#25057 closed defect (bug) (fixed)
MS function get_blogaddress_by_domain returns output escaped by esc_url() - should be esc_url_raw()
Reported by: | | Owned by: | |
---|---|---|---|
Milestone: | 3.7 | Priority: | normal |
Severity: | normal | Version: | |
Component: | Multisite | Keywords: | has-patch |
Focuses: | | Cc: | |
Description
Title is pretty self-explanatory. get_blogaddress_by_domain() runs esc_url() on its output. get_blogaddress_by_domain() is only called once in core:
In site-info.php:
```php
$blog_address = get_blogaddress_by_domain( $_POST['blog']['domain'], $_POST['blog']['path'] );
if ( get_option( 'siteurl' ) != $blog_address )
	update_option( 'siteurl', $blog_address );
```
Since get_blogaddress_by_domain() is saved straight to the options table, it should be using the correct sanitization function, esc_url_raw().
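The difference the description relies on, as an added example that is not part of the ticket or of WordPress core. It assumes a loaded WordPress install (for instance run through WP-CLI's `wp eval-file`); the `demo_*` function names and the sample URL are hypothetical.

```php
<?php
// Added example, not core code. Requires WordPress to be loaded.

/**
 * Hypothetical helper: run the same URL through both functions so the
 * display-context encoding can be compared with the storage-safe form.
 */
function demo_compare_url_escaping( $url ) {
	$display = esc_url( $url );     // display context: & and ' become HTML entities
	$storage = esc_url_raw( $url ); // database context: no entity encoding
	return array(
		'input'          => $url,
		'esc_url'        => $display,
		'esc_url_raw'    => $storage,
		'entities_added' => ( $display !== $storage ),
	);
}

/**
 * Hypothetical audit: flag options whose stored value already contains
 * the entities esc_url() emits (&#038; and &#039;), which suggests the
 * value was escaped for display before it was saved.
 */
function demo_find_entity_encoded_options( array $option_names ) {
	$flagged = array();
	foreach ( $option_names as $name ) {
		$value = (string) get_option( $name, '' );
		if ( preg_match( '/&#038;|&#039;/', $value ) ) {
			$flagged[ $name ] = $value;
		}
	}
	return $flagged;
}

// Constructed sample input: a URL containing an ampersand.
$sample = 'http://example.com/sub/?a=1&b=2';
print_r( demo_compare_url_escaping( $sample ) );

// Check the options that site-info.php writes for the current site.
print_r( demo_find_entity_encoded_options( array( 'siteurl', 'home' ) ) );
```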
Attachments (1)
Change History (5)
#1
11 years ago
get_blogaddress_by_domain() should probably be deprecated once #18242 is resolved, see ticket:18242:14.
#2
11 years ago
Even with #18242, I'm going to commit 25057.diff, because it's definitely correct.
Use esc_url_raw instead of esc_url