WordPress.org

Make WordPress Core

Opened 7 years ago

Closed 5 years ago

Last modified 5 years ago

#26803 closed defect (bug) (wontfix)

get_bloginfo() doesn't sanitize URLs, even when $filter is 'display'

Reported by: jdgrimes Owned by:
Milestone: Priority: normal
Severity: normal Version: 1.5.1.1
Component: Formatting Keywords: 2nd-opinion
Focuses: Cc:

Description

The get_bloginfo() function returns two main types of content: URLs, and everything else. The function has a $filter parameter, and when this is 'display' the returned info is automatically sanitized, by being passed through the 'bloginfo' filter (which by default applies wptexturize(), convert_chars(), and esc_html()). However, the URLs are treated separately (via #1410), and are passed through the 'bloginfo_url' filter instead (as noted by @dd32 here).

In short, the URLs returned by get_bloginfo() are unsanitized (and should be passed through esc_url()) even when the $filter is 'display', as when the info is being directly output by bloginfo().

Related:
#1410
#2643
#16408

Change History (3)

#1 @nacin
7 years ago

  • Component changed from General to Formatting
  • Keywords 2nd-opinion added

I'd be concerned with breaking something, as esc_url() is for preparing a URL for use in an attribute. The URL may not be used in that way. At most we'd do esc_url_raw() but these functions don't exactly return user input.

#2 @jdgrimes
5 years ago

  • Resolution set to wontfix
  • Status changed from new to closed

Closing this since the potential for breakage probably outweighs any benefits.

#3 @DrewAPicture
5 years ago

  • Milestone Awaiting Review deleted
Note: See TracTickets for help on using tickets.