Opened 15 years ago
Closed 15 years ago
#10859 closed defect (bug) (fixed)
esc_url() does not escape and renders other functions buggy.
Reported by: | hakre | Owned by: | |
---|---|---|---|
Milestone: | 2.9 | Priority: | normal |
Severity: | major | Version: | 2.8.4 |
Component: | General | Keywords: | |
Focuses: | | Cc: | |
Description
As written in the summary: get_image_send_to_editor() uses (as many other functions do) the function esc_url() to escape (at least that is what the name suggests) a URI. But the function name is misleading. Because esc_url() does not implement any kind of escaping but uses clean_url() instead, which filters out various characters by undocumented principles, this deletes completely valid URIs instead of encoding them.
Example URL: http://192.168.2.106/wordpress-trunk/wp-content/uploads/2009/09/Auto-na-dálkové-ovládání.jpg
is "escaped" into an empty string: string '' (length=0)
when used in esc_url().
This is a Blog with an output encoding set to UTF-8.
Change History (5)
#3
@
15 years ago
#10252 now got committed, which leaves this ticket now open.
The function esc_url() should follow the standards of URL escaping for ??!!. I do not know: what is the intended output of the function? Plain text, UTF-8 encoded? Or is it to be used inside an HTML attribute like the value of href or src?
What are the ground laying RFC standardisations we can refer to here?
related: #10252
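
The difference between deleting and percent-encoding non-ASCII bytes, shown on the URL from the description, as an added example that is not part of the ticket and not WordPress code. All function names are hypothetical, the strip filter is a constructed stand-in rather than clean_url(), and PHP 7.4+ is assumed.

```php
<?php
// Added illustration only: not WordPress core code. All function names are
// hypothetical. Save this file as UTF-8 so the sample URL holds UTF-8 bytes.

// Bytes that may appear literally in a URI (RFC 3986 unreserved + reserved),
// plus "%" so existing escapes survive.
const EXAMPLE_URI_SAFE = 'A-Za-z0-9\-._~:\/?#\[\]@!$&\'()*+,;=%';

// Strip-style filter: silently deletes every byte outside the safe set.
function example_strip_url(string $url): string {
    return preg_replace('/[^' . EXAMPLE_URI_SAFE . ']/', '', $url);
}

// Encode-style filter: percent-encodes those bytes instead (no /u flag, so the
// pattern works byte by byte and "á" becomes %C3%A1). A "%" that does not
// start a valid %XX escape is encoded as %25.
function example_encode_url(string $url): string {
    return preg_replace_callback(
        '/%(?![0-9A-Fa-f]{2})|[^' . EXAMPLE_URI_SAFE . ']/',
        static fn(array $m): string => rawurlencode($m[0]),
        $url
    );
}

// Context step, kept separate: escape the encoded URL for an HTML attribute.
function example_url_attr(string $url): string {
    return htmlspecialchars(example_encode_url($url), ENT_QUOTES, 'UTF-8');
}

// The URL from the ticket description.
$url = 'http://192.168.2.106/wordpress-trunk/wp-content/uploads/2009/09/'
     . 'Auto-na-dálkové-ovládání.jpg';

echo example_strip_url($url), "\n";   // different resource: letters are gone
echo example_encode_url($url), "\n";  // same resource, ASCII-only form
echo '<img src="', example_url_attr($url . '?w=1&h=2'), '" />', "\n";
```

Keeping URI encoding and HTML attribute escaping as two separate steps speaks to the question raised in the comment: the first yields a plain ASCII URI, the second makes that URI safe inside href or src.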