Make WordPress Core

Opened 11 years ago

Closed 11 years ago

Last modified 11 years ago

#25057 closed defect (bug) (fixed)

MS function get_blogaddress_by_domain returns output escaped by esc_url() - should be esc_url_raw()

Reported by: tlovett1
Owned by: nacin
Milestone: 3.7
Priority: normal
Severity: normal
Version:
Component: Multisite
Keywords: has-patch
Focuses:
Cc:

Description

Title is pretty self-explanatory. get_blogaddress_by_domain() runs esc_url() on its output. get_blogaddress_by_domain() is only called once in core:

In site-info.php:

$blog_address = get_blogaddress_by_domain( $_POST['blog']['domain'], $_POST['blog']['path'] );
if ( get_option( 'siteurl' ) != $blog_address )
    update_option( 'siteurl', $blog_address );

Since get_blogaddress_by_domain() is saved straight to the options table, it should be using the correct sanitization function, esc_url_raw().

Attachments (1)

25057.diff (323 bytes) - added by tlovett1 11 years ago.
Use esc_url_raw instead of esc_url
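
Why the storage context matters, as an added example that is not part of the ticket or of WordPress core: model_esc_url() and model_esc_url_raw() are simplified, hypothetical stand-ins that model only the difference between the two functions (the display variant additionally encodes & and ' as HTML entities), and the domain and path are constructed sample input.

```php
<?php
// Added illustration. These two functions are simplified stand-ins
// (assumptions), not WordPress's own implementation.

// Models esc_url_raw(): cleans a URL for storage or redirects, no HTML entities.
function model_esc_url_raw(string $url): string
{
    // Simplified character filter; core applies more rules than this.
    return preg_replace('/[^a-z0-9\-~+_.?#=!&;,\/:%@$|*\'()\[\]]/i', '', $url);
}

// Models esc_url(): the same cleaning plus the display-only entity step.
function model_esc_url(string $url): string
{
    return str_replace(['&', "'"], ['&#038;', '&#039;'], model_esc_url_raw($url));
}

// Constructed sample input standing in for $_POST['blog'].
$domain = 'example.org';
$path   = "/tom&jerry's/";
$url    = 'http://' . $domain . $path;

// Stands in for the options table.
$options = [
    'display-escaped' => model_esc_url($url),     // behaviour the ticket reports
    'raw-escaped'     => model_esc_url_raw($url), // behaviour after 25057.diff
];

foreach ($options as $label => $stored) {
    // Escaping applied again at output time, as a template would do.
    $printed = htmlspecialchars($stored, ENT_QUOTES);

    // Non-HTML consumers (redirects, HTTP requests) parse the stored string as-is;
    // the '#' of a stored entity is read as the start of a fragment.
    $parsedPath = parse_url($stored, PHP_URL_PATH);

    printf("%s\n", $label);
    printf("  stored : %s\n", $stored);
    printf("  printed: %s\n", $printed);
    printf("  path   : %s\n\n", $parsedPath);
}
```

The display-escaped row shows both problems: the stored entity is encoded a second time when printed, and the path seen by non-HTML code is cut off at the entity's #.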


Change History (5)

@tlovett1
11 years ago

Use esc_url_raw instead of esc_url

#1 @SergeyBiryukov
11 years ago

get_blogaddress_by_domain() should probably be deprecated once #18242 is resolved, see ticket:18242:14.

#2 @nacin
11 years ago

Even with #18242, I'm going to commit 25057.diff, because it's definitely correct.

#3 @nacin
11 years ago

  • Owner set to nacin
  • Resolution set to fixed
  • Status changed from new to closed

In 25033:

Return esc_url_raw(), not esc_url(), from get_blogaddress_by_domain(). props tlovett1, fixes #25057. #wcpvd

#4 @SergeyBiryukov
11 years ago

  • Milestone changed from Awaiting Review to 3.7