Ticket #4411: clean_url.diff

wp-includes/formatting.php

@@ -1075 +1075 @@
         return apply_filters('richedit_pre', $output);
 }
 
-function clean_url( $url, $protocols = null ) {
+function clean_url( $url, $protocols = null, $context = 'display' ) {
         if ('' == $url) return $url;
         $url = preg_replace('|[^a-z0-9-~+_.?#=!&;,/:%]|i', '', $url);
         $strip = array('%0d', '%0a');
@@ -1085 +1085 @@
         if ( strpos($url, '://') === false &&
                 substr( $url, 0, 1 ) != '/' && !preg_match('/^[a-z0-9-]+?\.php/i', $url) )
                 $url = 'http://' . $url;
-        
-        $url = preg_replace('/&([^#])(?![a-z]{2,8};)/', '&$1', $url);
+
+        if ( 'display' == $context )
+                $url = preg_replace('/&([^#])(?![a-z]{2,8};)/', '&$1', $url);
         if ( !is_array($protocols) )
                 $protocols = array('http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet'); 
         if ( wp_kses_bad_protocol( $url, $protocols ) != $url )

wp-includes/widgets.php

@@ -872 +872 @@
         $options = $newoptions = get_option('widget_rss');
         if ( $_POST["rss-submit-$number"] ) {
                 $newoptions[$number]['items'] = (int) $_POST["rss-items-$number"];
-                $url = clean_url(strip_tags(stripslashes($_POST["rss-url-$number"])));
+                $url = clean_url(strip_tags(stripslashes($_POST["rss-url-$number"])), '', 'save');
                 $newoptions[$number]['title'] = trim(strip_tags(stripslashes($_POST["rss-title-$number"])));
                 if ( $url !== $options[$number]['url'] ) {
                         require_once(ABSPATH . WPINC . '/rss.php');