Make WordPress Core

Ticket #55852: 55852-5.diff

File 55852-5.diff, 32.7 KB (added by benjgrolleau, 2 years ago)
  • src/wp-admin/edit-tag-form.php

    diff --git a/src/wp-admin/edit-tag-form.php b/src/wp-admin/edit-tag-form.php
    index d0d8f4af5e..7c22cf471d 100644
    a b if ( $message ) { 
    8383<div id="message" class="notice notice-<?php echo $class; ?>">
    8484        <p><strong><?php echo $message; ?></strong></p>
    8585        <?php if ( $wp_http_referer ) { ?>
    86         <p><a href="<?php echo esc_url( wp_validate_redirect( esc_url_raw( $wp_http_referer ), admin_url( 'term.php?taxonomy=' . $taxonomy ) ) ); ?>">
     86        <p><a href="<?php echo esc_url( wp_validate_redirect( sanitize_url( $wp_http_referer ), admin_url( 'term.php?taxonomy=' . $taxonomy ) ) ); ?>">
    8787                <?php echo esc_html( $tax->labels->back_to_items ); ?>
    8888        </a></p>
    8989        <?php } ?>
  • src/wp-admin/edit-tags.php

    diff --git a/src/wp-admin/edit-tags.php b/src/wp-admin/edit-tags.php
    index c0bd5b2e35..3111c51069 100644
    a b switch ( $wp_list_table->current_action() ) { 
    160160                        wp_die( __( 'You attempted to edit an item that does not exist. Perhaps it was deleted?' ) );
    161161                }
    162162
    163                 wp_redirect( esc_url_raw( get_edit_term_link( $term_id, $taxonomy, $post_type ) ) );
     163                wp_redirect( sanitize_url( get_edit_term_link( $term_id, $taxonomy, $post_type ) ) );
    164164                exit;
    165165
    166166        case 'editedtag':
  • src/wp-admin/includes/ajax-actions.php

    diff --git a/src/wp-admin/includes/ajax-actions.php b/src/wp-admin/includes/ajax-actions.php
    index e39739883e..1714302437 100644
    a b function _wp_ajax_delete_comment_response( $comment_id, $delta = -1 ) { 
    431431        $total    = isset( $_POST['_total'] ) ? (int) $_POST['_total'] : 0;
    432432        $per_page = isset( $_POST['_per_page'] ) ? (int) $_POST['_per_page'] : 0;
    433433        $page     = isset( $_POST['_page'] ) ? (int) $_POST['_page'] : 0;
    434         $url      = isset( $_POST['_url'] ) ? esc_url_raw( $_POST['_url'] ) : '';
     434        $url      = isset( $_POST['_url'] ) ? sanitize_url( $_POST['_url'] ) : '';
    435435
    436436        // JS didn't send us everything we need to know. Just die with success message.
    437437        if ( ! $total || ! $per_page || ! $page || ! $url ) {
    function wp_ajax_send_link_to_editor() { 
    33333333                $src = 'http://' . $src;
    33343334        }
    33353335
    3336         $src = esc_url_raw( $src );
     3336        $src = sanitize_url( $src );
    33373337        if ( ! $src ) {
    33383338                wp_send_json_error();
    33393339        }
  • src/wp-admin/includes/class-custom-background.php

    diff --git a/src/wp-admin/includes/class-custom-background.php b/src/wp-admin/includes/class-custom-background.php
    index df246313f4..3cb560237c 100644
    a b class Custom_Background { 
    526526                wp_update_attachment_metadata( $id, wp_generate_attachment_metadata( $id, $file ) );
    527527                update_post_meta( $id, '_wp_attachment_is_custom_background', get_option( 'stylesheet' ) );
    528528
    529                 set_theme_mod( 'background_image', esc_url_raw( $url ) );
     529                set_theme_mod( 'background_image', sanitize_url( $url ) );
    530530
    531531                $thumbnail = wp_get_attachment_image_src( $id, 'thumbnail' );
    532                 set_theme_mod( 'background_image_thumb', esc_url_raw( $thumbnail[0] ) );
     532                set_theme_mod( 'background_image_thumb', sanitize_url( $thumbnail[0] ) );
    533533
    534534                /** This action is documented in wp-admin/includes/class-custom-image-header.php */
    535535                do_action( 'wp_create_file_in_uploads', $file, $id ); // For replication.
    class Custom_Background { 
    618618
    619619                $url       = wp_get_attachment_image_src( $attachment_id, $size );
    620620                $thumbnail = wp_get_attachment_image_src( $attachment_id, 'thumbnail' );
    621                 set_theme_mod( 'background_image', esc_url_raw( $url[0] ) );
    622                 set_theme_mod( 'background_image_thumb', esc_url_raw( $thumbnail[0] ) );
     621                set_theme_mod( 'background_image', sanitize_url( $url[0] ) );
     622                set_theme_mod( 'background_image_thumb', sanitize_url( $thumbnail[0] ) );
    623623                exit;
    624624        }
    625625}
  • src/wp-admin/includes/class-custom-image-header.php

