

Timestamp:
06/01/2022 06:12:25 PM (3 years ago)
Author:
SergeyBiryukov
Message:

General: Replace all esc_url_raw() calls in core with sanitize_url().

This aims to improve performance by calling sanitize_url() directly, instead of the esc_url_raw() wrapper. As of WordPress 6.1, sanitize_url() is the recommended function for sanitizing a URL for database or redirect usage.

Follow-up to [11383], [13096], [51597], [53452].

Props benjgrolleau, peterwilsoncc, SergeyBiryukov.
Fixes #55852.

File:
1 edited

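--- a/trunk/src/wp-includes/formatting.php
+++ b/trunk/src/wp-includes/formatting.php
@@ -4355,5 +4355,5 @@
  * @param string[] $protocols Optional. An array of acceptable protocols.
  *                            Defaults to return value of wp_allowed_protocols().
- * @param string   $_context  Private. Use esc_url_raw() for database usage.
+ * @param string   $_context  Private. Use sanitize_url() for database usage.
  * @return string The cleaned URL after the {@see 'clean_url'} filter is applied.
  *                An empty string is returned if `$url` specifies a protocol other than
@@ -4831,5 +4831,5 @@
             $value = explode( "\n", $value );
             $value = array_filter( array_map( 'trim', $value ) );
-            $value = array_filter( array_map( 'esc_url_raw', $value ) );
+            $value = array_filter( array_map( 'sanitize_url', $value ) );
             $value = implode( "\n", $value );
             break;
@@ -4845,5 +4845,5 @@
             } else {
                 if ( preg_match( '#http(s?)://(.+)#i', $value ) ) {
-                    $value = esc_url_raw( $value );
+                    $value = sanitize_url( $value );
                 } else {
                     $error = __( 'The WordPress address you entered did not appear to be a valid URL. Please enter a valid URL.' );
@@ -4858,5 +4858,5 @@
             } else {
                 if ( preg_match( '#http(s?)://(.+)#i', $value ) ) {
-                    $value = esc_url_raw( $value );
+                    $value = sanitize_url( $value );
                 } else {
                     $error = __( 'The Site address you entered did not appear to be a valid URL. Please enter a valid URL.' );
@@ -4930,5 +4930,5 @@
                 $error = $value->get_error_message();
             } else {
-                $value = esc_url_raw( $value );
+                $value = sanitize_url( $value );
                 $value = str_replace( 'http://', '', $value );
             }
@@ -5581,5 +5581,5 @@
         }
     }
-    $urls_to_ping = array_map( 'esc_url_raw', $urls_to_ping );
+    $urls_to_ping = array_map( 'sanitize_url', $urls_to_ping );
     $urls_to_ping = implode( "\n", $urls_to_ping );
     /**
@@ -5650,5 +5650,5 @@
 
     if ( preg_match( '/<a\s[^>]*?href=([\'"])(.+?)\1/is', $content, $matches ) ) {
-        return esc_url_raw( $matches[2] );
+        return sanitize_url( $matches[2] );
     }
 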
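Review bot: The two site-address hunks (new lines 4846-4847 and 4859-4860) store the result of `sanitize_url( $value )` without checking for an empty string, and the guard in front of it, `preg_match( '#http(s?)://(.+)#i', $value )`, is unanchored, so it passes any value that merely contains `http://`. The docblock in the first hunk states that an empty string is returned when the URL uses a protocol that is not allowed, so such a value would presumably be saved as an empty address with no `$error` set. Consider anchoring the check, `if ( preg_match( '#^https?://.+#i', $value ) ) {`, or taking the error branch when `'' === $value` after sanitizing. The enclosing function starts and ends outside these hunks, so any later handling of an empty value is not visible here.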