Opened 9 years ago

Closed 9 years ago

Last modified 9 years ago

#23187 closed defect (bug) (fixed)

esc_url() fails if the URL's scheme's case does not match the allowed protocol's case

Reported by: mdawaffe
Owned by: nacin
Milestone: 3.5.2
Priority: normal
Severity: normal
Version:
Component: Formatting
Keywords: has-patch commit
Focuses:
Cc:

Description

Steps to reproduce:

$url = esc_url( 'HTTP://example.com' );
var_dump( $url );

Expected output:

string(18) "http://example.com"

Actual output:

string(0) ""

From http://tools.ietf.org/html/rfc3986:

Although schemes are case-insensitive, the canonical form is lowercase and documents that specify schemes must do so with lowercase letters. An implementation should accept uppercase letters as equivalent to lowercase in scheme names (e.g., allow "HTTP" as well as "http") for the sake of robustness but should only produce lowercase scheme names for consistency.

Patch and unit tests attached.

Attachments (2)

23187.diff (661 bytes) - added by mdawaffe 9 years ago.
23187-ut.diff (737 bytes) - added by mdawaffe 9 years ago.
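
The fail-closed behaviour reported in the description and the RFC 3986 handling it asks for, side by side. This is an added example, not WordPress core code and not the attached patch; the function names and the allowlist are hypothetical.

```php
<?php
// Added example: hypothetical helpers, not WordPress core code.
const ALLOWED_SCHEMES = ['http', 'https', 'ftp', 'mailto']; // assumed allowlist

// Split "scheme:rest" using the RFC 3986 scheme grammar:
// ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ). Returns null if there is no scheme.
function split_scheme(string $url): ?array {
    if (!preg_match('/^([A-Za-z][A-Za-z0-9+.\-]*):(.*)$/s', $url, $m)) {
        return null;
    }
    return [$m[1], $m[2]];
}

// "Before": byte-for-byte comparison, so 'HTTP' is not found in the allowlist
// and a legitimate URL is reduced to the empty string.
function filter_url_case_sensitive(string $url): string {
    $parts = split_scheme($url);
    if ($parts === null || !in_array($parts[0], ALLOWED_SCHEMES, true)) {
        return '';
    }
    return $url;
}

// "After": compare the lowercased scheme against the allowlist and emit the
// canonical lowercase form. Unlisted schemes are still rejected in any case.
function filter_url_case_insensitive(string $url): string {
    $parts = split_scheme($url);
    if ($parts === null) {
        return '';
    }
    $scheme = strtolower($parts[0]);
    if (!in_array($scheme, ALLOWED_SCHEMES, true)) {
        return '';
    }
    return $scheme . ':' . $parts[1];
}

// Constructed sample inputs.
$samples = ['HTTP://example.com', 'HtTpS://example.com/a?b=c',
            'http://example.com', 'JavaScript:void(0)'];
foreach ($samples as $url) {
    printf("%-28s before=%-28s after=%s\n", $url,
        var_export(filter_url_case_sensitive($url), true),
        var_export(filter_url_case_insensitive($url), true));
}
```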


Change History (12)

@mdawaffe
9 years ago

#1 @mdawaffe
9 years ago

  • Component changed from General to Validation
  • Keywords has-patch added

#2 follow-up: @alexvorn2
9 years ago

I think it should validate only for lower case http, not HtTp

#3 @SergeyBiryukov
9 years ago

  • Component changed from Validation to Formatting

#4 @SergeyBiryukov
9 years ago

In 1184/tests:

esc_url() test for scheme case. props mdawaffe. see #23187.

#5 in reply to: ↑ 2 @rmccue
9 years ago

Replying to alexvorn2:

I think it should validate only for lower case http, not HtTp

It's completely case-insensitive, so both of those are equivalent, but the canonical form should always be 'http'.

(From memory, there may be further code in SimplePie_IRI that can be ripped out for this, but that's fairly heavy.)

#6 @SergeyBiryukov
9 years ago

  • Milestone changed from Awaiting Review to 3.6

#7 @ryan
9 years ago

  • Keywords commit added

#8 @nacin
9 years ago

  • Owner set to nacin
  • Resolution set to fixed
  • Status changed from new to closed

In 23303:

Treat URL schemes as case insensitive when sanitizing them in esc_url().

props mdawaffe.
fixes #23187.
tests: [1184/tests]

#9 @nacin
9 years ago

In 23348:

Treat URL schemes as case insensitive when sanitizing them in esc_url().

Merges [23303] to the 3.5 branch.

props mdawaffe.
fixes #23187.

#10 @nacin
9 years ago

  • Milestone changed from 3.6 to 3.5.2