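--- a/src/wp-includes/customize/class-wp-customize-nav-menu-item-setting.php
+++ b/src/wp-includes/customize/class-wp-customize-nav-menu-item-setting.php
@@ -711,10 +711,13 @@ public function sanitize( $menu_item_value ) {
 $menu_item_value['description'] = wp_unslash( apply_filters( 'content_save_pre', wp_slash( $menu_item_value['description'] ) ) );
 
 if ( '' !== $menu_item_value['url'] ) {
-$menu_item_value['url'] = esc_url_raw( $menu_item_value['url'] );
-if ( '' === $menu_item_value['url'] ) {
+// Validate URL with the same regex as on the frontend
+if ( ! preg_match( '/^((\w+:)?\/\/\w.*|\w+:(?!\/\/$)|\/|\?|#)/', $menu_item_value['url'] ) ) {
 return new WP_Error( 'invalid_url', __( 'Invalid URL.' ) ); // Fail sanitization if URL is invalid.
 }
+$menu_item_value['url'] = esc_url_raw( $menu_item_value['url'] );
+} else {
+return new WP_Error( 'invalid_url', __( 'Invalid URL.' ) ); // Fail sanitization if URL is empty.
 }
 if ( 'publish' !== $menu_item_value['status'] ) {
 $menu_item_value['status'] = 'draft';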
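Review bot: The new code at new lines 715–718 drops the emptiness check the old version ran after `esc_url_raw()`, so a value that passes the regex but is reduced to an empty string by `esc_url_raw()` is now stored silently instead of failing sanitization. The `\w+:(?!\/\/$)` alternative accepts scheme-only inputs such as `javascript:alert(1)` or `data:text/html,...`, and as far as I recall `esc_url_raw()` returns `''` for a scheme outside `wp_allowed_protocols()`, which means the menu item saves with an empty URL and the user never sees the `invalid_url` error. I would keep the old post-escape guard right after the `esc_url_raw()` call: `if ( '' === $menu_item_value['url'] ) { return new WP_Error( 'invalid_url', __( 'Invalid URL.' ) ); }`. The comment `// Validate URL with the same regex as on the frontend` should name the JS file holding the twin regex so the two copies are kept in sync. `sanitize()` starts before this hunk and its body continues after it.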