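diff --git a/src/wp-includes/class-wp-customize-manager.php b/src/wp-includes/class-wp-customize-manager.php
index 03732ca08a..7809608e69 100644
--- a/src/wp-includes/class-wp-customize-manager.php
+++ b/src/wp-includes/class-wp-customize-manager.php
@@ -2111,7 +2111,7 @@ final class WP_Customize_Manager {
 $exported_setting_validities = array_map( array( $this, 'prepare_setting_validity_for_js' ), $setting_validities );
 
 // Note that the REQUEST_URI is not passed into home_url() since this breaks subdirectory installations.
-$self_url = empty( $_SERVER['REQUEST_URI'] ) ? home_url( '/' ) : esc_url_raw( wp_unslash( $_SERVER['REQUEST_URI'] ) );
+$self_url = empty( $_SERVER['REQUEST_URI'] ) ? home_url( '/' ) : sanitize_url( wp_unslash( $_SERVER['REQUEST_URI'] ) );
 $state_query_params = array(
 'customize_theme',
 'customize_changeset_uuid',
@@ -2158,7 +2158,7 @@ final class WP_Customize_Manager {
 ),
 'url' => array(
 'self' => $self_url,
-'allowed' => array_map( 'esc_url_raw', $this->get_allowed_urls() ),
+'allowed' => array_map( 'sanitize_url', $this->get_allowed_urls() ),
 'allowedHosts' => array_unique( $allowed_hosts ),
 'isCrossDomain' => $this->is_cross_domain(),
 ),
@@ -4574,7 +4574,7 @@ final class WP_Customize_Manager {
 * @param string $preview_url URL to be previewed.
 */
 public function set_preview_url( $preview_url ) {
-$preview_url = esc_url_raw( $preview_url );
+$preview_url = sanitize_url( $preview_url );
 $this->preview_url = wp_validate_redirect( $preview_url, home_url( '/' ) );
 }
 
@@ -4662,7 +4662,7 @@ final class WP_Customize_Manager {
 * @param string $return_url URL for return link.
 */
 public function set_return_url( $return_url ) {
-$return_url = esc_url_raw( $return_url );
+$return_url = sanitize_url( $return_url );
 $return_url = remove_query_arg( wp_removable_query_args(), $return_url );
 $return_url = wp_validate_redirect( $return_url );
 $this->return_url = $return_url;
@@ -4894,15 +4894,15 @@ final class WP_Customize_Manager {
 '_canInstall' => current_user_can( 'install_themes' ),
 ),
 'url' => array(
-'preview' => esc_url_raw( $this->get_preview_url() ),
-'return' => esc_url_raw( $this->get_return_url() ),
-'parent' => esc_url_raw( admin_url() ),
-'activated' => esc_url_raw( home_url( '/' ) ),
-'ajax' => esc_url_raw( admin_url( 'admin-ajax.php', 'relative' ) ),
-'allowed' => array_map( 'esc_url_raw', $this->get_allowed_urls() ),
+'preview' => sanitize_url( $this->get_preview_url() ),
+'return' => sanitize_url( $this->get_return_url() ),
+'parent' => sanitize_url( admin_url() ),
+'activated' => sanitize_url( home_url( '/' ) ),
+'ajax' => sanitize_url( admin_url( 'admin-ajax.php', 'relative' ) ),
+'allowed' => array_map( 'sanitize_url', $this->get_allowed_urls() ),
 'isCrossDomain' => $this->is_cross_domain(),
-'home' => esc_url_raw( home_url( '/' ) ),
-'login' => esc_url_raw( $login_url ),
+'home' => sanitize_url( home_url( '/' ) ),
+'login' => sanitize_url( $login_url ),
 ),
 'browser' => array(
 'mobile' => wp_is_mobile(),
@@ -6006,7 +6006,7 @@ final class WP_Customize_Manager {
 return new WP_Error( 'invalid_value', __( 'Invalid value for background size.' ) );
 }
 } elseif ( 'background_image' === $setting->id || 'background_image_thumb' === $setting->id ) {
-$value = empty( $value ) ? '' : esc_url_raw( $value );
+$value = empty( $value ) ? '' : sanitize_url( $value );
 } else {
 return new WP_Error( 'unrecognized_setting', __( 'Unrecognized background setting.' ) );
 }
@@ -6079,7 +6079,7 @@ final class WP_Customize_Manager {
 * @return mixed
 */
 public function _validate_external_header_video( $validity, $value ) {
-$video = esc_url_raw( $value );
+$video = sanitize_url( $value );
 if ( $video ) {
 if ( ! preg_match( '#^https?://(?:www\.)?(?:youtube\.com/watch|youtu\.be/)#', $video ) ) {
 $validity->add( 'invalid_url', __( 'Please enter a valid YouTube URL.' ) );
@@ -6097,7 +6097,7 @@ final class WP_Customize_Manager {
 * @return string Sanitized URL.
 */
 public function _sanitize_external_header_video( $value ) {
-return esc_url_raw( trim( $value ) );
+return sanitize_url( trim( $value ) );
 }
 
 /**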
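diff --git a/src/wp-includes/class-wp-theme.php b/src/wp-includes/class-wp-theme.php
index c2398fb4eb..2e313c4c3b 100644
--- a/src/wp-includes/class-wp-theme.php
+++ b/src/wp-includes/class-wp-theme.php
@@ -888,7 +888,7 @@ final class WP_Theme implements ArrayAccess {
 break;
 case 'ThemeURI':
 case 'AuthorURI':
-$value = esc_url_raw( $value );
+$value = sanitize_url( $value );
 break;
 case 'Tags':
 $value = array_filter( array_map( 'trim', explode( ',', strip_tags( $value ) ) ) );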
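diff --git a/src/wp-includes/customize/class-wp-customize-nav-menu-item-setting.php b/src/wp-includes/customize/class-wp-customize-nav-menu-item-setting.php
index 8e35e32238..b0e3ae4a5e 100644
--- a/src/wp-includes/customize/class-wp-customize-nav-menu-item-setting.php
+++ b/src/wp-includes/customize/class-wp-customize-nav-menu-item-setting.php
@@ -726,7 +726,7 @@ class WP_Customize_Nav_Menu_Item_Setting extends WP_Customize_Setting {
 $menu_item_value['description'] = wp_unslash( apply_filters( 'content_save_pre', wp_slash( $menu_item_value['description'] ) ) );
 
 if ( '' !== $menu_item_value['url'] ) {
-$menu_item_value['url'] = esc_url_raw( $menu_item_value['url'] );
+$menu_item_value['url'] = sanitize_url( $menu_item_value['url'] );
 if ( '' === $menu_item_value['url'] ) {
 return new WP_Error( 'invalid_url', __( 'Invalid URL.' ) ); // Fail sanitization if URL is invalid.
 }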
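diff --git a/src/wp-includes/default-filters.php b/src/wp-includes/default-filters.php
index 391796517c..25d98ede38 100644
--- a/src/wp-includes/default-filters.php
+++ b/src/wp-includes/default-filters.php
@@ -72,7 +72,7 @@ foreach ( array(
 'pre_post_guid',
 ) as $filter ) {
 add_filter( $filter, 'wp_strip_all_tags' );
-add_filter( $filter, 'esc_url_raw' );
+add_filter( $filter, 'sanitize_url' );
 add_filter( $filter, 'wp_filter_kses' );
 }
 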
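diff --git a/src/wp-includes/deprecated.php b/src/wp-includes/deprecated.php
index ec4c4678f5..ff6ce82497 100644
--- a/src/wp-includes/deprecated.php
+++ b/src/wp-includes/deprecated.php
@@ -2041,7 +2041,7 @@ function get_link( $bookmark_id, $output = OBJECT, $filter = 'raw' ) {
 */
 function clean_url( $url, $protocols = null, $context = 'display' ) {
 if ( $context == 'db' )
-_deprecated_function( 'clean_url( $context = \'db\' )', '3.0.0', 'esc_url_raw()' );
+_deprecated_function( 'clean_url( $context = \'db\' )', '3.0.0', 'sanitize_url()' );
 else
 _deprecated_function( __FUNCTION__, '3.0.0', 'esc_url()' );
 return esc_url( $url, $protocols, $context );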
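diff --git a/src/wp-includes/embed.php b/src/wp-includes/embed.php
index bc0806e1e2..f894578ad8 100644
--- a/src/wp-includes/embed.php
+++ b/src/wp-includes/embed.php
@@ -426,7 +426,7 @@ function get_post_embed_url( $post = null ) {
 * @param string $embed_url The post embed URL.
 * @param WP_Post $post The corresponding post object.
 */
-return esc_url_raw( apply_filters( 'post_embed_url', $embed_url, $post ) );
+return sanitize_url( apply_filters( 'post_embed_url', $embed_url, $post ) );
 }
 
 /**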
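diff --git a/src/wp-includes/general-template.php b/src/wp-includes/general-template.php
index d2ad7373f2..6ab4f4dd39 100644
--- a/src/wp-includes/general-template.php
+++ b/src/wp-includes/general-template.php
@@ -4759,10 +4759,10 @@ function get_the_generator( $type = '' ) {
 $gen = '<generator uri="https://wordpress.org/" version="' . esc_attr( get_bloginfo_rss( 'version' ) ) . '">WordPress</generator>';
 break;
 case 'rss2':
-$gen = '<generator>' . esc_url_raw( 'https://wordpress.org/?v=' . get_bloginfo_rss( 'version' ) ) . '</generator>';
+$gen = '<generator>' . sanitize_url( 'https://wordpress.org/?v=' . get_bloginfo_rss( 'version' ) ) . '</generator>';
 break;
 case 'rdf':
-$gen = '<admin:generatorAgent rdf:resource="' . esc_url_raw( 'https://wordpress.org/?v=' . get_bloginfo_rss( 'version' ) ) . '" />';
+$gen = '<admin:generatorAgent rdf:resource="' . sanitize_url( 'https://wordpress.org/?v=' . get_bloginfo_rss( 'version' ) ) . '" />';
 break;
 case 'comment':
 $gen = '<!-- generator="WordPress/' . esc_attr( get_bloginfo( 'version' ) ) . '" -->';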
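diff --git a/src/wp-includes/link-template.php b/src/wp-includes/link-template.php
index dbebd3bded..fc1a89fd29 100644
--- a/src/wp-includes/link-template.php
+++ b/src/wp-includes/link-template.php
@@ -2343,7 +2343,7 @@ function adjacent_post_link( $format, $link, $in_same_term = false, $excluded_te
 *
 * @param int $pagenum Optional. Page number. Default 1.
 * @param bool $escape Optional. Whether to escape the URL for display, with esc_url(). Defaults to true.
-* Otherwise, prepares the URL with esc_url_raw().
+* Otherwise, prepares the URL with sanitize_url().
 * @return string The link URL for the given page number.
 */
 function get_pagenum_link( $pagenum = 1, $escape = true ) {
@@ -2410,7 +2410,7 @@ function get_pagenum_link( $pagenum = 1, $escape = true ) {
 if ( $escape ) {
 return esc_url( $result );
 } else {
-return esc_url_raw( $result );
+return sanitize_url( $result );
 }
 }
 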
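diff --git a/src/wp-includes/ms-deprecated.php b/src/wp-includes/ms-deprecated.php
index c06f35ddc5..9085545bdd 100644
--- a/src/wp-includes/ms-deprecated.php
+++ b/src/wp-includes/ms-deprecated.php
@@ -378,7 +378,7 @@ function get_blogaddress_by_domain( $domain, $path ) {
 $url = 'http://' . $domain . $path;
 }
 }
-return esc_url_raw( $url );
+return sanitize_url( $url );
 }
 
 /**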
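diff --git a/src/wp-includes/nav-menu.php b/src/wp-includes/nav-menu.php
index 24a7fc66ef..63969287d7 100644
--- a/src/wp-includes/nav-menu.php
+++ b/src/wp-includes/nav-menu.php
@@ -573,7 +573,7 @@ function wp_update_nav_menu_item( $menu_id = 0, $menu_item_db_id = 0, $menu_item
 $args['menu-item-xfn'] = implode( ' ', array_map( 'sanitize_html_class', explode( ' ', $args['menu-item-xfn'] ) ) );
 update_post_meta( $menu_item_db_id, '_menu_item_classes', $args['menu-item-classes'] );
 update_post_meta( $menu_item_db_id, '_menu_item_xfn', $args['menu-item-xfn'] );
-update_post_meta( $menu_item_db_id, '_menu_item_url', esc_url_raw( $args['menu-item-url'] ) );
+update_post_meta( $menu_item_db_id, '_menu_item_url', sanitize_url( $args['menu-item-url'] ) );
 
 if ( 0 == $menu_id ) {
 update_post_meta( $menu_item_db_id, '_menu_item_orphaned', (string) time() );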
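diff --git a/src/wp-includes/rest-api.php b/src/wp-includes/rest-api.php
index f05142baac..81156911c3 100644
--- a/src/wp-includes/rest-api.php
+++ b/src/wp-includes/rest-api.php
@@ -710,7 +710,7 @@ function rest_send_cors_headers( $value ) {
 if ( $origin ) {
 // Requests from file:// and data: URLs send "Origin: null".
 if ( 'null' !== $origin ) {
-$origin = esc_url_raw( $origin );
+$origin = sanitize_url( $origin );
 }
 header( 'Access-Control-Allow-Origin: ' . $origin );
 header( 'Access-Control-Allow-Methods: OPTIONS, GET, POST, PUT, PATCH, DELETE' );
@@ -993,12 +993,12 @@ function rest_output_link_header() {
 return;
 }
 
-header( sprintf( 'Link: <%s>; rel="https://api.w.org/"', esc_url_raw( $api_root ) ), false );
+header( sprintf( 'Link: <%s>; rel="https://api.w.org/"', sanitize_url( $api_root ) ), false );
 
 $resource = rest_get_queried_resource_route();
 
 if ( $resource ) {
-header( sprintf( 'Link: <%s>; rel="alternate"; type="application/json"', esc_url_raw( rest_url( $resource ) ) ), false );
+header( sprintf( 'Link: <%s>; rel="alternate"; type="application/json"', sanitize_url( rest_url( $resource ) ) ), false );
 }
 }
 
@@ -2795,7 +2795,7 @@ function rest_sanitize_value_from_schema( $value, $args, $param = '' ) {
 return sanitize_text_field( $value );
 
 case 'uri':
-return esc_url_raw( $value );
+return sanitize_url( $value );
 
 case 'ip':
 return sanitize_text_field( $value );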
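diff --git a/src/wp-includes/rest-api/class-wp-rest-server.php b/src/wp-includes/rest-api/class-wp-rest-server.php
index c38914c7bf..19b362a4ca 100644
--- a/src/wp-includes/rest-api/class-wp-rest-server.php
+++ b/src/wp-includes/rest-api/class-wp-rest-server.php
@@ -284,7 +284,7 @@ class WP_REST_Server {
 
 $api_root = get_rest_url();
 if ( ! empty( $api_root ) ) {
-$this->send_header( 'Link', '<' . esc_url_raw( $api_root ) . '>; rel="https://api.w.org/"' );
+$this->send_header( 'Link', '<' . sanitize_url( $api_root ) . '>; rel="https://api.w.org/"' );
 }
 
 /*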
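diff --git a/src/wp-includes/rest-api/endpoints/class-wp-rest-menu-items-controller.php b/src/wp-includes/rest-api/endpoints/class-wp-rest-menu-items-controller.php
index f25be71bef..825833505d 100644
--- a/src/wp-includes/rest-api/endpoints/class-wp-rest-menu-items-controller.php
+++ b/src/wp-includes/rest-api/endpoints/class-wp-rest-menu-items-controller.php
@@ -860,7 +860,7 @@ class WP_REST_Menu_Items_Controller extends WP_REST_Posts_Controller {
 return true;
 }
 
-if ( esc_url_raw( $url ) ) {
+if ( sanitize_url( $url ) ) {
 return true;
 }
 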
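diff --git a/src/wp-includes/rest-api/endpoints/class-wp-rest-url-details-controller.php b/src/wp-includes/rest-api/endpoints/class-wp-rest-url-details-controller.php
index b7d58faefa..c9ac6675d0 100644
--- a/src/wp-includes/rest-api/endpoints/class-wp-rest-url-details-controller.php
+++ b/src/wp-includes/rest-api/endpoints/class-wp-rest-url-details-controller.php
@@ -45,7 +45,7 @@ class WP_REST_URL_Details_Controller extends WP_REST_Controller {
 'required' => true,
 'description' => __( 'The URL to process.' ),
 'validate_callback' => 'wp_http_validate_url',
-'sanitize_callback' => 'esc_url_raw',
+'sanitize_callback' => 'sanitize_url',
 'type' => 'string',
 'format' => 'uri',
 ),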
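diff --git a/src/wp-includes/script-loader.php b/src/wp-includes/script-loader.php
index ae68e688f8..61e8a1d210 100644
--- a/src/wp-includes/script-loader.php
+++ b/src/wp-includes/script-loader.php
@@ -337,7 +337,7 @@ function wp_default_packages_inline_scripts( $scripts ) {
 'wp-api-fetch',
 sprintf(
 'wp.apiFetch.use( wp.apiFetch.createRootURLMiddleware( "%s" ) );',
-esc_url_raw( get_rest_url() )
+sanitize_url( get_rest_url() )
 ),
 'after'
 );
@@ -750,7 +750,7 @@ function wp_default_scripts( $scripts ) {
 'wp-api-request',
 'wpApiSettings',
 array(
-'root' => esc_url_raw( get_rest_url() ),
+'root' => sanitize_url( get_rest_url() ),
 'nonce' => wp_installing() ? '' : wp_create_nonce( 'wp_rest' ),
 'versionString' => 'wp/v2/',
 )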
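diff --git a/src/wp-includes/theme.php b/src/wp-includes/theme.php
index 55e2d13789..2e7e1dbbb8 100644
--- a/src/wp-includes/theme.php
+++ b/src/wp-includes/theme.php
@@ -1179,7 +1179,7 @@ function get_header_image() {
 $url = get_random_header_image();
 }
 
-return esc_url_raw( set_url_scheme( $url ) );
+return sanitize_url( set_url_scheme( $url ) );
 }
 
 /**
@@ -1428,7 +1428,7 @@ function get_uploaded_header_images() {
 }
 
 foreach ( (array) $headers as $header ) {
-$url = esc_url_raw( wp_get_attachment_url( $header->ID ) );
+$url = sanitize_url( wp_get_attachment_url( $header->ID ) );
 $header_data = wp_get_attachment_metadata( $header->ID );
 $header_index = $header->ID;
 
@@ -1589,7 +1589,7 @@ function get_header_video_url() {
 return false;
 }
 
-return esc_url_raw( set_url_scheme( $url ) );
+return sanitize_url( set_url_scheme( $url ) );
 }
 
 /**
@@ -1806,7 +1806,7 @@ function _custom_background_cb() {
 $style = $color ? "background-color: #$color;" : '';
 
 if ( $background ) {
-$image = ' background-image: url("' . esc_url_raw( $background ) . '");';
+$image = ' background-image: url("' . sanitize_url( $background ) . '");';
 
 // Background Position.
 $position_x = get_theme_mod( 'background_position_x', get_theme_support( 'custom-background', 'default-position-x' ) );
@@ -2146,7 +2146,7 @@ function get_editor_stylesheets() {
 // Support externally referenced styles (like, say, fonts).
 foreach ( $editor_styles as $key => $file ) {
 if ( preg_match( '~^(https?:)?//~', $file ) ) {
-$stylesheets[] = esc_url_raw( $file );
+$stylesheets[] = sanitize_url( $file );
 unset( $editor_styles[ $key ] );
 }
 }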
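diff --git a/src/wp-includes/update.php b/src/wp-includes/update.php
index 1c9a7cbeb6..04c8aa3ec2 100644
--- a/src/wp-includes/update.php
+++ b/src/wp-includes/update.php
@@ -430,7 +430,7 @@ function wp_update_plugins( $extra_stats = array() ) {
 continue;
 }
 
-$hostname = wp_parse_url( esc_url_raw( $plugin_data['UpdateURI'] ), PHP_URL_HOST );
+$hostname = wp_parse_url( sanitize_url( $plugin_data['UpdateURI'] ), PHP_URL_HOST );
 
 /**
 * Filters the update response for a given plugin hostname.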
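diff --git a/src/wp-includes/user.php b/src/wp-includes/user.php
index 0511a8a890..b36619ac9a 100644
--- a/src/wp-includes/user.php
+++ b/src/wp-includes/user.php
@@ -4158,8 +4158,8 @@ All at ###SITENAME###
 $content = str_replace( '###SITENAME###', $email_data['sitename'], $content );
 $content = str_replace( '###USER_EMAIL###', $email_data['user_email'], $content );
 $content = str_replace( '###DESCRIPTION###', $email_data['description'], $content );
-$content = str_replace( '###MANAGE_URL###', esc_url_raw( $email_data['manage_url'] ), $content );
-$content = str_replace( '###SITEURL###', esc_url_raw( $email_data['siteurl'] ), $content );
+$content = str_replace( '###MANAGE_URL###', sanitize_url( $email_data['manage_url'] ), $content );
+$content = str_replace( '###SITEURL###', sanitize_url( $email_data['siteurl'] ), $content );
 
 $headers = '';
 
@@ -4399,7 +4399,7 @@ All at ###SITENAME###
 
 $content = str_replace( '###SITENAME###', $email_data['sitename'], $content );
 $content = str_replace( '###PRIVACY_POLICY_URL###', $email_data['privacy_policy_url'], $content );
-$content = str_replace( '###SITEURL###', esc_url_raw( $email_data['siteurl'] ), $content );
+$content = str_replace( '###SITEURL###', sanitize_url( $email_data['siteurl'] ), $content );
 
 $headers = '';
 
@@ -4720,10 +4720,10 @@ All at ###SITENAME###
 $content = apply_filters( 'user_request_action_email_content', $content, $email_data );
 
 $content = str_replace( '###DESCRIPTION###', $email_data['description'], $content );
-$content = str_replace( '###CONFIRM_URL###', esc_url_raw( $email_data['confirm_url'] ), $content );
+$content = str_replace( '###CONFIRM_URL###', sanitize_url( $email_data['confirm_url'] ), $content );
 $content = str_replace( '###EMAIL###', $email_data['email'], $content );
 $content = str_replace( '###SITENAME###', $email_data['sitename'], $content );
-$content = str_replace( '###SITEURL###', esc_url_raw( $email_data['siteurl'] ), $content );
+$content = str_replace( '###SITEURL###', sanitize_url( $email_data['siteurl'] ), $content );
 
 $headers = '';
 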
diff --git a/src/wp-includes/widgets.php b/src/wp-includes/widgets.php
index 4aaa6112b2..639c59afa1 100644
function wp_widget_rss_process( $widget_rss, $check_feed = true ) { |
1767 | 1767 | if ( $items < 1 || 20 < $items ) { |
1768 | 1768 | $items = 10; |
1769 | 1769 | } |
1770 | | $url = esc_url_raw( strip_tags( $widget_rss['url'] ) ); |
| 1770 | $url = sanitize_url( strip_tags( $widget_rss['url'] ) ); |
1771 | 1771 | $title = isset( $widget_rss['title'] ) ? trim( strip_tags( $widget_rss['title'] ) ) : ''; |
1772 | 1772 | $show_summary = isset( $widget_rss['show_summary'] ) ? (int) $widget_rss['show_summary'] : 0; |
1773 | 1773 | $show_author = isset( $widget_rss['show_author'] ) ? (int) $widget_rss['show_author'] : 0; |