Opened 4 months ago

Closed 2 months ago

#23266 closed defect (bug) (fixed)

Replace esc_attr() with esc_url() for form action URLs

Reported by: SergeyBiryukov Owned by: ryan
Priority: normal Milestone: 3.6
Component: Formatting Version:
Severity: normal Keywords: has-patch
Cc: DrewAPicture

Description

We use esc_attr() for form action URLs in some places. esc_url() should be used instead.

Attachments (1)

23266.patch (3.1 KB) - added by SergeyBiryukov 4 months ago.

Download all attachments as: .zip

Change History (6)

SergeyBiryukov4 months ago

comment:2   DrewAPicture4 months ago

  • Cc DrewAPicture added

+1. Probably wouldn't hurt to rope in some of the others that don't use escaping at all such as in several Multisite files and all over the place really.

I could only find a few instances where esc_url() was used in conjunction with admin_url(), self_admin_url(), site_url() and the like. Not sure if it's even needed.

Here's an ack of the files/lines lacking escaping or misusing esc_attr() as already covered in @SergeyBiryukov's patch: https://gist.github.com/4598774

comment:5   ryan2 months ago

  • Owner set to ryan
  • Resolution set to fixed
  • Status changed from new to closed

In 23739:

Escape form action urls with esc_url() rather than esc_attr().

Props SergeyBiryukov
fixes #23266

Note: See TracTickets for help on using tickets.