Make WordPress Core

Opened 11 years ago

Closed 11 years ago

#23266 closed defect (bug) (fixed)

Replace esc_attr() with esc_url() for form action URLs

Reported by: SergeyBiryukov
Owned by: ryan
Milestone: 3.6
Priority: normal
Severity: normal
Version:
Component: Formatting
Keywords: has-patch
Focuses:
Cc:


We use esc_attr() for form action URLs in some places. esc_url() should be used instead.

Attachments (1)

23266.patch (3.1 KB) - added by SergeyBiryukov 11 years ago.


Change History (6)

#2 @DrewAPicture
11 years ago

  • Cc DrewAPicture added

+1. Probably wouldn't hurt to rope in some of the others that don't use escaping at all such as in several Multisite files and all over the place really.

I could only find a few instances where esc_url() was used in conjunction with admin_url(), self_admin_url(), site_url() and the like. Not sure if it's even needed.

Here's an ack of the files/lines lacking escaping or misusing esc_attr() as already covered in @SergeyBiryukov's patch:

#5 @ryan
11 years ago

  • Owner set to ryan
  • Resolution set to fixed
  • Status changed from new to closed

In 23739:

Escape form action urls with esc_url() rather than esc_attr().

Props SergeyBiryukov
fixes #23266
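
An added example (not part of the ticket, its patch, or WordPress core): a grep-based audit in the spirit of the ack run mentioned in the comments, listing form action attributes whose echoed value goes through esc_attr() or through no esc_url() call at all. The function names, the ESC_ATTR/UNESCAPED labels and the sample templates are constructed for illustration, and the script assumes a grep that supports -r and --include.

```shell
#!/bin/sh
# Added example (not from the ticket): list form action attributes in PHP
# templates whose echoed value does not go through esc_url().

# Matches: action="<?php echo   (either quote style)
q="[\"']"
pat="action=${q}<\\?php[[:space:]]+echo[[:space:]]+"

# Prints file:line:KIND:expression for each hit under directory $1.
#   ESC_ATTR  - value escaped with esc_attr(), the case this ticket fixes
#   UNESCAPED - value echoed with no esc_url() call; review by hand
audit_form_actions() {
    grep -rnE --include='*.php' -- "$pat" "$1" |
    while IFS=: read -r file line rest; do
        # Keep only the PHP expression echoed inside the action attribute.
        value=$(printf '%s\n' "$rest" |
            sed -E "s/.*${pat}//; s/[[:space:]]*;?[[:space:]]*\\?>.*//")
        case "$value" in
            'esc_url('*|'esc_url ('*)   continue ;;
            'esc_attr('*|'esc_attr ('*) kind=ESC_ATTR ;;
            *)                          kind=UNESCAPED ;;
        esac
        printf '%s:%s:%s:%s\n' "$file" "$line" "$kind" "$value"
    done
}

# Constructed sample templates (hypothetical, not WordPress core files).
write_constructed_samples() {
    cat > "$1/a.php" <<'EOF'
<form method="post" action="<?php echo esc_attr( $form_url ); ?>">
<form method="post" action="<?php echo esc_url( $form_url ); ?>" class="<?php echo esc_attr( $css ); ?>">
EOF
    cat > "$1/b.php" <<'EOF'
<form action="<?php echo admin_url( 'options.php' ); ?>" method="post">
EOF
}

sample_dir=$(mktemp -d)
write_constructed_samples "$sample_dir"
audit_form_actions "$sample_dir"
rm -rf "$sample_dir"
```

UNESCAPED hits are candidates for review rather than confirmed defects, since the value may already have been escaped before the echo.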
