Make WordPress Core

Changeset 59945


Timestamp: 03/06/2025 02:59:34 PM
Author: audrasjb
Message:

Customize: Properly escape URLs passed by url and return parameters.

This changeset replaces sanitize_text_field() with esc_url_raw() for URLs passed via url and return query vars. This fixes an issue where the URL example.com/หน้าภาษาไทย would incorrectly return example.com// due to improper sanitization when clicking on the Customize button through the admin bar.

Props okvee, yahaly, hellofromTonya, veryard, dilip2615, amin7, swissspidy, audrasjb.
Fixes #61317.

File: 1 edited

  • trunk/src/wp-admin/customize.php

    r59825 r59945  
    8585}
    8686
    87 $url       = ! empty( $_REQUEST['url'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['url'] ) ) : '';
    88 $return    = ! empty( $_REQUEST['return'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['return'] ) ) : '';
     87$url       = ! empty( $_REQUEST['url'] ) ? esc_url_raw( wp_unslash( $_REQUEST['url'] ) ) : '';
     88$return    = ! empty( $_REQUEST['return'] ) ? esc_url_raw( wp_unslash( $_REQUEST['return'] ) ) : '';
    8989$autofocus = ! empty( $_REQUEST['autofocus'] ) && is_array( $_REQUEST['autofocus'] )
    9090    ? array_map( 'sanitize_text_field', wp_unslash( $_REQUEST['autofocus'] ) )
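Review bot: swapping in esc_url_raw() on lines 87-88 fixes the truncation (it preserves the percent-encoded octets that sanitize_text_field() strips, which is why the Thai path collapsed to example.com//), but it is an escaping function, not a destination check: it accepts any host and any scheme in wp_allowed_protocols(). If $return is later used as a redirect target or $url is loaded as the preview URL, those consumers still need their own validation (wp_validate_redirect()/wp_safe_redirect() for the redirect, the preview's existing URL allowlisting for $url); the commit message should say this change is about encoding, not about authorizing the value. One behavioral difference worth confirming: esc_url_raw() prepends http:// to a scheme-less value that does not start with /, # or ?, so a caller passing such a relative return value now gets a different string back than it did from sanitize_text_field().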