Make WordPress Core

Opened 7 years ago

Closed 7 years ago

#23266 closed defect (bug) (fixed)

Replace esc_attr() with esc_url() for form action URLs

Reported by: SergeyBiryukov
Owned by: ryan
Milestone: 3.6
Priority: normal
Severity: normal
Version:
Component: Formatting
Keywords: has-patch
Focuses:
Cc:

Description

We use esc_attr() for form action URLs in some places. esc_url() should be used instead.
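As an added illustration (not code from this ticket or from WordPress core): a simplified PHP model of the two escapers, showing why HTML-attribute encoding on its own does not make a form action URL safe. attr_escape(), url_sanitize() and the scheme allowlist are this example's own simplifications of what esc_attr() and esc_url() do, not the real implementations.

```php
<?php
// Added example, not WordPress core code. attr_escape() models esc_attr():
// it only HTML-encodes. url_sanitize() models the key steps of esc_url():
// drop characters that cannot appear in a URL, then refuse any scheme that
// is not on an allowlist. Function names and the allowlist are assumptions.

function attr_escape(string $text): string {
    // Neutralises only the characters that would break out of the attribute.
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

function url_sanitize(string $url, array $allowed = ['http', 'https']): string {
    $url = ltrim($url);
    // Keep only characters that belong in a URL (a double quote is not one).
    $url = preg_replace('|[^a-z0-9\-~+_.?#=!&;,/:%@$*\'()\[\]]|i', '', $url);
    // Relative URLs (starting with / ? #) carry no scheme and are accepted.
    if ($url === '' || preg_match('#^[/?\#]#', $url)) {
        return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
    }
    if (!preg_match('#^([a-z][a-z0-9+.\-]*):#i', $url, $m)) {
        return ''; // no recognisable scheme: treat as unsafe in this model
    }
    if (!in_array(strtolower($m[1]), $allowed, true)) {
        return ''; // scheme outside the allowlist (javascript:, data:, ...) is dropped
    }
    return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
}

// Constructed sample values: an admin-relative URL, an absolute URL with a
// query string, and a non-navigational scheme that attribute escaping keeps.
$inputs = [
    '/wp-admin/edit.php?post_type=page',
    'https://example.com/submit?a=1&b=2',
    'javascript:void(0)',
];
foreach ($inputs as $in) {
    printf("input:          %s\n", $in);
    printf("esc_attr-style: <form action=\"%s\">\n", attr_escape($in));
    printf("esc_url-style:  <form action=\"%s\">\n\n", url_sanitize($in));
}
```

Both functions encode `&` and quotes, so the attribute itself stays intact; only the URL-aware one rejects the third input, which is the gap the ticket closes.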

Attachments (1)

23266.patch (3.1 KB) - added by SergeyBiryukov 7 years ago.

Change History (6)

#2 @DrewAPicture
7 years ago

  • Cc DrewAPicture added

+1. Probably wouldn't hurt to rope in some of the others that don't use escaping at all such as in several Multisite files and all over the place really.

I could only find a few instances where esc_url() was used in conjunction with admin_url(), self_admin_url(), site_url() and the like. Not sure if it's even needed.

Here's an ack of the files/lines lacking escaping or misusing esc_attr() as already covered in @SergeyBiryukov's patch: https://gist.github.com/4598774

#5 @ryan
7 years ago

  • Owner set to ryan
  • Resolution set to fixed
  • Status changed from new to closed

In 23739:

Escape form action urls with esc_url() rather than esc_attr().

Props SergeyBiryukov
fixes #23266