Opened 9 years ago
Last modified 6 years ago
#34407 new defect (bug)
esc_url() cannot handle a relative URL containing a : character (IPv6)
Reported by: | dd32 | Owned by: | |
---|---|---|---|
Milestone: | | Priority: | normal |
Severity: | normal | Version: | |
Component: | Formatting | Keywords: | |
Focuses: | | Cc: | |
Description
Split off from #34202 / #34054
When using a relative URL with `esc_url()` nothing will be returned if the string contains a `:` character, for example, one which occurs within an IPv6 address.

This will output nothing:

```php
<?php echo esc_url( 'edit-comments.php?s=2001:0db8:0000:0000:0000:ff00:0042:8329' );
```

The cause boils down to `wp_kses_bad_protocol()` which through `wp_kses_bad_protocol_once()` assumes anything before `:` in a URL is a protocol.

Relative URLs such as `/edit-comments.php?s=2001:0db8..` succeed as `esc_url()` identifies them as relative, and never calls `wp_kses_bad_protocol()`.
Change History (5)
This ticket was mentioned in Slack in #core by dd32.
9 years ago
#5
8 years ago
Note that this is also broken when trying to escape a URL that contains a port number:

```php
error_log( esc_url( 'http://example.com:8080' ) ); // Outputs http://example.com:8080
error_log( esc_url( 'example.com' ) ); // Outputs http://example.com
error_log( esc_url( 'example.com:8080' ) ); // Outputs an empty string
```

That means that URLs containing no protocol but a port number cannot be sanitized. The only solution for now is to include the protocol.
#34054 was marked as a duplicate.
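
The inputs from the description and from comment 5, classified by where the first colon sits, as an added example (not WordPress core code; the function names and the allowlist are hypothetical). RFC 3986 lets a colon end a scheme only when it comes before the first `/`, `?` or `#`, so the query-string colon is not a protocol, while `example.com:8080` still parses as a scheme-like prefix and is rejected until the protocol is spelled out.

```php
<?php
// Added example, not WordPress core code. Names and allowlist are hypothetical.
// Assumes $url is the raw string, already entity-decoded.
const EXAMPLE_ALLOWED_SCHEMES = array( 'http', 'https', 'mailto' );

/**
 * Return the text before the first ':' when that colon can delimit a scheme,
 * i.e. it comes before any '/', '?' or '#'. Return null for a relative
 * reference, where any colon sits in the path, query or fragment.
 */
function example_scheme_prefix( string $url ): ?string {
	$colon = strpos( $url, ':' );
	if ( false === $colon ) {
		return null;
	}
	// Length of the leading run free of '/', '?' and '#'.
	$first_delim = strcspn( $url, '/?#' );
	if ( $colon > $first_delim ) {
		return null;
	}
	return strtolower( substr( $url, 0, $colon ) );
}

/**
 * Fail closed: any prefix that is not exactly an allowed scheme is rejected,
 * including host:port strings and prefixes with whitespace or control bytes.
 */
function example_classify( string $url ): string {
	$prefix = example_scheme_prefix( $url );
	if ( null === $prefix ) {
		return 'relative';
	}
	return in_array( $prefix, EXAMPLE_ALLOWED_SCHEMES, true ) ? 'allowed' : 'rejected';
}

// Inputs taken from the ticket and its comment.
$samples = array(
	'edit-comments.php?s=2001:0db8:0000:0000:0000:ff00:0042:8329',
	'http://example.com:8080',
	'example.com',
	'example.com:8080',
);
foreach ( $samples as $url ) {
	printf( "%-9s %s\n", example_classify( $url ), $url );
}
```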