get_content_url() should not escape data
|Reported by:||tollmanz||Owned by:|
In get_content_url(), the URL is escaped with esc_url_raw(). In core, the function is used three times:
- It is used twice in post_formats_compat(). The returned value is escaped with esc_url() after both uses.
- It is used in get_the_post_format_url() as a last fallback to get a URL for a post. While the other URLs that are returned are escaped with esc_url_raw(), this is likely an incorrect use of esc_url_raw() as this function is probably not commonly used for saving the data to the database.
get_content_url() should not escape data and instead place the responsibility of escaping on the code that calls the function. This allows it to be escaped specifically for the context in which the function is used. Additionally, given that this is more of a "template tag", it should probably not be using esc_url_raw() in the first place.
I think it would be best to assume that get_content_url() returns the rawest data and functions calling it can clean it further.
Change History (5)
comment:2 SergeyBiryukov — 11 months ago
- Keywords has-patch added
- Milestone changed from Awaiting Review to 3.6