Make WordPress Core

Opened 2 years ago

Closed 2 years ago

Last modified 2 years ago

#55852 closed enhancement (fixed)

Reverse wrapping of `sanitize_url()` and `esc_url_raw()`.

Reported by: peterwilsoncc's profile peterwilsoncc Owned by: sergeybiryukov's profile SergeyBiryukov
Milestone: 6.1 Priority: normal
Severity: normal Version:
Component: Formatting Keywords: good-first-bug has-patch has-unit-tests add-to-field-guide
Focuses: Cc:

Description

In WordPress 5.9 sanitize_url() was undeprecated as a wrapper for esc_url_raw() as sanitizing functions are generally prefixed sanitize_ but for sanitizing URLs it was prefixed esc_. It was confusing.

As sanitize_url() is to become the recommended function for sanitizing a URL, it ought to be the canonical function call and contain the code currently in esc_url_raw().

This will reduce the number of function calls required when using the recommended technique.

Attachments (4)

55852.diff (1.5 KB) - added by benjgrolleau 2 years ago.
55852-2.diff (1.6 KB) - added by benjgrolleau 2 years ago.
55852-4.diff (19.8 KB) - added by benjgrolleau 2 years ago.
Replace all esc_url_raw with sanitize_url.
55852-5.diff (32.7 KB) - added by benjgrolleau 2 years ago.

Download all attachments as: .zip

Change History (25)

#1 @SergeyBiryukov
2 years ago

  • Keywords needs-patch good-first-bug added
  • Milestone changed from Awaiting Review to 6.1

@benjgrolleau
2 years ago

#2 follow-up: @benjgrolleau
2 years ago

  • Keywords has-patch added; needs-patch removed

Hello !
Just made it. It's my first try to contribute… hope it was the expected result.

I have reversed the two wrappers, and change comments relatives to the functions too.

#3 in reply to: ↑ 2 @SergeyBiryukov
2 years ago

Replying to benjgrolleau:

I have reversed the two wrappers, and change comments relatives to the functions too.

Hi there, thanks for the patch! It looks good to me, I only have two minor suggestions:

  • The new @return tag for esc_url_raw() says:
    @return string The cleaned URL after sanitize_url() is run with the 'db' context.
    
    sanitize_url() does not have a db context, so I think we can either omit that part or leave the original tag as is. Given that the function description also mentions esc_url() and not sanitize_url(), I think keeping the original tag would be preferable.
  • sanitize_url() has this comment in the description:
    This function is an alias for esc_url_raw().
    
    It should be moved to esc_url_raw() and changed to:
    This function is an alias for sanitize_url().
    

@benjgrolleau
2 years ago

#4 @benjgrolleau
2 years ago

Hi Sergey,
I changed what you've noticed. Hope it's well :-)

#5 @SergeyBiryukov
2 years ago

  • Owner set to SergeyBiryukov
  • Status changed from new to reviewing

#6 follow-up: @SergeyBiryukov
2 years ago

Thanks for the refresh, looks better now :) I'll make some more minor documentation edits on commit.

#7 in reply to: ↑ 6 @benjgrolleau
2 years ago

Replying to SergeyBiryukov:

Thanks for the refresh, looks better now :) I'll make some more minor documentation edits on commit.

Nice !
Very glad to be part of WordPress contributors community now. Thank you for your patience, Sergey.

#8 @SergeyBiryukov
2 years ago

In 53452:

Formatting: Make sanitize_url() the recommended function for sanitizing a URL.

A general security rule is "Sanitize when you save, escape when you echo".

In WordPress 5.9, sanitize_url() was un-deprecated in order to better align with the naming of other sanitizing functions, while still being an alias for esc_url_raw().

This commit reverses the order and turns esc_url_raw() into a wrapper for sanitize_url(), making the latter the canonical function call and aiming to improve performance by reducing the number of function calls required when using the recommended technique.

Follow-up to [11383], [13096], [51597].

Props benjgrolleau, peterwilsoncc, SergeyBiryukov.
See #55852.

#9 follow-ups: @SergeyBiryukov
2 years ago

  • Keywords needs-patch added; has-patch removed

Let's also use this ticket to replace all esc_url_raw() calls in core with sanitize_url().

@benjgrolleau Would you be interested in working on a patch for that? :)

#10 in reply to: ↑ 9 @benjgrolleau
2 years ago

Replying to SergeyBiryukov:

Let's also use this ticket to replace all esc_url_raw() calls in core with sanitize_url().

@benjgrolleau Would you be interested in working on a patch for that? :)

Yes I can ! :-)

@benjgrolleau
2 years ago

Replace all esc_url_raw with sanitize_url.

#11 in reply to: ↑ 9 ; follow-up: @benjgrolleau
2 years ago

  • Keywords has-patch added; needs-patch removed

Replying to SergeyBiryukov:

Let's also use this ticket to replace all esc_url_raw() calls in core with sanitize_url().

@benjgrolleau Would you be interested in working on a patch for that? :)

This is done. I've tried to replace comments and deprecated notices too.

#12 in reply to: ↑ 11 @SergeyBiryukov
2 years ago

Replying to benjgrolleau:

This is done. I've tried to replace comments and deprecated notices too.

Looks good, thanks! There are some more instances in the wp-admin and wp-admin/includes/ directories, let's replace them too :)

@benjgrolleau
2 years ago

#13 follow-up: @benjgrolleau
2 years ago

Hey !
I've finished replacing all of them (at least I think).

#14 in reply to: ↑ 13 @SergeyBiryukov
2 years ago

Replying to benjgrolleau:

I've finished replacing all of them (at least I think).

Perfect, thanks! Creating a GitHub PR now just to make sure all the tests pass.

This ticket was mentioned in PR #2765 on WordPress/wordpress-develop by SergeyBiryukov.


2 years ago
#15

  • Keywords has-unit-tests added

#16 follow-up: @SergeyBiryukov
2 years ago

  • Resolution set to fixed
  • Status changed from reviewing to closed

In 53455:

General: Replace all esc_url_raw() calls in core with sanitize_url().

This aims to improve performance by calling sanitize_url() directly, instead of the esc_url_raw() wrapper. As of WordPress 6.1, sanitize_url() is the recommended function for sanitizing a URL for database or redirect usage.

Follow-up to [11383], [13096], [51597], [53452].

Props benjgrolleau, peterwilsoncc, SergeyBiryukov.
Fixes #55852.

#18 in reply to: ↑ 16 ; follow-up: @benjgrolleau
2 years ago

Replying to SergeyBiryukov:

In 53455:

General: Replace all esc_url_raw() calls in core with sanitize_url().

This aims to improve performance by calling sanitize_url() directly, instead of the esc_url_raw() wrapper. As of WordPress 6.1, sanitize_url() is the recommended function for sanitizing a URL for database or redirect usage.

Follow-up to [11383], [13096], [51597], [53452].

Props benjgrolleau, peterwilsoncc, SergeyBiryukov.
Fixes #55852.

Maybe now we need to update the WPCS ?

#19 in reply to: ↑ 18 @SergeyBiryukov
2 years ago

Replying to benjgrolleau:

Maybe now we need to update the WPCS ?

Good point, thanks! Looks like there is already an issue created for that:
https://github.com/WordPress/WordPress-Coding-Standards/issues/2031

This ticket was mentioned in Slack in #core by sergey. View the logs.


2 years ago

#21 @milana_cap
2 years ago

  • Keywords add-to-field-guide added
Note: See TracTickets for help on using tickets.