#17562 closed enhancement (fixed)
esc_url() printed by the_permalink()
Reported by: | mfields | Owned by: | nacin |
---|---|---|---|
Milestone: | 3.6 | Priority: | normal |
Severity: | normal | Version: | 3.2 |
Component: | Template | Keywords: | has-patch 3.4-early |
Focuses: | | Cc: | |
Description
Using Mark Jaquith's rule of escaping output as late as possible, I believe that it would be correct to use esc_url() on the output of the_permalink. It may be helpful in correcting mistakes in plugins that use the "the_permalink" filter as well.
Attachments (1)
Change History (10)
#3
@
14 years ago
I would be interested to learn more about these cases. I use this function pretty liberally in my projects and would love to know in which situations it would double encode.
#4
@
13 years ago
This seems like the right thing to do to me as well. the_permalink() is a template function, so having output be escaped properly by default seems correct to me.
I don't believe it should lead to double-encoding issues.
#5
@
13 years ago
esc_url() doesn't encode HTML entities beyond escaping level 1.
& - level 0
&amp; - level 1
&amp;amp; - level 2
#6
@
13 years ago
- Keywords 3.4-early added; dev-feedback removed
- Milestone changed from Awaiting Review to Future Release
In themes I've recently worked on, I've been adding add_filter( 'the_permalink', 'esc_url' );. This is a pretty obvious change. Let's add this in 3.4-early.
Ultimately, it will cause some issues, but it will be rare: A) htmlspecialchars() is used, rather than esc_url() or nothing, and B) the URL actually has something to be encoded, which is not particularly common at least regarding ampersands.
Filter output of the_permalink() through esc_url() before printing.
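The double-encoding case discussed in the comments above can be reproduced without WordPress. This is an added example, not code from the ticket or from WordPress core: `escape_once()` and `encoding_level()` are hypothetical helpers, `escape_once()` stands in only for the ampersand handling attributed to esc_url() in the thread, and the URL is a constructed sample.

```php
<?php
// Added example, not WordPress core code; runs without WordPress loaded.

// Hypothetical stand-in for the one property of esc_url() discussed in the
// thread: a raw ampersand is encoded, an existing entity is left alone.
function escape_once( string $url ): string {
    return htmlspecialchars( $url, ENT_QUOTES, 'UTF-8', false ); // double_encode off
}

// Hypothetical helper: number of decode passes needed to reach the raw value,
// matching the "level 0 / 1 / 2" scale used in comment #5.
function encoding_level( string $value ): int {
    $level = 0;
    while ( ( $decoded = html_entity_decode( $value, ENT_QUOTES, 'UTF-8' ) ) !== $value ) {
        $value = $decoded;
        $level++;
    }
    return $level;
}

// Constructed sample permalink whose query string contains an ampersand.
$raw     = 'https://example.test/?p=12&preview=true';
$escaped = escape_once( $raw ); // what a template would print after escaping once

$cases = array(
    'raw value'                       => $raw,
    'escaped once'                    => $escaped,
    'escaped once, escape_once again' => escape_once( $escaped ),
    'escaped once, htmlspecialchars'  => htmlspecialchars( $escaped, ENT_QUOTES, 'UTF-8' ),
);

foreach ( $cases as $label => $value ) {
    printf( "level %d  %-33s %s\n", encoding_level( $value ), $label, $value );
}
```

Only the last row reaches level 2, which corresponds to case A in comment #6: a theme that wraps the already-escaped permalink in htmlspecialchars().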