Make WordPress Core

Opened 15 years ago

Closed 15 years ago

#10859 closed defect (bug) (fixed)

esc_url() does not escape and renders other functions buggy.

Reported by: hakre's profile hakre Owned by:
Milestone: 2.9 Priority: normal
Severity: major Version: 2.8.4
Component: General Keywords:
Focuses: Cc:

Description

As written in the summary: get_image_send_to_editor() uses (as many other functions) the function esc_url() to escape (at least that is what the name suggests) and URI. But the function name is misleading. Because of the (no-) implementation of any kind of escaping in esc_url() but using clean_url() instead which filters out various characters by undocumented principles this deletes complete valid URIs instead of encoding them.

Example URL: http://192.168.2.106/wordpress-trunk/wp-content/uploads/2009/09/Auto-na-dálkové-ovládání.jpg is "escaped" into an empty string string '' (length=0) when used in esc_url().

This is a Blog with an output encoding set to UTF-8.

Change History (5)

#1 @hakre
15 years ago

related: #10252

#2 @scribu
15 years ago

  • Milestone changed from Unassigned to 2.9
  • Severity changed from normal to major

#3 @hakre
15 years ago

#10252 now got commited, which leaves this ticket now open.

the function esc_url() should follow the standards of URL escaping for ??!!. I do not know, what is the intended output of the function? Plain text UTF-8 encoded? Or is it to be used inside a html attribute like the value of href or src?

What are the ground laying RFC standardarisations we can refer to here?

#4 @ryan
15 years ago

This is caused by the xad strip. See #9823.

#5 @ryan
15 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [12199]) Allow 0xAD in URI attributes. Props nbachiyski. fixes #9823 #10859

Note: See TracTickets for help on using tickets.