Make WordPress Core

Opened 10 years ago

Closed 9 years ago

Last modified 9 years ago

#17562 closed enhancement (fixed)

esc_url() printed by the_permalink()

Reported by: mfields
Owned by: nacin
Milestone: 3.6
Priority: normal
Severity: normal
Version: 3.2
Component: Template
Keywords: has-patch 3.4-early
Focuses:
Cc:

Description

Using Mark Jaquith's rule of escaping output as late as possible, I believe that it would be correct to use esc_url() on the output of the_permalink. It may be helpful in correcting mistakes in plugins that use the "the_permalink" filter as well.

Attachments (1)

17562.the-permalink-escape-output.diff (471 bytes) - added by mfields 10 years ago.
Filter output of the_permalink() through esc_url() before printing.


Change History (10)

@mfields
10 years ago

Filter output of the_permalink() through esc_url() before printing.

#1 @mfields
10 years ago

  • Cc michael@… added

#2 @scribu
10 years ago

I can imagine this resulting in double-encoding in some cases.

#3 @mfields
10 years ago

I would be interested to learn more about these cases. I use this function pretty liberally in my projects and would love to know in which situations it would double encode.

#4 @alexkingorg
10 years ago

This seems like the right thing to do to me as well. the_permalink() is a template function, so having output be escaped properly by default seems correct to me.

I don't believe it should lead to double-encoding issues.

#5 @markjaquith
10 years ago

esc_url() doesn't encode HTML entities beyond escaping level 1.

  • & - level 0
  • &amp; - level 1
  • &amp;amp; - level 2

#6 @nacin
10 years ago

  • Keywords 3.4-early added; dev-feedback removed
  • Milestone changed from Awaiting Review to Future Release

In themes I've recently worked on, I've been adding add_filter( 'the_permalink', 'esc_url' );. This is a pretty obvious change. Let's add this in 3.4-early.

Ultimately, it will cause some issues, but it will be rare: A) htmlspecialchars() is used, rather than esc_url() or nothing, and B) the URL actually has something to be encoded, which is not particularly common at least regarding ampersands.
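The ampersand levels from comment #5 and the double-encoding question from #6, worked through as an added example; this is not code from the ticket, the attached patch, or WordPress core. demo_normalize_entities() and demo_esc_url() are hypothetical stand-ins that imitate only the entity handling of esc_url() for display output (a bare '&' becomes '&amp;', which is then rewritten to '&#038;'); the real esc_url() also validates schemes and strips characters, and the sample permalink is constructed.

```php
<?php
// Added example, not WordPress core code. demo_esc_url() imitates only the
// entity handling of esc_url()'s display branch (normalize entities, then
// rewrite '&amp;' to '&#038;' and "'" to '&#039;'); scheme validation and
// character stripping from the real function are left out.

// Stand-in for wp_kses_normalize_entities(): every '&' that does not already
// start an entity-shaped token becomes '&amp;'. The real function checks the
// name against an allow-list; this one accepts any well-formed entity.
function demo_normalize_entities( string $s ): string {
    $entity = '(?:[A-Za-z][A-Za-z0-9]*|#[0-9]+|#[xX][0-9A-Fa-f]+);';
    return preg_replace( '/&(?!' . $entity . ')/', '&amp;', $s );
}

// Approximation of esc_url() for a URL printed into HTML.
function demo_esc_url( string $url ): string {
    $url = demo_normalize_entities( $url );
    $url = str_replace( '&amp;', '&#038;', $url );
    $url = str_replace( "'", '&#039;', $url );
    return $url;
}

// The naive alternative a plugin might hook into 'the_permalink':
// htmlspecialchars() encodes '&' again on every call.
function demo_naive_escape( string $url ): string {
    return htmlspecialchars( $url, ENT_QUOTES, 'UTF-8' );
}

// The three ampersand levels from comment #5.
$level0 = '&';
$level1 = htmlspecialchars( $level0 ); // &amp;
$level2 = htmlspecialchars( $level1 ); // &amp;amp;  (a browser no longer sees a query separator)

// Constructed sample permalink with a query string.
$permalink = 'http://example.com/?p=1&cat=2';

// 1. esc_url()-style escaping is idempotent: escaping its own output changes nothing.
$once  = demo_esc_url( $permalink );
$twice = demo_esc_url( $once );
assert( $once === 'http://example.com/?p=1&#038;cat=2' );
assert( $once === $twice );

// 2. A plugin filter already applied esc_url() and core applies it again on
//    output: still level 1, so the existing filter is harmless and can be removed.
$filtered = demo_esc_url( $permalink );  // plugin's filter
$printed  = demo_esc_url( $filtered );   // core's escaping on output
assert( $printed === $once );

// 3. The plugin filter used htmlspecialchars() instead (case A in comment #6):
//    '&amp;' is a valid entity, so it is normalised to '&#038;', not
//    double-encoded to '&amp;amp;'.
$filtered = demo_naive_escape( $permalink );  // ...?p=1&amp;cat=2
$printed  = demo_esc_url( $filtered );
assert( $printed === $once );

// 4. Stacking htmlspecialchars() on itself is what actually produces level 2.
$bad = demo_naive_escape( demo_naive_escape( $permalink ) );
assert( $bad === 'http://example.com/?p=1&amp;amp;cat=2' );

printf( "once:  %s\ntwice: %s\nbad:   %s\n", $once, $twice, $bad );
```

Run it with `php demo.php` (assertions are evaluated when zend.assertions is 1, the CLI compiled default); the three printed lines show the stable level-1 form from the esc_url()-style path next to the level-2 form that only repeated htmlspecialchars() produces, which is why the escaping added to the_permalink() does not double-encode an already-escaped filter result.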

#7 @wonderboymusic
9 years ago

  • Milestone changed from Future Release to 3.6

#8 @nacin
9 years ago

  • Owner set to nacin
  • Resolution set to fixed
  • Status changed from new to closed

In 23527:

Automatically esc_url() the URL echoed by the_permalink().

This makes the_permalink() useful, rather than needing to do echo esc_url( get_permalink() ) to get proper encoding of ampersands, etc. This will not double-encode when esc_url() has already been applied to the filter here, but that code can now be removed.

props mfields.
fixes #17562.

#9 @nacin
9 years ago

In 23528:

esc_url() when printing a URL into an attribute, even when it is known to be safe. (see #17562)
