Make WordPress Core

Opened 3 years ago

Closed 3 years ago

#53876 closed enhancement (fixed)

"Un" Deprecate sanitize_url()

Reported by: Ipstenu Owned by: SergeyBiryukov
Milestone: 5.9 Priority: normal
Severity: normal Version:
Component: General Keywords: good-first-bug has-patch
Focuses: coding-standards Cc:

Description

This has been an increasing headache with plugin developers. As we've started cracking down on lack of sanitization and escaping in plugins (looking for the more rare cases), we've run into a situation where developers are justifiably confused and frustrated.

The general rule for people is "Sanitize when you save, escape when you echo" and for the most part WordPress has well-named functions like sanitize_email and so on.

Except for esc_url_raw()

If you go to https://developer.wordpress.org/reference/functions/sanitize_url/ it tells you it’s been deprecated, so when we see it, we have to tell people to stop using it, but logically it’s maddening.

I brought this up in devchat, but it seems like 'un' deprecating, and making sanitize_url() a valid alias, would make things a lot less murky for developers who are trying to do the right thing.

Attachments (1)

53876.patch (1.5 KB) - added by aadilali 3 years ago.


Change History (4)

#1 @SergeyBiryukov
3 years ago

  • Keywords needs-patch good-first-bug added
  • Milestone changed from Awaiting Review to 5.9

@aadilali
3 years ago

#2 @SergeyBiryukov
3 years ago

  • Keywords has-patch added; needs-patch removed

#3 @SergeyBiryukov
3 years ago

  • Owner set to SergeyBiryukov
  • Resolution set to fixed
  • Status changed from new to closed

In 51597:

General: Restore (un-deprecate) the sanitize_url() function.

A general security rule is "Sanitize when you save, escape when you echo", and for the most part WordPress has well-named functions like sanitize_email() and others, with esc_url_raw() being a single exception that does not follow the naming.

This commit restores the previously deprecated sanitize_url() function as a valid alias of esc_url_raw().

This better aligns the naming with other sanitize_*() functions:

  • sanitize_bookmark()
  • sanitize_bookmark_field()
  • sanitize_category()
  • sanitize_category_field()
  • sanitize_comment_cookies()
  • sanitize_email()
  • sanitize_file_name()
  • sanitize_hex_color()
  • sanitize_hex_color_no_hash()
  • sanitize_html_class()
  • sanitize_key()
  • sanitize_meta()
  • sanitize_mime_type()
  • sanitize_option()
  • sanitize_post()
  • sanitize_post_field()
  • sanitize_sql_orderby()
  • sanitize_term()
  • sanitize_term_field()
  • sanitize_text_field()
  • sanitize_textarea_field()
  • sanitize_title()
  • sanitize_title_for_query()
  • sanitize_title_with_dashes()
  • sanitize_trackback_urls()
  • sanitize_user()
  • sanitize_user_field()

Follow-up to [11383], [13096].

Props Ipstenu, aadilali.
Fixes #53876.
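An added example (not code from the ticket or from WordPress core) showing the split the description and the commit message describe: sanitize_url(), as an alias of esc_url_raw(), on the save path and esc_url() on the output path. It assumes WordPress is loaded; the function names, option name, nonce action and field name are hypothetical.

```php
<?php
// Added example, not part of the ticket or of WordPress core.
// Assumes WordPress is loaded; option name, nonce action and field
// name are hypothetical.

// 1. Save path: sanitize_url() (alias of esc_url_raw()) prepares a URL
//    for the database. It strips characters that are not valid in a URL,
//    returns '' for a scheme outside wp_allowed_protocols() (so a
//    "javascript:" value is rejected), but does NOT entity-encode "&",
//    so the stored value is a plain URL usable for redirects and requests.
function example_save_homepage() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'example_save_homepage' );

    $raw = isset( $_POST['example_homepage'] ) ? wp_unslash( $_POST['example_homepage'] ) : '';
    $url = sanitize_url( $raw ); // identical to esc_url_raw( $raw )

    if ( '' === $url ) {
        // Rejected: empty input or a disallowed protocol.
        add_settings_error( 'example_homepage', 'invalid_url', 'Please enter a valid http(s) URL.' );
        return;
    }
    update_option( 'example_homepage', $url );
}

// 2. Output path: esc_url() is the display-context variant. Unlike
//    sanitize_url(), it entity-encodes "&" (as &#038;) and single quotes,
//    so a stored value like https://example.com/?a=1&b=2 is safe inside
//    an HTML attribute.
function example_render_homepage_field() {
    $stored = get_option( 'example_homepage', '' );
    printf(
        '<input type="url" name="example_homepage" value="%s">',
        esc_url( $stored )
    );
}

// 3. Non-HTML use: the stored, un-encoded value goes straight to
//    wp_safe_redirect(), which additionally enforces the allowed-hosts list.
function example_redirect_home() {
    wp_safe_redirect( get_option( 'example_homepage', home_url() ) );
    exit;
}
```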
