admin_url() and site_url() shouldn't need esc_url()
|Reported by:||alexkingorg||Owned by:|
I noticed that the 3.0 codeline includes the addition of esc_url() around admin_url() like:
I believe that admin_url() and site_url() should be "safe" functions to use and should not need escaping. Perhaps they should call esc_url() internally?
I cannot think of a viable reason to allow unsafe results from admin_url() and site_url(), though perhaps there are some internationalization edge cases that I'm not aware of.
If you really need raw access to an unsafe value in wp_options, you can use get_option() to get to it.
Another issue to consider here is input validation and stripping before saving to these fields.
If this is approved in principle, I'd be happy to produce a diff against the current code base.
I think this is very important to address before 3.0 is released as it has a significant impact on theme and plugin developers.
Change History (30)
- Component changed from Administration to Formatting
- Priority changed from high to normal
- Severity changed from major to normal
- Type changed from defect (bug) to enhancement
comment:5 @alexkingorg — 5 years ago
- Component changed from Formatting to Security
- Owner set to ryan
- Type changed from enhancement to defect (bug)
comment:11 @scribu — 5 years ago
- Keywords needs-patch added; has-patch 2nd-opinion removed
- Severity changed from normal to critical
comment:12 @westi — 5 years ago
- Keywords needs-testing added; needs-patch removed
- Severity changed from critical to normal
comment:26 @nacin — 5 years ago
- Keywords 2nd-opinion added; early removed
- Milestone changed from Awaiting Triage to Future Release