^A-Za-z0-9]/', ' ', $value);



echo $clean;

Thanks for your suggested code, I will lock this issue into our issue tracker and we will see what we can do about it.

By the way, I'm curious, may i know what is the situation your user enter those html code into post title?

Hello Arlex,

The user was pasting it from his editor into the title.

It messed up the page display on our site because of it. Whilst a slight user error it still posses an issue as it just shouldn't be allowed. Or you should be encoding it on render.

Many thanks
Tony

You're welcome

Thanks for letting us know about it.