esc_url() fails if the URL's scheme's case does not match the allowed protocol's case
Reported by: mdawaffe | Owned by: nacin
Steps to reproduce:
    $url = esc_url( 'HTTP://example.com' );
    var_dump( $url );
Although schemes are case-insensitive, the canonical form is lowercase and documents that specify schemes must do so with lowercase letters. An implementation should accept uppercase letters as equivalent to lowercase in scheme names (e.g., allow "HTTP" as well as "http") for the sake of robustness but should only produce lowercase scheme names for consistency.
Patch and unit tests attached.
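A scheme allowlist check that follows the guidance quoted above (accept any case, emit lowercase), shown next to an exact-case comparison that rejects `HTTP://example.com`. This is an added example, not WordPress's code or the attached patch; `example_filter_scheme()`, the sample URLs, and the empty-string return for rejected URLs are assumptions.

```php
<?php
// Hypothetical helper for illustration; not esc_url() or any WordPress function.

/**
 * Return $url with its scheme lowercased if that scheme is in $allowed,
 * or '' if the URL has no scheme or the scheme is not allowed.
 * With $case_sensitive = true the scheme is compared in its original case.
 */
function example_filter_scheme( string $url, array $allowed, bool $case_sensitive = false ): string {
    // RFC 3986 section 3.1: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
    if ( ! preg_match( '/^([A-Za-z][A-Za-z0-9+.\-]*):/', $url, $m ) ) {
        return '';
    }
    $scheme = $m[1];
    $rest   = substr( $url, strlen( $scheme ) ); // ':' and everything after it

    if ( $case_sensitive ) {
        // Exact-case comparison: 'HTTP' is not found in a lowercase allowlist.
        return in_array( $scheme, $allowed, true ) ? $url : '';
    }

    // Compare in lowercase and emit the canonical lowercase scheme.
    $lower = strtolower( $scheme );
    return in_array( $lower, $allowed, true ) ? $lower . $rest : '';
}

$allowed = array( 'http', 'https', 'mailto' );

// Constructed sample inputs.
$samples = array(
    'HTTP://example.com',
    'hTtPs://example.com/a?b=c',
    'JavaScript:void(0)',   // not on the allowlist in any case
    'example.com',          // no scheme at all
);

foreach ( $samples as $u ) {
    printf(
        "%-28s exact-case=%-24s case-insensitive=%s\n",
        $u,
        var_export( example_filter_scheme( $u, $allowed, true ), true ),
        var_export( example_filter_scheme( $u, $allowed ), true )
    );
}
```

Lowercasing before the comparison leaves the allowlist just as strict: a scheme that is not listed is rejected in either mode, and only the casing of listed schemes stops mattering.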
Change History (12)
- Component changed from General to Validation
- Keywords has-patch added
- Owner set to nacin
- Resolution set to fixed
- Status changed from new to closed