Non-URL GUIDs are stripped on post update

[alexkingorg]

The post guid is run through several filters before the post is saved. the esc_url_raw() call will end up setting a GUID to an empty string if the GUID does not begin with a known/accepted protocol.

If a plugin/etc. wants to use the GUID column to store an external ID for an item brought in from another system (say a Flickr photo ID), then updating a post that has the Flickr ID as its GUID through the WP admin will end up setting the GUID for that post to .

This would need to be changed if the move was made to UUIDs for GUID values as well. Related: #6492.

A very basic patch for this specific issue is attached, but a larger discussion around how this should work is likely needed. Related: #18315

[alexkingorg]

very basic patch

[nacin]

This is a security precaution. Unfortunately, $post->guid may be used as a URL, which means that it needs to be secure if so. (Otherwise it's possible to stuff this with a POST.) Deciding whether we can use esc_url_raw vs regular attribute escaping (or strip_tags) can be a challenge.

[prettyboymp]

Wouldn't it be better escaped on output rather than input?