WordPress.org

Make WordPress Core

Changeset 51597


Ignore:
Timestamp:
08/10/2021 07:43:33 PM (4 months ago)
Author:
SergeyBiryukov
Message:

General: Restore (un-deprecate) the sanitize_url() function.

A general security rule is "Sanitize when you save, escape when you echo", and for the most part WordPress has well-named functions like sanitize_email() and others, with esc_url_raw() being a single exception that does not follow the naming.

This commit restores the previously deprecated sanitize_url() function as a valid alias of esc_url_raw().

This better aligns with the naming with other sanitize_*() functions:

  • sanitize_bookmark()
  • sanitize_bookmark_field()
  • sanitize_category()
  • sanitize_category_field()
  • sanitize_comment_cookies()
  • sanitize_email()
  • sanitize_file_name()
  • sanitize_hex_color()
  • sanitize_hex_color_no_hash()
  • sanitize_html_class()
  • sanitize_key()
  • sanitize_meta()
  • sanitize_mime_type()
  • sanitize_option()
  • sanitize_post()
  • sanitize_post_field()
  • sanitize_sql_orderby()
  • sanitize_term()
  • sanitize_term_field()
  • sanitize_text_field()
  • sanitize_textarea_field()
  • sanitize_title()
  • sanitize_title_for_query()
  • sanitize_title_with_dashes()
  • sanitize_trackback_urls()
  • sanitize_user()
  • sanitize_user_field()

Follow-up to [11383], [13096].

Props Ipstenu, aadilali.
Fixes #53876.

Location:
trunk/src/wp-includes
Files:
2 edited

Legend:

Unmodified
Added
Removed
  • trunk/src/wp-includes/deprecated.php

    r51348 r51597  
    20252025
    20262026/**
    2027  * Performs esc_url() for database or redirect usage.
    2028  *
    2029  * @since 2.3.1
    2030  * @deprecated 2.8.0 Use esc_url_raw()
    2031  * @see esc_url_raw()
    2032  *
    2033  * @param string $url The URL to be cleaned.
    2034  * @param array $protocols An array of acceptable protocols.
    2035  * @return string The cleaned URL.
    2036  */
    2037 function sanitize_url( $url, $protocols = null ) {
    2038     _deprecated_function( __FUNCTION__, '2.8.0', 'esc_url_raw()' );
    2039     return esc_url_raw( $url, $protocols );
    2040 }
    2041 
    2042 /**
    20432027 * Checks and cleans a URL.
    20442028 *
  • trunk/src/wp-includes/formatting.php

    r51589 r51597  
    44054405
    44064406/**
    4407  * Performs esc_url() for database usage.
     4407 * Performs esc_url() for database or redirect usage.
    44084408 *
    44094409 * @since 2.8.0
     
    44184418function esc_url_raw( $url, $protocols = null ) {
    44194419    return esc_url( $url, $protocols, 'db' );
     4420}
     4421
     4422/**
     4423 * Performs esc_url() for database or redirect usage.
     4424 *
     4425 * This function is an alias for esc_url_raw().
     4426 *
     4427 * @since 2.3.1
     4428 * @since 2.8.0 Deprecated in favor of esc_url_raw().
     4429 * @since 5.9.0 Restored (un-deprecated).
     4430 *
     4431 * @see esc_url_raw()
     4432 *
     4433 * @param string   $url       The URL to be cleaned.
     4434 * @param string[] $protocols Optional. An array of acceptable protocols.
     4435 *                            Defaults to return value of wp_allowed_protocols().
     4436 * @return string The cleaned URL after esc_url() is run with the 'db' context.
     4437 */
     4438function sanitize_url( $url, $protocols = null ) {
     4439    return esc_url_raw( $url, $protocols );
    44204440}
    44214441
Note: See TracChangeset for help on using the changeset viewer.