This makes no sense. Why is using the_title anywhere a security vulnerability in WordPress? https://codex.wordpress.org/Theme_Development#Theme_Testing_Process
Ha, this has been known about for a while. Feel free to DM me.
I’m not sure either. That was my best guess.
Because it can be filtered?
I honestly don’t know, thus the question. Just seems like a template tag that should be escaped by default. codex.wordpress.org/Theme_Developm…
The codex says it is a security vulnerability; not sure how, at this point, it can be something that should be kept in the dark as to why.
Non-public disclosure
Not sure what that adds to the discussion, or what a DM would solve. Would love more info on the subject though.
You need to escape when putting it into an attribute. If we always escaped, it’d be mangled when outside attributes (primary/intended usage).