Make WordPress Core

Opened 8 years ago

Closed 8 years ago

#26569 closed defect (bug) (fixed)

URLs exported to JavaScript in Customizer settings get double-encoded

Reported by: westonruter
Owned by: ocean90
Milestone: 3.9
Priority: normal
Severity: normal
Version: 3.4
Component: Customize
Keywords: has-patch
Focuses: (none)
Cc: (none)


The Customizer currently fails to load URLs into the preview if they contain multiple query parameters.

For example, to preview in Customizer this URL: http://src.wordpress-develop.dev/?foo=bar&bar=baz

One would navigate to: http://src.wordpress-develop.dev/wp-admin/customize.php?url=http%3A%2F%2Fsrc.wordpress-develop.dev%2F%3Ffoo%3Dbar%26bar%3Dbaz

Upon loading up the customizer, however, you may inspect the wp.customize.settings.url.preview in the browser console and see that its value is: http://src.wordpress-develop.dev/?foo=bar&#038;bar=baz

Notice how the & gets HTML-escaped. This is because customize.php is using esc_url for values being added to an array which is exported to JavaScript via json_encode. Instead of esc_url, the esc_url_raw function should be used.
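The following is an added example, not code from the ticket or from WordPress core. It reproduces the failure with two stand-in escapers (`escUrlLike` and `escUrlRawLike`, both assumptions that model only the one behaviour relevant here: `esc_url()` rewrites `&` to the numeric entity `&#038;`, while `esc_url_raw()` leaves a valid URL untouched), exports the settings the way `json_encode()` would, and then resolves the preview URL with the browser's own URL parser. Because the entity `&#038;` contains a `#`, everything after it is treated as a fragment, so the second query parameter never reaches the server. The `hasHtmlEntity` check and the `exportSettings`/`loadPreview` helpers are also hypothetical names introduced for the example.

```javascript
// Added example, not WordPress code. The two escapers below are stand-ins
// (an assumption about esc_url()/esc_url_raw() behaviour, reduced to the
// single transformation that matters for this ticket).

function escUrlLike(url) {
  // HTML-attribute context: every "&" becomes the numeric entity &#038;
  return url.replace(/&/g, '&#038;');
}

function escUrlRawLike(url) {
  // non-HTML context (database, redirect, JSON): keep the literal "&"
  return url;
}

// Stand-in for customize.php building its settings array and exporting it
// to the page; JSON.stringify() plays the role of PHP's json_encode(), which
// likewise does not touch "&" or "#".
function exportSettings(previewUrl, escaper) {
  const settings = { url: { preview: escaper(previewUrl) } };
  return JSON.stringify(settings);
}

// Stand-in for the Customizer JavaScript: read the exported settings and
// resolve the preview URL the way the browser will when it loads the iframe.
// Returns the query parameters the server would actually receive, plus the
// fragment (which never leaves the browser).
function loadPreview(exportedJson) {
  const settings = JSON.parse(exportedJson);
  const u = new URL(settings.url.preview);
  return {
    query: Object.fromEntries(u.searchParams),
    fragment: u.hash,
  };
}

// Practical check for any URL exported to JavaScript: an HTML entity in it
// means an HTML-context escaper was used where a raw one was needed.
function hasHtmlEntity(url) {
  return /&(?:amp|#0*38|#x0*26);/i.test(url);
}

// Constructed sample input, taken from the ticket's own example URL.
const PREVIEW = 'http://src.wordpress-develop.dev/?foo=bar&bar=baz';

// Run both paths side by side: the esc_url()-style path loses "bar=baz"
// to the fragment, the esc_url_raw()-style path delivers both parameters.
function demo() {
  const broken = loadPreview(exportSettings(PREVIEW, escUrlLike));
  const fixed = loadPreview(exportSettings(PREVIEW, escUrlRawLike));
  return { broken, fixed };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Running the block with `node` prints the two results: the escaped variant yields `{ foo: 'bar' }` with fragment `#038;bar=baz`, the raw variant yields `{ foo: 'bar', bar: 'baz' }` with an empty fragment. The general rule the ticket applies is that the escaper must match the output context: `esc_url()` for an HTML attribute, `esc_url_raw()` for anything that is not HTML, including values that will pass through `json_encode()`.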

Attachments (3)

customize.php.patch (1.1 KB) - added by westonruter 8 years ago.
Use esc_url_raw() instead of esc_url()
26569.diff (1.1 KB) - added by westonruter 8 years ago.
Also use esc_url_raw() for url.allowed. Props ocean90
26569.2.patch (1.9 KB) - added by ocean90 8 years ago.


Change History (8)

8 years ago (attachment customize.php.patch added by westonruter)

Use esc_url_raw() instead of esc_url()

#1 @westonruter
8 years ago

  • Keywords has-patch added

#2 @SergeyBiryukov
8 years ago

  • Milestone changed from Awaiting Review to 3.9

#3 @nacin
8 years ago

  • Owner set to ocean90
  • Status changed from new to assigned

Seems fine to me. Would want to double-check how this URL gets used in JS.

8 years ago

This ticket was mentioned in IRC in #wordpress-dev by ocean90.

8 years ago (attachment 26569.diff added by westonruter)

Also use esc_url_raw() for url.allowed. Props ocean90

8 years ago (attachment 26569.2.patch added by ocean90)

#5 @ocean90
8 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

In 27574:

Customizer: Use esc_url_raw to escape customizer URL settings to prevent double encoding.

props westonruter, ocean90.
fixes #26569.
