Opened 17 years ago
Closed 17 years ago
#4788 closed defect (bug) (fixed)
wp_loginout() / ampersand in URL
Reported by: | raptorNL | Owned by: | |
---|---|---|---|
Milestone: | | Priority: | low |
Severity: | minor | Version: | 2.2.2 |
Component: | General | Keywords: | has-patch |
Focuses: | | Cc: | |
Description
The wp_loginout() function does not escape ampersands with the proper entity in the Logout URL, causing the code to fail W3C (X)HTML validation.
For instance, on my local test blog, it generates the following:
<a href="http://localhost/wp/wp-login.php?action=logout&redirect_to=%2Fhome%2F">Logout</a>
The ampersand between action=logout and redirect_to=%2Fhome%2F should be escaped with &amp;.
Attachments (1)
Change History (9)
#3
@
17 years ago
tmountjr, & should only be converted to &amp; in XHTML contexts. Redirects cannot accept &amp; and neither can querystring-accepting WP functions.
So, this needs to be fixed:
_e('<a href="foo.php?test=blah&foo=bar">foo</a>');
But not this:
wp_redirect('http://foo.com/?test=foo&bar=foo');
And not this:
query_posts('foo=bar&bar=foo');
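The context rule from the comment above, as an added example in plain PHP (not code from this ticket or from WordPress). The host, parameter names and the helper functions `html_link()`, `parsed_keys()` and `location_header()` are constructed for illustration.

```php
<?php
// Added example: plain PHP, no WordPress functions. Host and parameters are constructed.
$url = 'http://example.test/wp-login.php?action=logout&redirect_to=%2Fhome%2F';

// HTML/XHTML attribute context: entity-escape when writing the markup.
function html_link(string $url, string $text): string
{
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">'
        . htmlspecialchars($text, ENT_QUOTES, 'UTF-8') . '</a>';
}

// Query-string context: report the parameter names a parser extracts.
// Splitting on '&' leaves the 'amp;' of an entity attached to the next name.
function parsed_keys(string $query): array
{
    parse_str($query, $args);
    return array_keys($args);
}

// Redirect context: a Location header value is a URL, not markup, so it stays raw.
function location_header(string $url): string
{
    return 'Location: ' . $url;
}

// Correct: escaped only where the URL is embedded in markup.
echo html_link($url, 'Logout'), "\n";

// Raw query string versus one that was entity-escaped too early.
echo implode(', ', parsed_keys('foo=bar&bar=foo')), "\n";
echo implode(', ', parsed_keys('foo=bar&amp;bar=foo')), "\n";

// Raw URL in the header versus an escaped one, which sends the entity verbatim.
echo location_header($url), "\n";
echo location_header(htmlspecialchars($url, ENT_QUOTES, 'UTF-8')), "\n";
```

Escaping belongs at the point where the URL is written into markup; a URL stored or passed around in its raw form can then be reused safely for redirects and query parsing.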
#4
@
17 years ago
- Keywords needs-patch added; has-patch removed
Try looking for bare & within <a href="[here]"
#5
@
17 years ago
So the rule of thumb is, if it's not in a WordPress-specific function, it shouldn't be changed, but if it's a PHP-specific function (or just out there by itself) it should be?
#6
@
17 years ago
- Keywords has-patch added; needs-patch removed
It doesn't look like wp_loginout() actually adds a redirect_to argument - I couldn't duplicate that problem. The only thing that new patch takes care of is a few links in the blogger import routine.
#7
@
17 years ago
Redirects cannot accept &amp; and neither can querystring-accepting WP functions.
That includes the nonce functions it seems: #4785
#8
@
17 years ago
- Milestone 2.6 deleted
- Resolution set to fixed
- Status changed from new to closed
I'm going to close as fixed as the problem doesn't appear to apply to the current wp_loginout() which has probably been changed since the initial report.
The ampersands in blogger.php need their own ticket if it's felt they need fixing.
Seems like there's a bunch of these things in the code - couple dozen, maybe? My regular expressions aren't all that good, but the clunky thing I put together caught a lot of them. I'll tweak the search this afternoon and see if there's anything else I missed.