id,summary,reporter,owner,description,type,status,priority,milestone,component,version,severity,resolution,keywords,cc
13051,admin_url() and site_url() shouldn't need esc_url(),alexkingorg,ryan,"I noticed that the 3.0 codeline includes the addition of esc_url() around admin_url() like:

esc_url(admin_url());

I believe that admin_url() and site_url() should be ""safe"" functions to use and should not need escaping. Perhaps they should call esc_url() internally?

I cannot think of a viable reason to allow unsafe results from admin_url() and site_url(), though perhaps there are some internationalization edge cases that I'm not aware of.

If you really need raw access to an unsafe value in wp_options, you can use get_option() to get to it.

Another issue to consider here is input validation and stripping before saving to these fields.

If this is approved in principle, I'd be happy to produce a diff against the current code base.

I think this is very important to address before 3.0 is released as it has a significant impact on theme and plugin developers.",defect (bug),new,normal,Future Release,Security,3.0,normal,,needs-patch 2nd-opinion,dkikizas@…