Make WordPress Core

Opened 13 years ago

Closed 12 years ago

#4788 closed defect (bug) (fixed)

wp_loginout() / ampersand in URL

Reported by: raptorNL Owned by:
Milestone: Priority: low
Severity: minor Version: 2.2.2
Component: General Keywords: has-patch
Focuses: Cc:


The wp_loginout() function does not escape ampersands with the proper entity in the Logout url, failing the code to pass W3C (X)HTML validation.

For instance, on my local test blog, it generates the following:
<a href="http://localhost/wp/wp-login.php?action=logout&redirect_to=%2Fhome%2F">Logout</a>

The ampersand between action=logout and redirect_to=%2Fhome%2F should be escaped with &amp;.

Attachments (1)

ampersands.diff (2.7 KB) - added by tmountjr 13 years ago.
trimmed down escaping

Download all attachments as: .zip

Change History (9)

#1 @tmountjr
13 years ago

Seems like there's a bunch of these things in the code - couple dozen, maybe? My regular expressions aren't all that good, but the clunky thing I put together caught a lot of them. I'll tweak the search this afternoon and see if there's anything else I missed.

#2 @tmountjr
13 years ago

  • Keywords has-patch added

#3 @markjaquith
13 years ago

tmountjr, & should only be converted to &amp; in XHTML contexts. Redirects cannot accept &amp; and neither can querystring-accepting WP functions.

So, this needs to be fixed:

_e('<a href="foo.php?test=blah&foo=bar">foo</a>');

But not this:


And not this:


#4 @markjaquith
13 years ago

  • Keywords needs-patch added; has-patch removed

Try looking for bare & within <a href="[here]"

#5 @tmountjr
13 years ago

So the rule of thumb is, if it's not in a wordpress-specific function, it shouldn't be changed, but if it's a PHP-specific function (or just out there by itself) it should be?

#6 @tmountjr
13 years ago

  • Keywords has-patch added; needs-patch removed

It doesn't look like wp_loginout() actually adds a redirect_to argument - I couldn't duplicate that problem. The only thing that new patch takes care of is a few links in the blogger import routine.

13 years ago

trimmed down escaping

#7 @DD32
13 years ago

Redirects cannot accept &amp; and neither can querystring-accepting WP functions.

That includes the nonce functions it seems: #4785

#8 @pishmishy
12 years ago

  • Milestone 2.6 deleted
  • Resolution set to fixed
  • Status changed from new to closed

I'm going to close as fixed as the problem doesn't appear to apply to the current wp_loginout() which has probably been changed since the initial report.

The ampersands in blogger.php need their own ticket if it's felt they need fixing.

Note: See TracTickets for help on using tickets.