Make WordPress Core


Timestamp: 05/31/2022 03:15:58 PM (2 years ago)
Author: SergeyBiryukov
Message:

Formatting: Make sanitize_url() the recommended function for sanitizing a URL.

A general security rule is "Sanitize when you save, escape when you echo".

In WordPress 5.9, sanitize_url() was un-deprecated in order to better align with the naming of other sanitizing functions, while still being an alias for esc_url_raw().

This commit reverses the order and turns esc_url_raw() into a wrapper for sanitize_url(), making the latter the canonical function call and aiming to improve performance by reducing the number of function calls required when using the recommended technique.

Follow-up to [11383], [13096], [51597].

Props benjgrolleau, peterwilsoncc, SergeyBiryukov.
See #55852.
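The rule the message quotes, "sanitize when you save, escape when you echo", maps directly onto the two functions this changeset touches: sanitize_url() (esc_url() in the 'db' context) on the way in, esc_url() (display context) on the way out. The settings handler below is an added example and is not code from the changeset or from WordPress core; it assumes it runs inside WordPress, where sanitize_url(), esc_url(), register_setting(), get_option() and wp_safe_redirect() are defined, and the option name, setting group and example_* function names are invented for the illustration.

```php
<?php
/**
 * Added example, not part of the changeset or of WordPress core.
 * Assumes a loaded WordPress environment (sanitize_url(), esc_url(),
 * register_setting(), get_option(), wp_safe_redirect() all defined).
 * 'example_homepage_url', 'example_settings' and the example_* function
 * names are hypothetical.
 */

// SAVE: sanitize_url() is esc_url() with the 'db' context. It strips
// characters that cannot appear in a URL, rejects disallowed protocols
// (returning '' for e.g. "javascript:..."), and leaves '&' alone, so what
// goes into the database is the real URL, not an HTML-escaped copy of it.
function example_sanitize_homepage_url( $value ) {
    // Passing an explicit protocol list is stricter than the
    // wp_allowed_protocols() default, which also permits mailto:, ftp:, etc.
    return sanitize_url( (string) $value, array( 'http', 'https' ) );
}

add_action( 'admin_init', function () {
    register_setting(
        'example_settings',
        'example_homepage_url',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'example_sanitize_homepage_url',
            'default'           => '',
        )
    );
} );

// ECHO: esc_url() in its default display context additionally entity-encodes
// '&' and single quotes, so the stored value cannot break out of the
// attribute even though it was stored unencoded.
function example_render_homepage_link() {
    $url = get_option( 'example_homepage_url', '' );
    if ( '' === $url ) {
        return '';
    }
    return '<a href="' . esc_url( $url ) . '">Homepage</a>';
}

// REDIRECT: a Location header needs the raw URL, which is why the 'db'
// context is documented as being "for database or redirect usage". Re-running
// sanitize_url() here guards against a value written by some other path;
// wp_safe_redirect() additionally restricts the target host.
function example_redirect_to_homepage() {
    $url = get_option( 'example_homepage_url', '' );
    if ( '' === $url ) {
        return;
    }
    wp_safe_redirect( sanitize_url( $url, array( 'http', 'https' ) ) );
    exit;
}
```

The point to hold onto is that the two functions are not interchangeable even though one now calls the other: a value that has been through sanitize_url() is safe to store or to hand to a redirect, but it is only safe inside an HTML attribute after esc_url() has been applied at output time, because the 'db' context deliberately skips the entity encoding that the display context performs.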

File: 1 edited

  • trunk/src/wp-includes/formatting.php

    r53204 r53452  
    44594459
    44604460/**
    4461  * Performs esc_url() for database or redirect usage.
     4461 * Sanitizes a URL for database or redirect usage.
     4462 *
     4463 * This function is an alias for sanitize_url().
    44624464 *
    44634465 * @since 2.8.0
     4466 * @since 6.1.0 Turned into an alias for sanitize_url().
     4467 *
     4468 * @see sanitize_url()
     4469 *
     4470 * @param string   $url       The URL to be cleaned.
     4471 * @param string[] $protocols Optional. An array of acceptable protocols.
     4472 *                            Defaults to return value of wp_allowed_protocols().
     4473 * @return string The cleaned URL after sanitize_url() is run.
     4474 */
     4475function esc_url_raw( $url, $protocols = null ) {
     4476    return sanitize_url( $url, $protocols );
     4477}
     4478
     4479/**
     4480 * Sanitizes a URL for database or redirect usage.
     4481 *
     4482 * @since 2.3.1
     4483 * @since 2.8.0 Deprecated in favor of esc_url_raw().
     4484 * @since 5.9.0 Restored (un-deprecated).
    44644485 *
    44654486 * @see esc_url()
     
    44704491 * @return string The cleaned URL after esc_url() is run with the 'db' context.
    44714492 */
    4472 function esc_url_raw( $url, $protocols = null ) {
     4493function sanitize_url( $url, $protocols = null ) {
    44734494    return esc_url( $url, $protocols, 'db' );
    4474 }
    4475 
    4476 /**
    4477  * Performs esc_url() for database or redirect usage.
    4478  *
    4479  * This function is an alias for esc_url_raw().
    4480  *
    4481  * @since 2.3.1
    4482  * @since 2.8.0 Deprecated in favor of esc_url_raw().
    4483  * @since 5.9.0 Restored (un-deprecated).
    4484  *
    4485  * @see esc_url_raw()
    4486  *
    4487  * @param string   $url       The URL to be cleaned.
    4488  * @param string[] $protocols Optional. An array of acceptable protocols.
    4489  *                            Defaults to return value of wp_allowed_protocols().
    4490  * @return string The cleaned URL after esc_url() is run with the 'db' context.
    4491  */
    4492 function sanitize_url( $url, $protocols = null ) {
    4493     return esc_url_raw( $url, $protocols );
    44944495}
    44954496
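Review bot: behaviour is unchanged because the removed esc_url_raw() body and the new sanitize_url() body are the same `return esc_url( $url, $protocols, 'db' );` call, so the only effect is one fewer function call for sanitize_url() callers and one more for esc_url_raw() callers, which matches the stated intent. The thing worth verifying at call sites is that the result is still treated as a 'db'-context value: the docblock keeps "Sanitizes a URL for database or redirect usage", and a URL returned from either function must still pass through esc_url() when echoed into HTML, since the 'db' context leaves characters unencoded that the display context escapes.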