Context Navigation

← Previous Ticket
Next Ticket →

#25057 closed defect (bug) (fixed)

MS function get_blogaddress_by_domain returns output escaped by esc_url() - should be esc_url_raw()

Reported by:	tlovett1	Owned by:	nacin
Milestone:	3.7	Priority:	normal
Severity:	normal	Version:
Component:	Multisite	Keywords:	has-patch
Focuses:		Cc:

Description

Title is pretty self-explanatory. get_blogaddress_by_domain() runs esc_url() on it's output. get_blogaddress_by_domain() is only called once in core:

In site-info.php:

$blog_address = get_blogaddress_by_domain( $_POST['blog']['domain'], $_POST['blog']['path'] );
  if ( get_option( 'siteurl' ) != $blog_address )
    update_option( 'siteurl', $blog_address );

Since get_blogaddress_by_domain() is saved straight to the options table, it should be using the correct sanitization function, esc_url_raw().

Attachments (1)

25057.diff (323 bytes) - added by tlovett1 13 years ago.: Use esc_url_raw instead of esc_url

Download all attachments as: .zip

Change History (5)

@tlovett1
13 years ago

Attachment 25057.diff added

Use esc_url_raw instead of esc_url

#1 @SergeyBiryukov
13 years ago

get_blogaddress_by_domain() should probably be deprecated once #18242 is resolved, see ticket:18242:14.

#2 @nacin
13 years ago

Even with #18242, I'm going to commit 25057.diff , because it's definitely correct.

#3 @nacin
13 years ago

Owner set to nacin
Resolution set to fixed
Status changed from new to closed

In 25033:

Return esc_url_raw(), not esc_url(), from get_blogaddress_by_domain(). props tlovett1, fixes #25057. #wcpvd

#4 @SergeyBiryukov
13 years ago

Milestone changed from Awaiting Review to 3.7

Note: See TracTickets for help on using tickets.

Trac UI Preferences

Download in other formats:

Make WordPress Core