WordPress 1.5 Ampersand Escaping Bug

I found an irritating bug in WordPress 1.5: ampersands in blogroll URLs don’t get properly escaped. Thus, blogrolls that contains URL with ampersand in it don’t validate.

Quick fix: modify wp-includes/links.php around line 206 like this (add the line with + in front of it)

if (” != $target) {
$target = ” target=’$target'”;
+ $the_link = htmlspecialchars($the_link);


  1. Actually, I recommend using htmlentities2(), which will add encoding for entities, but only if they are not already encoded.

    For example, if you add a properly encoded url to your link manager, e.g. “http://example.com/?q=foo&z=bar”, htmlspecialchars will encode the amp, giving you:


    The htmlentities2() function detects already-encoded entities, and leaves them alone. (it’s found in wp-includes/functions.php, and the code came from php.net, BTW)

  2. #5: I’m not even sure if this is the correct place to fix that, the problem probably lies somewhere else. I haven’t checked the wordpress source code thoroughly.

    #6: Actually, I’m not very fond of this ‘dualism’, in this context and especially in comments. It should be either we escape all data, or we don’t escape them at all, or else we would have trouble unescaping. I would prefer escaping everything to be sure we are generating correct HTML. Comment posters can copy paste from character map if they really need to insert funny characters. If they need formatting, use something like wiki syntax, bbcode or markdown. No need to use hacks like balancetags. OK, enough rambling for now :)

    #7: That’s the real world example why I don’t like this escaping ‘dualism’. It is very hard to insert HTML in comments :)

  3. Satu hal yang terasa lebih manusiawi di site ini setelah upgrade itu apa coba? sy ndak ngeliat ada “Pesan untuk ganti pake firefox…” :-)

    Pesan ini bikin mehe, bukan apa-apa, saya browsing postingan blog itu pake Desktop RSS aggregator, jarang saya punya kesempatan buat blogwalking dengan browser. Masalahnya hampir semua RSS aggregator yang ada di windows itu make embedded HTML engine punyanya IE.

    moga-moga itu pesan ndak perlu dimunculin lagi deh. saran yang baik sebenarnya sih, cuman… agak mengganggu kenyamanan.. :-)

  4. #10, #11: iya tadi lagi ngoprek template, saya hilangkan deh kalau itu mengganggu. nanti saya cari cara lain untuk promo yang tidak intrusif :)

Leave a comment

Your email address will not be published. Required fields are marked *