WordPress.org

Make WordPress Core

Changeset 31737


Ignore:
Timestamp:
03/11/2015 11:22:21 PM (5 years ago)
Author:
azaozz
Message:

PressThis: update _limit_url(), use esc_url_raw(). Fixes checking of urlencoded strings.
See #31373.

File:
1 edited

Legend:

Unmodified
Added
Removed
  • trunk/src/wp-admin/includes/class-wp-press-this.php

    r31693 r31737  
    343343        }
    344344
    345         $url = $this->_limit_string( $url );
    346 
    347345        // HTTP 1.1 allows 8000 chars but the "de-facto" standard supported in all current browsers is 2048.
    348         if ( mb_strlen( $url ) > 2048 ) {
     346        if ( strlen( $url ) > 2048 ) {
    349347            return ''; // Return empty rather than a trunacted/invalid URL
    350348        }
    351349
    352         // Only allow http(s) or protocol relative URLs.
    353         if ( ! preg_match( '%^(https?:)?//%i', $url ) ) {
     350        // Does it look like an URL?
     351        if ( ! preg_match( '/^([!#$&-;=?-\[\]_a-z~]|%[0-9a-fA-F]{2})+$/', $url ) ) {
    354352            return '';
    355353        }
    356354
    357         if ( strpos( $url, '"' ) !== false || strpos( $url, ' ' ) !== false ) {
    358             return '';
    359         }
    360 
    361         return $url;
     355        return esc_url_raw( $url, array( 'http', 'https' ) );
    362356    }
    363357
Note: See TracChangeset for help on using the changeset viewer.