#26803 closed defect (bug) (wontfix)
get_bloginfo() doesn't sanitize URLs, even when $filter is 'display'
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | 1.5.1.1 |
| Component: | Formatting | Keywords: | 2nd-opinion |
| Focuses: | | Cc: | |
Description
The get_bloginfo() function returns two main types of content: URLs, and everything else. The function has a $filter parameter, and when this is 'display' the returned info is automatically sanitized, by being passed through the 'bloginfo' filter (which by default applies wptexturize(), convert_chars(), and esc_html()). However, the URLs are treated separately (via #1410), and are passed through the 'bloginfo_url' filter instead (as noted by @dd32 here).
In short, the URLs returned by get_bloginfo() are unsanitized (and should be passed through esc_url()) even when the $filter is 'display', as when the info is being directly output by bloginfo().
Change History (3)
I'd be concerned with breaking something, as esc_url() is for preparing a URL for use in an attribute. The URL may not be used in that way. At most we'd do esc_url_raw() but these functions don't exactly return user input.
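The practical consequence of the two filter paths described in the ticket, as an added example that is not code from this ticket or from WordPress core: a theme has to escape URL values from get_bloginfo()/bloginfo() itself, and the right escaper depends on where the value ends up. The snippet needs WordPress loaded; get_bloginfo(), bloginfo(), esc_url(), esc_url_raw(), esc_html(), wp_safe_redirect() and add_filter() are core functions, while the 'bloginfo_url' callback and example_redirect_home() are this example's own (hypothetical names).

```php
<?php
/**
 * Added example (not from the ticket or WordPress core). With $filter set to
 * 'display', get_bloginfo() sends URL keys through the 'bloginfo_url' filter,
 * which by default does no escaping, while every other key goes through
 * 'bloginfo' (wptexturize, convert_chars, esc_html). So URLs must be escaped
 * by the caller, for the context they are printed into.
 */

// Optional site-wide backstop, the most the comment above says core could do:
// esc_url_raw() drops disallowed schemes (e.g. javascript:) but performs no
// HTML entity encoding, so it is safe for any context and still leaves
// attribute escaping to the template. The callback is this example's own.
add_filter( 'bloginfo_url', function ( $output, $show ) {
    // $show is the key passed to get_bloginfo(), e.g. 'url' or 'rss2_url'.
    return esc_url_raw( $output );
}, 10, 2 );

// Non-HTML use (a redirect header): keep the raw URL, no entity encoding.
// Hypothetical helper name.
function example_redirect_home() {
    wp_safe_redirect( esc_url_raw( get_bloginfo( 'url', 'display' ) ) );
    exit;
}
?>

<?php // In an attribute: esc_url() is the right escaper; bloginfo( 'url' ) alone is not. ?>
<a href="<?php echo esc_url( get_bloginfo( 'url', 'display' ) ); ?>">
    <?php // 'name' is a non-URL key: already esc_html()'d by the 'bloginfo' filter. ?>
    <?php echo get_bloginfo( 'name', 'display' ); ?>
</a>

<?php // As visible text: the URL is not in an attribute, so HTML-escape it instead. ?>
<p>Site address: <?php echo esc_html( get_bloginfo( 'url', 'display' ) ); ?></p>

<?php // 'rss2_url' contains 'url', so it takes the unescaped 'bloginfo_url' path too. ?>
<link rel="alternate" type="application/rss+xml"
      href="<?php echo esc_url( get_bloginfo( 'rss2_url', 'display' ) ); ?>">
```

The filter hook only narrows the scheme; it does not make `bloginfo( 'url' )` safe to drop into an attribute, which is exactly the distinction the closing comment draws between esc_url() and esc_url_raw(). Escape at the point of output, with the function that matches the context.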