    diff --git a/src/wp-admin/includes/class-custom-image-header.php b/src/wp-admin/includes/class-custom-image-header.php
    index c5efc071e1..ffad8879bb 100644
    a b endif; 
    11591159                                return;
    11601160                        }
    11611161
    1162                         $choice['url'] = esc_url_raw( $choice['url'] );
     1162                        $choice['url'] = sanitize_url( $choice['url'] );
    11631163
    11641164                        $header_image_data = (object) array(
    11651165                                'attachment_id' => $choice['attachment_id'],
    endif; 
    11971197                        }
    11981198                }
    11991199
    1200                 set_theme_mod( 'header_image', esc_url_raw( $header_image_data['url'] ) );
     1200                set_theme_mod( 'header_image', sanitize_url( $header_image_data['url'] ) );
    12011201                set_theme_mod( 'header_image_data', $header_image_data );
    12021202        }
    12031203
  • src/wp-admin/includes/export.php

    diff --git a/src/wp-admin/includes/export.php b/src/wp-admin/includes/export.php
    index 852f7d54ad..14e21dce38 100644
    a b function export_wp( $args = array() ) { 
    632632                        <wp:comment_id><?php echo (int) $c->comment_ID; ?></wp:comment_id>
    633633                        <wp:comment_author><?php echo wxr_cdata( $c->comment_author ); ?></wp:comment_author>
    634634                        <wp:comment_author_email><?php echo wxr_cdata( $c->comment_author_email ); ?></wp:comment_author_email>
    635                         <wp:comment_author_url><?php echo esc_url_raw( $c->comment_author_url ); ?></wp:comment_author_url>
     635                        <wp:comment_author_url><?php echo sanitize_url( $c->comment_author_url ); ?></wp:comment_author_url>
    636636                        <wp:comment_author_IP><?php echo wxr_cdata( $c->comment_author_IP ); ?></wp:comment_author_IP>
    637637                        <wp:comment_date><?php echo wxr_cdata( $c->comment_date ); ?></wp:comment_date>
    638638                        <wp:comment_date_gmt><?php echo wxr_cdata( $c->comment_date_gmt ); ?></wp:comment_date_gmt>
  • src/wp-admin/includes/media.php

    diff --git a/src/wp-admin/includes/media.php b/src/wp-admin/includes/media.php
    index 95a29d5e52..56825012f0 100644
    a b function wp_media_upload_handler() { 
    917917                         * @param string $src   Media source URL.
    918918                         * @param string $title Media title.
    919919                         */
    920                         $html = apply_filters( "{$type}_send_to_editor_url", $html, esc_url_raw( $src ), $title );
     920                        $html = apply_filters( "{$type}_send_to_editor_url", $html, sanitize_url( $src ), $title );
    921921                } else {
    922922                        $align = '';
    923923                        $alt   = esc_attr( wp_unslash( $_POST['alt'] ) );
    function wp_media_upload_handler() { 
    942942                         * @param string $align The image alignment. Default 'alignnone'. Possible values include
    943943                         *                      'alignleft', 'aligncenter', 'alignright', 'alignnone'.
    944944                         */
    945                         $html = apply_filters( 'image_send_to_editor_url', $html, esc_url_raw( $src ), $alt, $align );
     945                        $html = apply_filters( 'image_send_to_editor_url', $html, sanitize_url( $src ), $alt, $align );
    946946                }
    947947
    948948                return media_send_to_editor( $html );
  • src/wp-admin/includes/post.php

    diff --git a/src/wp-admin/includes/post.php b/src/wp-admin/includes/post.php
    index 6621d8e090..a4dd6a0519 100644
    a b function edit_post( $post_data = null ) { 
    322322        foreach ( $format_meta_urls as $format_meta_url ) {
    323323                $keyed = '_format_' . $format_meta_url;
    324324                if ( isset( $post_data[ $keyed ] ) ) {
    325                         update_post_meta( $post_ID, $keyed, wp_slash( esc_url_raw( wp_unslash( $post_data[ $keyed ] ) ) ) );
     325                        update_post_meta( $post_ID, $keyed, wp_slash( sanitize_url( wp_unslash( $post_data[ $keyed ] ) ) ) );
    326326                }
    327327        }
    328328
  • src/wp-admin/includes/privacy-tools.php

    diff --git a/src/wp-admin/includes/privacy-tools.php b/src/wp-admin/includes/privacy-tools.php
    index 8b78752a85..f974ea8a5d 100644
    a b All at ###SITENAME### 
    706706        $content = apply_filters( 'wp_privacy_personal_data_email_content', $email_text, $request_id, $email_data );
    707707
    708708        $content = str_replace( '###EXPIRATION###', $expiration_date, $content );
    709         $content = str_replace( '###LINK###', esc_url_raw( $export_file_url ), $content );
     709        $content = str_replace( '###LINK###', sanitize_url( $export_file_url ), $content );
    710710        $content = str_replace( '###EMAIL###', $request_email, $content );
    711711        $content = str_replace( '###SITENAME###', $site_name, $content );
    712         $content = str_replace( '###SITEURL###', esc_url_raw( $site_url ), $content );
     712        $content = str_replace( '###SITEURL###', sanitize_url( $site_url ), $content );
    713713
    714714        $headers = '';
    715715
  • src/wp-admin/includes/theme.php

    diff --git a/src/wp-admin/includes/theme.php b/src/wp-admin/includes/theme.php
    index 3886a8eeff..177eb44cf9 100644
    a b function wp_prepare_themes_for_js( $themes = null ) { 
    712712                        $customize_action = esc_url(
    713713                                add_query_arg(
    714714                                        array(
    715                                                 'return' => urlencode( esc_url_raw( remove_query_arg( wp_removable_query_args(), wp_unslash( $_SERVER['REQUEST_URI'] ) ) ) ),
     715                                                'return' => urlencode( sanitize_url( remove_query_arg( wp_removable_query_args(), wp_unslash( $_SERVER['REQUEST_URI'] ) ) ) ),
    716716                                        ),
    717717                                        wp_customize_url( $slug )
    718718                                )
  • src/wp-admin/includes/user.php

    diff --git a/src/wp-admin/includes/user.php b/src/wp-admin/includes/user.php
    index 64b91fce19..ed6a91a4e2 100644
    a b function edit_user( $user_id = 0 ) { 
    8484                if ( empty( $_POST['url'] ) || 'http://' === $_POST['url'] ) {
    8585                        $user->user_url = '';
    8686                } else {
    87                         $user->user_url = esc_url_raw( $_POST['url'] );
     87                        $user->user_url = sanitize_url( $_POST['url'] );
    8888                        $protocols      = implode( '|', array_map( 'preg_quote', wp_allowed_protocols() ) );
    8989                        $user->user_url = preg_match( '/^(' . $protocols . '):/is', $user->user_url ) ? $user->user_url : 'http://' . $user->user_url;
    9090                }
  • src/wp-admin/network/site-info.php

    diff --git a/src/wp-admin/network/site-info.php b/src/wp-admin/network/site-info.php
    index b99f35ab20..8cad4ead2a 100644
    a b if ( isset( $_REQUEST['action'] ) && 'update-site' === $_REQUEST['action'] ) { 
    9090        $old_home_parsed = parse_url( $old_home_url );
    9191
    9292        if ( $old_home_parsed['host'] === $existing_details->domain && $old_home_parsed['path'] === $existing_details->path ) {
    93                 $new_home_url = untrailingslashit( esc_url_raw( $blog_data['scheme'] . '://' . $new_details->domain . $new_details->path ) );
     93                $new_home_url = untrailingslashit( sanitize_url( $blog_data['scheme'] . '://' . $new_details->domain . $new_details->path ) );
    9494                update_option( 'home', $new_home_url );
    9595        }
    9696
    if ( isset( $_REQUEST['action'] ) && 'update-site' === $_REQUEST['action'] ) { 
    9898        $old_site_parsed = parse_url( $old_site_url );
    9999
    100100        if ( $old_site_parsed['host'] === $existing_details->domain && $old_site_parsed['path'] === $existing_details->path ) {
    101                 $new_site_url = untrailingslashit( esc_url_raw( $blog_data['scheme'] . '://' . $new_details->domain . $new_details->path ) );
     101                $new_site_url = untrailingslashit( sanitize_url( $blog_data['scheme'] . '://' . $new_details->domain . $new_details->path ) );
    102102                update_option( 'siteurl', $new_site_url );
    103103        }
    104104
  • src/wp-admin/term.php

    diff --git a/src/wp-admin/term.php b/src/wp-admin/term.php
    index 55d1a7eb94..4d29b5d996 100644
    a b if ( empty( $_REQUEST['tag_ID'] ) ) { 
    2020                $sendback = add_query_arg( 'post_type', get_current_screen()->post_type, $sendback );
    2121        }
    2222
    23         wp_redirect( esc_url_raw( $sendback ) );
     23        wp_redirect( sanitize_url( $sendback ) );
    2424        exit;
    2525}
    2626
  • src/wp-admin/upgrade.php

    diff --git a/src/wp-admin/upgrade.php b/src/wp-admin/upgrade.php
    index e816c69d0b..1b1565aa45 100644
    a b else : 
    133133                case 0:
    134134                        $goback = wp_get_referer();
    135135                        if ( $goback ) {
    136                                 $goback = esc_url_raw( $goback );
     136                                $goback = sanitize_url( $goback );
    137137                                $goback = urlencode( $goback );
    138138                        }
    139139                        ?>
  • src/wp-admin/user-edit.php

    diff --git a/src/wp-admin/user-edit.php b/src/wp-admin/user-edit.php
    index c2e9e0c3a7..49faa4e22b 100644
    a b switch ( $action ) { 
    209209                                        <p><strong><?php _e( 'User updated.' ); ?></strong></p>
    210210                                <?php endif; ?>
    211211                                <?php if ( $wp_http_referer && false === strpos( $wp_http_referer, 'user-new.php' ) && ! IS_PROFILE_PAGE ) : ?>
    212                                         <p><a href="<?php echo esc_url( wp_validate_redirect( esc_url_raw( $wp_http_referer ), self_admin_url( 'users.php' ) ) ); ?>"><?php _e( '&larr; Go to Users' ); ?></a></p>
     212                                        <p><a href="<?php echo esc_url( wp_validate_redirect( sanitize_url( $wp_http_referer ), self_admin_url( 'users.php' ) ) ); ?>"><?php _e( '&larr; Go to Users' ); ?></a></p>
    213213                                <?php endif; ?>
    214214                        </div>
    215215                <?php endif; ?>
  • src/wp-includes/class-wp-customize-manager.php

    diff --git a/src/wp-includes/class-wp-customize-manager.php b/src/wp-includes/class-wp-customize-manager.php
    index 03732ca08a..7809608e69 100644
    a b final class WP_Customize_Manager { 
    21112111                $exported_setting_validities = array_map( array( $this, 'prepare_setting_validity_for_js' ), $setting_validities );
    21122112
    21132113                // Note that the REQUEST_URI is not passed into home_url() since this breaks subdirectory installations.
    2114                 $self_url           = empty( $_SERVER['REQUEST_URI'] ) ? home_url( '/' ) : esc_url_raw( wp_unslash( $_SERVER['REQUEST_URI'] ) );
     2114                $self_url           = empty( $_SERVER['REQUEST_URI'] ) ? home_url( '/' ) : sanitize_url( wp_unslash( $_SERVER['REQUEST_URI'] ) );
    21152115                $state_query_params = array(
    21162116                        'customize_theme',
    21172117                        'customize_changeset_uuid',
    final class WP_Customize_Manager { 
    21582158                        ),
    21592159                        'url'               => array(
    21602160                                'self'          => $self_url,
    2161                                 'allowed'       => array_map( 'esc_url_raw', $this->get_allowed_urls() ),
     2161                                'allowed'       => array_map( 'sanitize_url', $this->get_allowed_urls() ),
    21622162                                'allowedHosts'  => array_unique( $allowed_hosts ),
    21632163                                'isCrossDomain' => $this->is_cross_domain(),
    21642164                        ),
    final class WP_Customize_Manager { 
    45744574         * @param string $preview_url URL to be previewed.
    45754575         */
    45764576        public function set_preview_url( $preview_url ) {
    4577                 $preview_url       = esc_url_raw( $preview_url );
     4577                $preview_url       = sanitize_url( $preview_url );
    45784578                $this->preview_url = wp_validate_redirect( $preview_url, home_url( '/' ) );
    45794579        }
    45804580
    final class WP_Customize_Manager { 
    46624662         * @param string $return_url URL for return link.
    46634663         */
    46644664        public function set_return_url( $return_url ) {
    4665                 $return_url       = esc_url_raw( $return_url );
     4665                $return_url       = sanitize_url( $return_url );
    46664666                $return_url       = remove_query_arg( wp_removable_query_args(), $return_url );
    46674667                $return_url       = wp_validate_redirect( $return_url );
    46684668                $this->return_url = $return_url;
    final class WP_Customize_Manager { 
    48944894                                '_canInstall' => current_user_can( 'install_themes' ),
    48954895                        ),
    48964896                        'url'                    => array(
    4897                                 'preview'       => esc_url_raw( $this->get_preview_url() ),
    4898                                 'return'        => esc_url_raw( $this->get_return_url() ),
    4899                                 'parent'        => esc_url_raw( admin_url() ),
    4900                                 'activated'     => esc_url_raw( home_url( '/' ) ),
    4901                                 'ajax'          => esc_url_raw( admin_url( 'admin-ajax.php', 'relative' ) ),
    4902                                 'allowed'       => array_map( 'esc_url_raw', $this->get_allowed_urls() ),
     4897                                'preview'       => sanitize_url( $this->get_preview_url() ),
     4898                                'return'        => sanitize_url( $this->get_return_url() ),
     4899                                'parent'        => sanitize_url( admin_url() ),
     4900                                'activated'     => sanitize_url( home_url( '/' ) ),
     4901                                'ajax'          => sanitize_url( admin_url( 'admin-ajax.php', 'relative' ) ),
     4902                                'allowed'       => array_map( 'sanitize_url', $this->get_allowed_urls() ),
    49034903                                'isCrossDomain' => $this->is_cross_domain(),
    4904                                 'home'          => esc_url_raw( home_url( '/' ) ),
    4905                                 'login'         => esc_url_raw( $login_url ),
     4904                                'home'          => sanitize_url( home_url( '/' ) ),
     4905                                'login'         => sanitize_url( $login_url ),
    49064906                        ),
    49074907                        'browser'                => array(
    49084908                                'mobile' => wp_is_mobile(),
    final class WP_Customize_Manager { 
    60066006                                return new WP_Error( 'invalid_value', __( 'Invalid value for background size.' ) );
    60076007                        }
    60086008                } elseif ( 'background_image' === $setting->id || 'background_image_thumb' === $setting->id ) {
    6009                         $value = empty( $value ) ? '' : esc_url_raw( $value );
     6009                        $value = empty( $value ) ? '' : sanitize_url( $value );
    60106010                } else {
    60116011                        return new WP_Error( 'unrecognized_setting', __( 'Unrecognized background setting.' ) );
    60126012                }
    final class WP_Customize_Manager { 
    60796079         * @return mixed
    60806080         */
    60816081        public function _validate_external_header_video( $validity, $value ) {
    6082                 $video = esc_url_raw( $value );
     6082                $video = sanitize_url( $value );
    60836083                if ( $video ) {
    60846084                        if ( ! preg_match( '#^https?://(?:www\.)?(?:youtube\.com/watch|youtu\.be/)#', $video ) ) {
    60856085                                $validity->add( 'invalid_url', __( 'Please enter a valid YouTube URL.' ) );
    final class WP_Customize_Manager { 
    60976097         * @return string Sanitized URL.
    60986098         */
    60996099        public function _sanitize_external_header_video( $value ) {
    6100                 return esc_url_raw( trim( $value ) );
     6100                return sanitize_url( trim( $value ) );
    61016101        }
    61026102
    61036103        /**
  • src/wp-includes/class-wp-theme.php

    diff --git a/src/wp-includes/class-wp-theme.php b/src/wp-includes/class-wp-theme.php
    index c2398fb4eb..2e313c4c3b 100644
    a b final class WP_Theme implements ArrayAccess { 
    888888                                break;
    889889                        case 'ThemeURI':
    890890                        case 'AuthorURI':
    891                                 $value = esc_url_raw( $value );
     891                                $value = sanitize_url( $value );
    892892                                break;
    893893                        case 'Tags':
    894894                                $value = array_filter( array_map( 'trim', explode( ',', strip_tags( $value ) ) ) );
  • src/wp-includes/customize/class-wp-customize-nav-menu-item-setting.php

    diff --git a/src/wp-includes/customize/class-wp-customize-nav-menu-item-setting.php b/src/wp-includes/customize/class-wp-customize-nav-menu-item-setting.php
    index 8e35e32238..b0e3ae4a5e 100644
    a b class WP_Customize_Nav_Menu_Item_Setting extends WP_Customize_Setting { 
    726726                $menu_item_value['description'] = wp_unslash( apply_filters( 'content_save_pre', wp_slash( $menu_item_value['description'] ) ) );
    727727
    728728                if ( '' !== $menu_item_value['url'] ) {
    729                         $menu_item_value['url'] = esc_url_raw( $menu_item_value['url'] );
     729                        $menu_item_value['url'] = sanitize_url( $menu_item_value['url'] );
    730730                        if ( '' === $menu_item_value['url'] ) {
    731731                                return new WP_Error( 'invalid_url', __( 'Invalid URL.' ) ); // Fail sanitization if URL is invalid.
    732732                        }
  • src/wp-includes/default-filters.php

    diff --git a/src/wp-includes/default-filters.php b/src/wp-includes/default-filters.php
    index 391796517c..25d98ede38 100644
    a b foreach ( array( 
    7272        'pre_post_guid',
    7373) as $filter ) {
    7474        add_filter( $filter, 'wp_strip_all_tags' );
    75         add_filter( $filter, 'esc_url_raw' );
     75        add_filter( $filter, 'sanitize_url' );
    7676        add_filter( $filter, 'wp_filter_kses' );
    7777}
    7878
  • src/wp-includes/deprecated.php

    diff --git a/src/wp-includes/deprecated.php b/src/wp-includes/deprecated.php
    index ec4c4678f5..ff6ce82497 100644
    a b function get_link( $bookmark_id, $output = OBJECT, $filter = 'raw' ) { 
    20412041 */
    20422042function clean_url( $url, $protocols = null, $context = 'display' ) {
    20432043        if ( $context == 'db' )
    2044                 _deprecated_function( 'clean_url( $context = \'db\' )', '3.0.0', 'esc_url_raw()' );
     2044                _deprecated_function( 'clean_url( $context = \'db\' )', '3.0.0', 'sanitize_url()' );
    20452045        else
    20462046                _deprecated_function( __FUNCTION__, '3.0.0', 'esc_url()' );
    20472047        return esc_url( $url, $protocols, $context );
  • src/wp-includes/embed.php

    diff --git a/src/wp-includes/embed.php b/src/wp-includes/embed.php
    index bc0806e1e2..f894578ad8 100644
    a b function get_post_embed_url( $post = null ) { 
    426426         * @param string  $embed_url The post embed URL.
    427427         * @param WP_Post $post      The corresponding post object.
    428428         */
    429         return esc_url_raw( apply_filters( 'post_embed_url', $embed_url, $post ) );
     429        return sanitize_url( apply_filters( 'post_embed_url', $embed_url, $post ) );
    430430}
    431431
    432432/**
  • src/wp-includes/general-template.php

    diff --git a/src/wp-includes/general-template.php b/src/wp-includes/general-template.php
    index d2ad7373f2..6ab4f4dd39 100644
    a b function get_the_generator( $type = '' ) { 
    47594759                        $gen = '<generator uri="https://wordpress.org/" version="' . esc_attr( get_bloginfo_rss( 'version' ) ) . '">WordPress</generator>';
    47604760                        break;
    47614761                case 'rss2':
    4762                         $gen = '<generator>' . esc_url_raw( 'https://wordpress.org/?v=' . get_bloginfo_rss( 'version' ) ) . '</generator>';
     4762                        $gen = '<generator>' . sanitize_url( 'https://wordpress.org/?v=' . get_bloginfo_rss( 'version' ) ) . '</generator>';
    47634763                        break;
    47644764                case 'rdf':
    4765                         $gen = '<admin:generatorAgent rdf:resource="' . esc_url_raw( 'https://wordpress.org/?v=' . get_bloginfo_rss( 'version' ) ) . '" />';
     4765                        $gen = '<admin:generatorAgent rdf:resource="' . sanitize_url( 'https://wordpress.org/?v=' . get_bloginfo_rss( 'version' ) ) . '" />';
    47664766                        break;
    47674767                case 'comment':
    47684768                        $gen = '<!-- generator="WordPress/' . esc_attr( get_bloginfo( 'version' ) ) . '" -->';
  • src/wp-includes/link-template.php

    diff --git a/src/wp-includes/link-template.php b/src/wp-includes/link-template.php
    index dbebd3bded..fc1a89fd29 100644
    a b function adjacent_post_link( $format, $link, $in_same_term = false, $excluded_te 
    23432343 *
    23442344 * @param int  $pagenum Optional. Page number. Default 1.
    23452345 * @param bool $escape  Optional. Whether to escape the URL for display, with esc_url(). Defaults to true.
    2346  *                      Otherwise, prepares the URL with esc_url_raw().
     2346 *                      Otherwise, prepares the URL with sanitize_url().
    23472347 * @return string The link URL for the given page number.
    23482348 */
    23492349function get_pagenum_link( $pagenum = 1, $escape = true ) {
    function get_pagenum_link( $pagenum = 1, $escape = true ) { 
    24102410        if ( $escape ) {
    24112411                return esc_url( $result );
    24122412        } else {
    2413                 return esc_url_raw( $result );
     2413                return sanitize_url( $result );
    24142414        }
    24152415}
    24162416
  • src/wp-includes/ms-deprecated.php

    diff --git a/src/wp-includes/ms-deprecated.php b/src/wp-includes/ms-deprecated.php
    index c06f35ddc5..9085545bdd 100644
    a b function get_blogaddress_by_domain( $domain, $path ) { 
    378378                        $url = 'http://' . $domain . $path;
    379379                }
    380380        }
    381         return esc_url_raw( $url );
     381        return sanitize_url( $url );
    382382}
    383383
    384384/**
  • src/wp-includes/nav-menu.php

    diff --git a/src/wp-includes/nav-menu.php b/src/wp-includes/nav-menu.php
    index 24a7fc66ef..63969287d7 100644
    a b function wp_update_nav_menu_item( $menu_id = 0, $menu_item_db_id = 0, $menu_item 
    573573        $args['menu-item-xfn']     = implode( ' ', array_map( 'sanitize_html_class', explode( ' ', $args['menu-item-xfn'] ) ) );
    574574        update_post_meta( $menu_item_db_id, '_menu_item_classes', $args['menu-item-classes'] );
    575575        update_post_meta( $menu_item_db_id, '_menu_item_xfn', $args['menu-item-xfn'] );
    576         update_post_meta( $menu_item_db_id, '_menu_item_url', esc_url_raw( $args['menu-item-url'] ) );
     576        update_post_meta( $menu_item_db_id, '_menu_item_url', sanitize_url( $args['menu-item-url'] ) );
    577577
    578578        if ( 0 == $menu_id ) {
    579579                update_post_meta( $menu_item_db_id, '_menu_item_orphaned', (string) time() );
  • src/wp-includes/rest-api.php

    diff --git a/src/wp-includes/rest-api.php b/src/wp-includes/rest-api.php
    index f05142baac..81156911c3 100644
    a b function rest_send_cors_headers( $value ) { 
    710710        if ( $origin ) {
    711711                // Requests from file:// and data: URLs send "Origin: null".
    712712                if ( 'null' !== $origin ) {
    713                         $origin = esc_url_raw( $origin );
     713                        $origin = sanitize_url( $origin );
    714714                }
    715715                header( 'Access-Control-Allow-Origin: ' . $origin );
    716716                header( 'Access-Control-Allow-Methods: OPTIONS, GET, POST, PUT, PATCH, DELETE' );
    function rest_output_link_header() { 
    993993                return;
    994994        }
    995995
    996         header( sprintf( 'Link: <%s>; rel="https://api.w.org/"', esc_url_raw( $api_root ) ), false );
     996        header( sprintf( 'Link: <%s>; rel="https://api.w.org/"', sanitize_url( $api_root ) ), false );
    997997
    998998        $resource = rest_get_queried_resource_route();
    999999
    10001000        if ( $resource ) {
    1001                 header( sprintf( 'Link: <%s>; rel="alternate"; type="application/json"', esc_url_raw( rest_url( $resource ) ) ), false );
     1001                header( sprintf( 'Link: <%s>; rel="alternate"; type="application/json"', sanitize_url( rest_url( $resource ) ) ), false );
    10021002        }
    10031003}
    10041004
    function rest_sanitize_value_from_schema( $value, $args, $param = '' ) { 
    27952795                                return sanitize_text_field( $value );
    27962796
    27972797                        case 'uri':
    2798                                 return esc_url_raw( $value );
     2798                                return sanitize_url( $value );
    27992799
    28002800                        case 'ip':
    28012801                                return sanitize_text_field( $value );
  • src/wp-includes/rest-api/class-wp-rest-server.php

    diff --git a/src/wp-includes/rest-api/class-wp-rest-server.php b/src/wp-includes/rest-api/class-wp-rest-server.php
    index c38914c7bf..19b362a4ca 100644
    a b class WP_REST_Server { 
    284284
    285285                $api_root = get_rest_url();
    286286                if ( ! empty( $api_root ) ) {
    287                         $this->send_header( 'Link', '<' . esc_url_raw( $api_root ) . '>; rel="https://api.w.org/"' );
     287                        $this->send_header( 'Link', '<' . sanitize_url( $api_root ) . '>; rel="https://api.w.org/"' );
    288288                }
    289289
    290290                /*
  • src/wp-includes/rest-api/endpoints/class-wp-rest-menu-items-controller.php

    diff --git a/src/wp-includes/rest-api/endpoints/class-wp-rest-menu-items-controller.php b/src/wp-includes/rest-api/endpoints/class-wp-rest-menu-items-controller.php
    index f25be71bef..825833505d 100644
    a b class WP_REST_Menu_Items_Controller extends WP_REST_Posts_Controller { 
    860860                                                return true;
    861861                                        }
    862862
    863                                         if ( esc_url_raw( $url ) ) {
     863                                        if ( sanitize_url( $url ) ) {
    864864                                                return true;
    865865                                        }
    866866
  • src/wp-includes/rest-api/endpoints/class-wp-rest-url-details-controller.php

    diff --git a/src/wp-includes/rest-api/endpoints/class-wp-rest-url-details-controller.php b/src/wp-includes/rest-api/endpoints/class-wp-rest-url-details-controller.php
    index b7d58faefa..c9ac6675d0 100644
    a b class WP_REST_URL_Details_Controller extends WP_REST_Controller { 
    4545                                                        'required'          => true,
    4646                                                        'description'       => __( 'The URL to process.' ),
    4747                                                        'validate_callback' => 'wp_http_validate_url',
    48                                                         'sanitize_callback' => 'esc_url_raw',
     48                                                        'sanitize_callback' => 'sanitize_url',
    4949                                                        'type'              => 'string',
    5050                                                        'format'            => 'uri',
    5151                                                ),
  • src/wp-includes/script-loader.php

    diff --git a/src/wp-includes/script-loader.php b/src/wp-includes/script-loader.php
    index ae68e688f8..61e8a1d210 100644
    a b function wp_default_packages_inline_scripts( $scripts ) { 
    337337                'wp-api-fetch',
    338338                sprintf(
    339339                        'wp.apiFetch.use( wp.apiFetch.createRootURLMiddleware( "%s" ) );',
    340                         esc_url_raw( get_rest_url() )
     340                        sanitize_url( get_rest_url() )
    341341                ),
    342342                'after'
    343343        );
    function wp_default_scripts( $scripts ) { 
    750750                'wp-api-request',
    751751                'wpApiSettings',
    752752                array(
    753                         'root'          => esc_url_raw( get_rest_url() ),
     753                        'root'          => sanitize_url( get_rest_url() ),
    754754                        'nonce'         => wp_installing() ? '' : wp_create_nonce( 'wp_rest' ),
    755755                        'versionString' => 'wp/v2/',
    756756                )
  • src/wp-includes/theme.php

    diff --git a/src/wp-includes/theme.php b/src/wp-includes/theme.php
    index 55e2d13789..2e7e1dbbb8 100644
    a b function get_header_image() { 
    11791179                $url = get_random_header_image();
    11801180        }
    11811181
    1182         return esc_url_raw( set_url_scheme( $url ) );
     1182        return sanitize_url( set_url_scheme( $url ) );
    11831183}
    11841184
    11851185/**
    function get_uploaded_header_images() { 
    14281428        }
    14291429
    14301430        foreach ( (array) $headers as $header ) {
    1431                 $url          = esc_url_raw( wp_get_attachment_url( $header->ID ) );
     1431                $url          = sanitize_url( wp_get_attachment_url( $header->ID ) );
    14321432                $header_data  = wp_get_attachment_metadata( $header->ID );
    14331433                $header_index = $header->ID;
    14341434
    function get_header_video_url() { 
    15891589                return false;
    15901590        }
    15911591
    1592         return esc_url_raw( set_url_scheme( $url ) );
     1592        return sanitize_url( set_url_scheme( $url ) );
    15931593}
    15941594
    15951595/**
    function _custom_background_cb() { 
    18061806        $style = $color ? "background-color: #$color;" : '';
    18071807
    18081808        if ( $background ) {
    1809                 $image = ' background-image: url("' . esc_url_raw( $background ) . '");';
     1809                $image = ' background-image: url("' . sanitize_url( $background ) . '");';
    18101810
    18111811                // Background Position.
    18121812                $position_x = get_theme_mod( 'background_position_x', get_theme_support( 'custom-background', 'default-position-x' ) );
    function get_editor_stylesheets() { 
    21462146                // Support externally referenced styles (like, say, fonts).
    21472147                foreach ( $editor_styles as $key => $file ) {
    21482148                        if ( preg_match( '~^(https?:)?//~', $file ) ) {
    2149                                 $stylesheets[] = esc_url_raw( $file );
     2149                                $stylesheets[] = sanitize_url( $file );
    21502150                                unset( $editor_styles[ $key ] );
    21512151                        }
    21522152                }
  • src/wp-includes/update.php

    diff --git a/src/wp-includes/update.php b/src/wp-includes/update.php
    index 1c9a7cbeb6..04c8aa3ec2 100644
    a b function wp_update_plugins( $extra_stats = array() ) { 
    430430                        continue;
    431431                }
    432432
    433                 $hostname = wp_parse_url( esc_url_raw( $plugin_data['UpdateURI'] ), PHP_URL_HOST );
     433                $hostname = wp_parse_url( sanitize_url( $plugin_data['UpdateURI'] ), PHP_URL_HOST );
    434434
    435435                /**
    436436                 * Filters the update response for a given plugin hostname.
  • src/wp-includes/user.php

    diff --git a/src/wp-includes/user.php b/src/wp-includes/user.php
    index 0511a8a890..b36619ac9a 100644
    a b All at ###SITENAME### 
    41584158        $content = str_replace( '###SITENAME###', $email_data['sitename'], $content );
    41594159        $content = str_replace( '###USER_EMAIL###', $email_data['user_email'], $content );
    41604160        $content = str_replace( '###DESCRIPTION###', $email_data['description'], $content );
    4161         $content = str_replace( '###MANAGE_URL###', esc_url_raw( $email_data['manage_url'] ), $content );
    4162         $content = str_replace( '###SITEURL###', esc_url_raw( $email_data['siteurl'] ), $content );
     4161        $content = str_replace( '###MANAGE_URL###', sanitize_url( $email_data['manage_url'] ), $content );
     4162        $content = str_replace( '###SITEURL###', sanitize_url( $email_data['siteurl'] ), $content );
    41634163
    41644164        $headers = '';
    41654165
    All at ###SITENAME### 
    43994399
    44004400        $content = str_replace( '###SITENAME###', $email_data['sitename'], $content );
    44014401        $content = str_replace( '###PRIVACY_POLICY_URL###', $email_data['privacy_policy_url'], $content );
    4402         $content = str_replace( '###SITEURL###', esc_url_raw( $email_data['siteurl'] ), $content );
     4402        $content = str_replace( '###SITEURL###', sanitize_url( $email_data['siteurl'] ), $content );
    44034403
    44044404        $headers = '';
    44054405
    All at ###SITENAME### 
    47204720        $content = apply_filters( 'user_request_action_email_content', $content, $email_data );
    47214721
    47224722        $content = str_replace( '###DESCRIPTION###', $email_data['description'], $content );
    4723         $content = str_replace( '###CONFIRM_URL###', esc_url_raw( $email_data['confirm_url'] ), $content );
     4723        $content = str_replace( '###CONFIRM_URL###', sanitize_url( $email_data['confirm_url'] ), $content );
    47244724        $content = str_replace( '###EMAIL###', $email_data['email'], $content );
    47254725        $content = str_replace( '###SITENAME###', $email_data['sitename'], $content );
    4726         $content = str_replace( '###SITEURL###', esc_url_raw( $email_data['siteurl'] ), $content );
     4726        $content = str_replace( '###SITEURL###', sanitize_url( $email_data['siteurl'] ), $content );
    47274727
    47284728        $headers = '';
    47294729
  • src/wp-includes/widgets.php

    diff --git a/src/wp-includes/widgets.php b/src/wp-includes/widgets.php
    index 4aaa6112b2..639c59afa1 100644
    a b function wp_widget_rss_process( $widget_rss, $check_feed = true ) { 
    17671767        if ( $items < 1 || 20 < $items ) {
    17681768                $items = 10;
    17691769        }
    1770         $url          = esc_url_raw( strip_tags( $widget_rss['url'] ) );
     1770        $url          = sanitize_url( strip_tags( $widget_rss['url'] ) );
    17711771        $title        = isset( $widget_rss['title'] ) ? trim( strip_tags( $widget_rss['title'] ) ) : '';
    17721772        $show_summary = isset( $widget_rss['show_summary'] ) ? (int) $widget_rss['show_summary'] : 0;
    17731773        $show_author  = isset( $widget_rss['show_author'] ) ? (int) $widget_rss['show_author'] : 0;
  • src/wp-login.php

    diff --git a/src/wp-login.php b/src/wp-login.php
    index f744c684db..c805921727 100644
    a b function login_footer( $input_id = '' ) { 
    360360                                        <?php } ?>
    361361
    362362                                        <?php if ( isset( $_GET['redirect_to'] ) && '' !== $_GET['redirect_to'] ) { ?>
    363                                                 <input type="hidden" name="redirect_to" value="<?php echo esc_url_raw( $_GET['redirect_to'] ); ?>" />
     363                                                <input type="hidden" name="redirect_to" value="<?php echo sanitize_url( $_GET['redirect_to'] ); ?>" />
    364364                                        <?php } ?>
    365365
    366366                                        <?php if ( isset( $_GET['action'] ) && '' !== $_GET['action'] ) { ?>