Opened 3 years ago
Closed 3 years ago
#53876 closed enhancement (fixed)
"Un" Deprecate sanitize_url()
Reported by: | Ipstenu | Owned by: | SergeyBiryukov |
---|---|---|---|
Milestone: | 5.9 | Priority: | normal |
Severity: | normal | Version: | |
Component: | General | Keywords: | good-first-bug has-patch |
Focuses: | coding-standards | Cc: |
Description
This has been an increasing headache with plugin developers. As we've started cracking down on lack of sanitization and escaping in plugins (looking for the more rare cases), we've run into a situation where developers are justifiably confused and frustrated.
The general rule for people is "Sanitize when you save, escape when you echo" and for the most part WordPress has well-named functions like sanitize_email
and so on.
Except for esc_url_raw()
If you go to https://developer.wordpress.org/reference/functions/sanitize_url/ it tells you it’s been deprecated, so when we see it, we have to tell people to stop using it, but logically it’s maddening.
I brought this up in devchat, but it seems like 'un' deprecating, and making sanitize_url() a valid alias, would make things a lot less murky for developers who are trying to do the right thing.
In 51597: