Opened 12 years ago
Closed 12 years ago
#24416 closed defect (bug) (wontfix)
get_content_url() should not escape data
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | 3.6 |
| Component: | Post Formats | Keywords: | has-patch |
| Focuses: | | Cc: | |
Description
In get_content_url(), the URL is escaped with esc_url_raw(). In core, the function is used three times:
- It is used twice in post_formats_compat(). The returned value is escaped with esc_url() after both uses.
- It is used in get_the_post_format_url() as a last fallback to get a URL for a post. While the other URLs that are returned are escaped with esc_url_raw(), this is likely an incorrect use of esc_url_raw() as this function is probably not commonly used for saving the data to the database.
get_content_url() should not escape data and instead place the responsibility of escaping on the code that calls the function. This allows it to be escaped specifically for the context in which the function is used. Additionally, given that this is more of a "template tag", it should probably not be using esc_url_raw() in the first place.
I think it would be best to assume that get_content_url() returns the rawest data and functions calling it can clean it further.
Attachments (1)
Change History (5)
I added a patch that removes the data escaped for get_content_url(). For consistency's sake, I escape the use of the function in get_the_post_format_url() (I'm going to submit another ticket that changes this, however).
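
The caller-side escaping the ticket description argues for, as an added example that is not code from this ticket, its patch, or WordPress core. The `example_*` functions and the `_example_link_url` meta key are hypothetical, and the snippet assumes it runs inside a loaded WordPress install.

```php
<?php
// Added example. Assumes a loaded WordPress install (theme or plugin file).
// example_* functions and the '_example_link_url' meta key are hypothetical.

/**
 * Getter: return the URL that makes up a link-format post's body, unescaped.
 * It cannot know where the value will be used, so it does no escaping.
 */
function example_raw_content_url( $post_id ) {
	$post = get_post( $post_id );
	if ( ! $post ) {
		return '';
	}
	$trimmed = trim( $post->post_content );
	// Only treat the body as a URL when it is a single token starting with "http".
	if ( 0 === stripos( $trimmed, 'http' ) && ! preg_match( '#\s#', $trimmed ) ) {
		return $trimmed;
	}
	return '';
}

/**
 * Caller 1, HTML output: esc_url() drops URLs with disallowed schemes
 * (returns '') and entity-encodes & and ' for use in markup.
 */
function example_link_markup( $post_id ) {
	$url = esc_url( example_raw_content_url( $post_id ) );
	if ( '' === $url ) {
		return '';
	}
	return sprintf( '<a href="%s">%s</a>', $url, esc_html( get_the_title( $post_id ) ) );
}

/**
 * Caller 2, storage: esc_url_raw() applies the same scheme checks but
 * skips the display-only entity encoding, so the stored value stays a plain URL.
 */
function example_store_link( $post_id ) {
	$url = esc_url_raw( example_raw_content_url( $post_id ) );
	if ( '' === $url ) {
		return false;
	}
	return (bool) update_post_meta( $post_id, '_example_link_url', $url );
}
```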