Make WordPress Core

Opened 12 years ago

Closed 12 years ago

Last modified 11 years ago

#23187 closed defect (bug) (fixed)

esc_url() fails if the URL's scheme's case does not match the allowed protocol's case

Reported by: mdawaffe
Owned by: nacin
Milestone: 3.5.2
Priority: normal
Severity: normal
Version:
Component: Formatting
Keywords: has-patch commit
Focuses:
Cc:

Description

Steps to reproduce:

$url = esc_url( 'HTTP://example.com' );
var_dump( $url );

Expected output:

string(18) "http://example.com"

Actual output:

string(0) ""

From http://tools.ietf.org/html/rfc3986:

Although schemes are case-insensitive, the canonical form is lowercase and documents that specify schemes must do so with lowercase letters. An implementation should accept uppercase letters as equivalent to lowercase in scheme names (e.g., allow "HTTP" as well as "http") for the sake of robustness but should only produce lowercase scheme names for consistency.

Patch and unit tests attached.

Attachments (2)

23187.diff (661 bytes) - added by mdawaffe 12 years ago.
23187-ut.diff (737 bytes) - added by mdawaffe 12 years ago.
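
The behaviour requested in the description, as an added example that is not WordPress core code and not the attached patch: a case-sensitive allow-list check next to one that matches the scheme case-insensitively and emits it in lowercase. The function names, the allow-list and the sample URLs are hypothetical, and URLs without a scheme are rejected here for brevity.

```php
<?php
// Added example: hypothetical names, constructed inputs. Not WordPress code.

const ALLOWED_SCHEMES = ['http', 'https', 'mailto'];

// RFC 3986 scheme syntax: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
const SCHEME_RE = '/^([A-Za-z][A-Za-z0-9+.\-]*):(.*)$/s';

/** Case-sensitive comparison: the failure mode reported in this ticket. */
function sanitize_url_strict_case(string $url): string
{
    if (!preg_match(SCHEME_RE, $url, $m)) {
        return ''; // no scheme: rejected in this simplified example
    }
    return in_array($m[1], ALLOWED_SCHEMES, true) ? $url : '';
}

/** Case-insensitive match; the accepted URL is returned with a lowercase scheme. */
function sanitize_url_normalized(string $url): string
{
    if (!preg_match(SCHEME_RE, $url, $m)) {
        return ''; // no scheme: rejected in this simplified example
    }
    $scheme = strtolower($m[1]);
    if (!in_array($scheme, ALLOWED_SCHEMES, true)) {
        return ''; // still fails closed for schemes outside the allow-list
    }
    return $scheme . ':' . $m[2]; // only the scheme is lowercased
}

// Constructed sample inputs: mixed-case allowed schemes and a disallowed one.
$samples = [
    'HTTP://example.com',
    'HtTpS://Example.com/Path?Q=1',
    'http://example.com',
    'JavaScript:void(0)',
];

foreach ($samples as $url) {
    printf(
        "%-30s strict=%-32s normalized=%s\n",
        $url,
        var_export(sanitize_url_strict_case($url), true),
        var_export(sanitize_url_normalized($url), true)
    );
}
```

Lowercasing only the scheme leaves the case of the path and query untouched, and the disallowed scheme is rejected by both functions regardless of its case.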

Change History (12)

@mdawaffe
12 years ago

#1 @mdawaffe
12 years ago

  • Component changed from General to Validation
  • Keywords has-patch added

#2 follow-up: @alexvorn2
12 years ago

I think it should validate only for lowercase http, not HtTp

#3 @SergeyBiryukov
12 years ago

  • Component changed from Validation to Formatting

#4 @SergeyBiryukov
12 years ago

In 1184/tests:

esc_url() test for scheme case. props mdawaffe. see #23187.

#5 in reply to: ↑ 2 @rmccue
12 years ago

Replying to alexvorn2:

I think it should validate only for lowercase http, not HtTp

It's completely case-insensitive, so both of those are equivalent, but the canonical form should always be 'http'.

(From memory, there may be further code in SimplePie_IRI that can be ripped out for this, but that's fairly heavy.)

#6 @SergeyBiryukov
12 years ago

  • Milestone changed from Awaiting Review to 3.6

#7 @ryan
12 years ago

  • Keywords commit added

#8 @nacin
12 years ago

  • Owner set to nacin
  • Resolution set to fixed
  • Status changed from new to closed

In 23303:

Treat URL schemes as case insensitive when sanitizing them in esc_url().

props mdawaffe.
fixes #23187.
tests: [1184/tests]

#9 @nacin
11 years ago

In 23348:

Treat URL schemes as case insensitive when sanitizing them in esc_url().

Merges [23303] to the 3.5 branch.

props mdawaffe.
fixes #23187.

#10 @nacin
11 years ago

  • Milestone changed from 3.6 to 3.5.2