#17562 closed enhancement (fixed)
esc_url() printed by the_permalink()
| Reported by: | | Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | 3.6 |
| Component: | Template | Version: | 3.2 |
| Severity: | normal | Keywords: | has-patch 3.4-early |
| Cc: | michael@… |
Description
Using Mark Jaquith's rule of escaping output as late as possible, I believe that it would be correct to use esc_url() on the output of the_permalink. It may be helpful in correcting mistakes in plugins that use the "the_permalink" filter as well.
Attachments (1)
Change History (10)
I would be interested to learn more about these cases. I use this function pretty liberally in my projects and would love to know in which situations it would double encode.
comment:4
alexkingorg — 20 months ago
This seems like the right thing to do to me as well. the_permalink() is a template function, so having output be escaped properly by default seems correct to me.
I don't believe it should lead to double-encoding issues.
comment:5
markjaquith — 20 months ago
esc_url() doesn't encode HTML entities beyond escaping level 1.
- & - level 0
- &amp; - level 1
- &amp;amp; - level 2
- Keywords 3.4-early added; dev-feedback removed
- Milestone changed from Awaiting Review to Future Release
In themes I've recently worked on, I've been adding add_filter( 'the_permalink', 'esc_url' );. This is a pretty obvious change. Let's add this in 3.4-early.
Ultimately, it will cause some issues, but it will be rare: A) htmlspecialchars() is used, rather than esc_url() or nothing, and B) the URL actually has something to be encoded, which is not particularly common at least regarding ampersands.
comment:7
wonderboymusic — 4 months ago
- Milestone changed from Future Release to 3.6
- Owner set to nacin
- Resolution set to fixed
- Status changed from new to closed
In 23527:

Filter output of the_permalink() through esc_url() before printing.
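
The escaping levels and the htmlspecialchars() case discussed in the comments above, as an added example that is not part of the ticket or of WordPress core. demo_esc_url() is a hypothetical, simplified stand-in for only the ampersand and quote handling of esc_url(), escaping_level() is a hypothetical helper, and the URL is constructed.

```php
<?php
// Hypothetical stand-in for the ampersand/quote handling of esc_url() in
// display context. Assumption: the real function also validates the protocol
// and strips disallowed characters, which is left out here.
function demo_esc_url(string $url): string {
    // Encode only ampersands that do not already begin an entity.
    $url = preg_replace('/&(?!(?:[a-z][a-z0-9]*|#[0-9]+|#x[0-9a-f]+);)/i', '&amp;', $url);
    return str_replace(['&amp;', "'"], ['&#038;', '&#039;'], $url);
}

// Hypothetical check: how many entity-decoding passes are needed before the
// string stops changing. 0 = raw, 1 = escaped once, 2 or more = double-encoded.
function escaping_level(string $s): int {
    $level = 0;
    while (($decoded = html_entity_decode($s, ENT_QUOTES | ENT_HTML401, 'UTF-8')) !== $s) {
        $s = $decoded;
        $level++;
    }
    return $level;
}

// Constructed sample permalink with a query-string ampersand.
$raw = 'http://example.test/?p=1&preview=true';

// Escaping once moves the URL from level 0 to level 1.
$once = demo_esc_url($raw);

// A theme that already does add_filter( 'the_permalink', 'esc_url' ) runs the
// value through the escaper a second time; the result stays at level 1.
$twice = demo_esc_url($once);

// Code that captures the printed permalink and passes it to htmlspecialchars()
// re-encodes the ampersand of the existing entity, which gives level 2.
$double = htmlspecialchars($once, ENT_QUOTES, 'UTF-8');

// With double_encode set to false, htmlspecialchars() leaves existing
// entities alone and the value stays at level 1.
$kept = htmlspecialchars($once, ENT_QUOTES, 'UTF-8', false);

$cases = [
    'raw' => $raw,
    'escaped once' => $once,
    'escaped twice' => $twice,
    'htmlspecialchars() after escaping' => $double,
    'htmlspecialchars(), double_encode = false' => $kept,
];
foreach ($cases as $label => $value) {
    printf("%-42s level %d  %s\n", $label, escaping_level($value), $value);
}
```

Running escaping_level() over captured template output is a quick way to find call sites that re-encode the permalink after this change.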