Opened 5 years ago

Closed 4 years ago

#34352 closed defect (bug) (fixed)

Differences in encoding between wp_login_url and wp_logout_url

Reported by: akibjorklund
Owned by: DrewAPicture
Milestone: 4.6
Priority: normal
Severity: normal
Version:
Component: Login and Registration
Keywords: has-patch
Focuses: docs
Cc:

Description

wp_login_url() does return an HTML-encoded URL, because it uses wp_nonce_url(), which calls esc_html().

wp_logout_url(), on the other hand, does return an unencoded URL. You can see that more clearly if you add a second parameter true to the function call, which leads to a second URL parameter being added and in practice to a use of an unencoded ampersand. This is a less common use of the function, so the problem is not seen that often.

Those two functions are often used together, so the inconsistency between them can easily result in using them wrong.

Since it is not feasible to change wp_logout_url() to return encoded URLs, the difference should at the very least be clearly documented in the doc block of both functions.

Attachments (1)

34352.diff (1.9 KB) - added by akibjorklund 5 years ago.

Change History (6)

#1 @johnbillion
5 years ago

  • Keywords needs-docs needs-patch added

Related: #20771

@akibjorklund
5 years ago

#2 @akibjorklund
5 years ago

  • Keywords has-patch added; needs-docs needs-patch removed

#3 @obenland
5 years ago

  • Version trunk deleted

#4 @DrewAPicture
4 years ago

  • Milestone changed from Awaiting Review to 4.6
  • Owner set to DrewAPicture
  • Status changed from new to reviewing

Hi @akibjorklund, thanks for the patch! I'll take a look and let you know if we need anything else here to move this forward :-)

#5 @DrewAPicture
4 years ago

  • Resolution set to fixed
  • Status changed from reviewing to closed

In 37753:

Docs: Clarify documentation for wp_logout_url() and wp_login_url() and corresponding hooks to highlight whether HTML-encoded or un-encoded values should be expected.

The return from wp_logout_url() is HTML-encoded due to its value passing through wp_nonce_url() and thus esc_html(). Adversely wp_login_url() passes through no such escaping and therefore should not be expected to return an HTML-encoded value.

Props akibjorklund for the initial patch.
Fixes #34352.
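
The practical effect of the encoding difference recorded in the commit message above, shown as an added example that is not part of the ticket or of WordPress core. It runs as plain PHP without WordPress: htmlspecialchars() stands in for the esc_html() pass inside wp_nonce_url(), the URLs and the PLACEHOLDER nonce are constructed, and the helper names are hypothetical.

```php
<?php
// Constructed sample URLs (not from a real site); the nonce is a placeholder.
// Stand-in for wp_login_url( $redirect, true ): plain "&" between parameters.
$login_url = 'https://example.test/wp-login.php?redirect_to=%2Fdashboard&reauth=1';

// Stand-in for wp_logout_url( $redirect ): htmlspecialchars() approximates the
// esc_html() pass applied by wp_nonce_url(), so every "&" becomes "&amp;".
$logout_url = htmlspecialchars(
    'https://example.test/wp-login.php?action=logout&redirect_to=%2F&_wpnonce=PLACEHOLDER',
    ENT_QUOTES,
    'UTF-8'
);

/** Return the query parameter names a server would parse out of $url. */
function query_keys(string $url): array
{
    parse_str((string) parse_url($url, PHP_URL_QUERY), $params);
    return array_keys($params);
}

/** Prepare a URL for an HTML attribute; $is_encoded states whether it is already HTML-encoded. */
function for_html_attribute(string $url, bool $is_encoded): string
{
    // Encoding a second time would turn "&amp;" into "&amp;amp;".
    return $is_encoded ? $url : htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
}

/** Prepare a URL for a Location header or any other non-HTML context. */
function for_redirect(string $url, bool $is_encoded): string
{
    // Entities are only meaningful to an HTML parser, so decode them first.
    return $is_encoded ? html_entity_decode($url, ENT_QUOTES, 'UTF-8') : $url;
}

// Encoded URL used raw outside HTML: parameter names keep the entity residue,
// so the nonce no longer arrives under its own name.
print_r(query_keys($logout_url));

// Decoded first: the parameter names parse as intended.
print_r(query_keys(for_redirect($logout_url, true)));

// Attribute output: the un-encoded URL is escaped once, the encoded one is left alone.
echo for_html_attribute($login_url, false), "\n";
echo for_html_attribute($logout_url, true), "\n";
```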