

Timestamp:
06/01/2022 06:12:25 PM (2 years ago)
Author:
SergeyBiryukov
Message:

General: Replace all esc_url_raw() calls in core with sanitize_url().

This aims to improve performance by calling sanitize_url() directly, instead of the esc_url_raw() wrapper. As of WordPress 6.1, sanitize_url() is the recommended function for sanitizing a URL for database or redirect usage.

Follow-up to [11383], [13096], [51597], [53452].

Props benjgrolleau, peterwilsoncc, SergeyBiryukov.
Fixes #55852.

File:
1 edited

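--- a/trunk/src/wp-includes/class-wp-customize-manager.php
+++ b/trunk/src/wp-includes/class-wp-customize-manager.php
@@ -2112,5 +2112,5 @@
 
         // Note that the REQUEST_URI is not passed into home_url() since this breaks subdirectory installations.
-        $self_url           = empty( $_SERVER['REQUEST_URI'] ) ? home_url( '/' ) : esc_url_raw( wp_unslash( $_SERVER['REQUEST_URI'] ) );
+        $self_url           = empty( $_SERVER['REQUEST_URI'] ) ? home_url( '/' ) : sanitize_url( wp_unslash( $_SERVER['REQUEST_URI'] ) );
         $state_query_params = array(
             'customize_theme',
@@ -2159,5 +2159,5 @@
             'url'               => array(
                 'self'          => $self_url,
-                'allowed'       => array_map( 'esc_url_raw', $this->get_allowed_urls() ),
+                'allowed'       => array_map( 'sanitize_url', $this->get_allowed_urls() ),
                 'allowedHosts'  => array_unique( $allowed_hosts ),
                 'isCrossDomain' => $this->is_cross_domain(),
@@ -4575,5 +4575,5 @@
      */
     public function set_preview_url( $preview_url ) {
-        $preview_url       = esc_url_raw( $preview_url );
+        $preview_url       = sanitize_url( $preview_url );
         $this->preview_url = wp_validate_redirect( $preview_url, home_url( '/' ) );
     }
@@ -4663,5 +4663,5 @@
      */
     public function set_return_url( $return_url ) {
-        $return_url       = esc_url_raw( $return_url );
+        $return_url       = sanitize_url( $return_url );
         $return_url       = remove_query_arg( wp_removable_query_args(), $return_url );
         $return_url       = wp_validate_redirect( $return_url );
@@ -4895,13 +4895,13 @@
             ),
             'url'                    => array(
-                'preview'       => esc_url_raw( $this->get_preview_url() ),
-                'return'        => esc_url_raw( $this->get_return_url() ),
-                'parent'        => esc_url_raw( admin_url() ),
-                'activated'     => esc_url_raw( home_url( '/' ) ),
-                'ajax'          => esc_url_raw( admin_url( 'admin-ajax.php', 'relative' ) ),
-                'allowed'       => array_map( 'esc_url_raw', $this->get_allowed_urls() ),
+                'preview'       => sanitize_url( $this->get_preview_url() ),
+                'return'        => sanitize_url( $this->get_return_url() ),
+                'parent'        => sanitize_url( admin_url() ),
+                'activated'     => sanitize_url( home_url( '/' ) ),
+                'ajax'          => sanitize_url( admin_url( 'admin-ajax.php', 'relative' ) ),
+                'allowed'       => array_map( 'sanitize_url', $this->get_allowed_urls() ),
                 'isCrossDomain' => $this->is_cross_domain(),
-                'home'          => esc_url_raw( home_url( '/' ) ),
-                'login'         => esc_url_raw( $login_url ),
+                'home'          => sanitize_url( home_url( '/' ) ),
+                'login'         => sanitize_url( $login_url ),
             ),
             'browser'                => array(
@@ -6007,5 +6007,5 @@
             }
         } elseif ( 'background_image' === $setting->id || 'background_image_thumb' === $setting->id ) {
-            $value = empty( $value ) ? '' : esc_url_raw( $value );
+            $value = empty( $value ) ? '' : sanitize_url( $value );
         } else {
             return new WP_Error( 'unrecognized_setting', __( 'Unrecognized background setting.' ) );
@@ -6080,5 +6080,5 @@
      */
     public function _validate_external_header_video( $validity, $value ) {
-        $video = esc_url_raw( $value );
+        $video = sanitize_url( $value );
         if ( $video ) {
             if ( ! preg_match( '#^https?://(?:www\.)?(?:youtube\.com/watch|youtu\.be/)#', $video ) ) {
@@ -6098,5 +6098,5 @@
      */
     public function _sanitize_external_header_video( $value ) {
-        return esc_url_raw( trim( $value ) );
+        return sanitize_url( trim( $value ) );
     }
 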
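Review bot: In the last hunk, `_sanitize_external_header_video()` still hands `$value` directly to `trim()`, which emits a PHP 8.1 deprecation notice when the value is null; the commit swaps the sanitizer on that line but leaves the call as is. Whether a null can actually reach this setting callback is not visible from the hunk, so treat this as hardening rather than a confirmed defect: `return sanitize_url( trim( (string) $value ) );` keeps the existing result for strings and makes the null case explicit. The whole function body (lines 6099–6101) is inside the hunk, so the change is self-contained. A minor style point in the settings-array hunk (4895–4907): `sanitize_url( home_url( '/' ) )` is evaluated twice, for `activated` and `home`, and could be assigned to a local once above the array.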