WordPress.org

Make WordPress Core

Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#12300 closed enhancement (fixed)

Allow filtration of image src URLs in wp-admin/

Reported by: mdawaffe Owned by:
Milestone: 3.0 Priority: normal
Severity: normal Version: 3.0
Component: Administration Keywords: has-patch commit
Focuses: Cc:

Description

For caching purposes, large multisites will probably want to serve static content from a single (or finite set of) domain(s) rather than from each blog's domain.

Javascript and stylesheet URLs are already filterable, but most of the admin-side images are hardcoded.

Attached uses admin_url() or includes_url() on most admin-side images.

The patch intentionally leaves out image src URLs hardcoded in install, upgrade, and maintenance pages where admin_url could (I suppose) not yet be working or may be broken.

Attachments (2)

12300.diff (19.6 KB) - added by mdawaffe 5 years ago.
12300.1.diff (19.5 KB) - added by mdawaffe 5 years ago.

Download all attachments as: .zip

Change History (11)

@mdawaffe5 years ago

comment:1 @Viper007Bond5 years ago

  • Keywords has-patch added

comment:2 @nacin5 years ago

  • Keywords commit added

Diff isn't showing up on Trac, but it looks good to me.

comment:3 follow-up: @nacin5 years ago

I'd suggest s/clean_url/esc_url/, though.

comment:4 in reply to: ↑ 3 @mdawaffe5 years ago

Replying to nacin:

I'd suggest s/clean_url/esc_url/, though.

I looked to see which one was preferred. I got as far as noting that clean_url() was in formatting.php and assumed esc_url() was only there for parallelism. Can we deprecate clean_url() if it is, in fact, deprecated? (new ticket)

Patch using esc_url() attached.

@mdawaffe5 years ago

comment:5 @nacin5 years ago

It's kind of confusing, yeah. esc_url_raw() used to be sanitize_url() which was deprecated. clean_url() wasn't deprecated in favor of esc_url() because both esc_url_raw() and esc_url() use it.

We could merge clean_url() into esc_url(), giving the latter the additional $context property and have esc_url_raw() call esc_url() instead, that way we get rid of the alias.

Though it doesn't make much of a difference, the less validation and sanitization functions we have, the less confused plugin authors are, and the more secure the code they write will be.

I'll check this in later.

comment:7 @nacin5 years ago

  • Resolution set to fixed
  • Status changed from new to closed

comment:8 @nacin5 years ago

Woah, post-commit fail, worse than usual. The wp-svn email listed the commit message, but the changeset on Trac shows neither the author nor the message.

It was:

(In [13256]) Use admin_url() for images in wp-admin, to allow for filtering. Props mdawaffe, see #12300

comment:9 @nacin5 years ago

An FYI, this broke an interesting hack employed in the P2 theme: http://wordpress.org/support/topic/380872

Note: See TracTickets for help on using tickets.