WordPress.org

Make WordPress Core

#24416 closed defect (bug) (wontfix)

get_content_url() should not escape data

Reported by: tollmanz
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 3.6
Component: Post Formats
Keywords: has-patch
Focuses:
Cc:

Description

In get_content_url(), the URL is escaped with esc_url_raw(). In core, the function is used three times:

  • It is used twice in post_formats_compat(). The returned value is escaped with esc_url() after both uses.
  • It is used in get_the_post_format_url() as a last fallback to get a URL for a post. While the other URLs that are returned are escaped with esc_url_raw(), this is likely an incorrect use of esc_url_raw() as this function is probably not commonly used for saving the data to the database.

get_content_url() should not escape data and instead place the responsibility of escaping on the code that calls the function. This allows it to be escaped specifically for the context in which the function is used. Additionally, given that this is more of a "template tag", it should probably not be using esc_url_raw() in the first place.

I think it would be best to assume that get_content_url() returns the rawest data and functions calling it can clean it further.
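
The split the description proposes, sketched as an added example (not code from the ticket, its patch, or WordPress core): a getter returns the raw URL and each caller escapes for its own context. It assumes the file is loaded inside WordPress; every `example_*` name and the `_example_link_url` meta key are hypothetical, and the sample URL in the comments is constructed.

```php
<?php
// Added illustration; assumes it runs inside WordPress (e.g. as a small plugin).
// All example_* names and the meta key are hypothetical.
defined( 'ABSPATH' ) || exit;

/**
 * Getter: returns the first http(s) URL found in $content, unescaped.
 * It does no escaping because it cannot know where the value will be used.
 */
function example_get_raw_url( $content ) {
	if ( preg_match( '#\bhttps?://[^\s"<>]+#i', (string) $content, $m ) ) {
		return $m[0];
	}
	return '';
}

/**
 * Display context: esc_url() checks the protocol and entity-encodes
 * ampersands and single quotes, so the result is safe inside an attribute.
 * Constructed input "http://example.com/?a=1&b=2" becomes
 * "http://example.com/?a=1&#038;b=2" in the href.
 */
function example_render_link( $content ) {
	$url = example_get_raw_url( $content );
	if ( '' === $url ) {
		return '';
	}
	return sprintf( '<a href="%s">%s</a>', esc_url( $url ), esc_html( $url ) );
}

/**
 * Storage context: esc_url_raw() applies the same protocol check but does
 * not entity-encode, so the stored value stays "http://example.com/?a=1&b=2"
 * and can be escaped again correctly when it is later displayed.
 */
function example_save_link( $post_id, $content ) {
	$url = esc_url_raw( example_get_raw_url( $content ) );
	if ( '' === $url ) {
		return ''; // Nothing found, or the URL was rejected by the protocol check.
	}
	update_post_meta( $post_id, '_example_link_url', $url );
	return $url;
}
```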

Attachments (1)

24416.patch (1.0 KB) - added by tollmanz 11 months ago.

Change History (5)

comment:1 tollmanz, 11 months ago

I added a patch that removes the data escaped for get_content_url(). For consistency's sake, I escape the use of the function in get_the_post_format_url() (I'm going to submit another ticket that changes this, however).

comment:2 SergeyBiryukov, 11 months ago

  • Keywords has-patch added
  • Milestone changed from Awaiting Review to 3.6

comment:3 nacin, 11 months ago

Same as #24417.

comment:4 SergeyBiryukov, 11 months ago

  • Milestone 3.6 deleted
  • Resolution set to wontfix
  • Status changed from new to closed