Make WordPress Core

Opened 18 months ago

Closed 18 months ago

Last modified 18 months ago

#56064 closed enhancement (fixed)

PHPCS issue in wp-admin/include/media.php.

Reported by: smit08 Owned by: SergeyBiryukov
Milestone: 6.1 Priority: normal
Severity: normal Version:
Component: Media Keywords: has-patch commit
Focuses: coding-standards Cc:

Description

The escaping function esc_attr is used instead of esc_url:

$html = '<a href="' . esc_attr( $url ) . '"' . $rel . '>' . $html . '</a>';

Attachments (1)

56064.patch (1.2 KB) - added by smit08 18 months ago.


Change History (6)

@smit08
18 months ago

#1 @mukesh27
18 months ago

  • Focuses coding-standards added
  • Keywords has-patch commit added; needs-patch removed

Hi there!

Thanks for the ticket and patch. 56064.patch makes sense to me, and it's better to check for the correct escape function for URLs.

commit keyword added.

#2 @mukesh27
18 months ago

  • Milestone changed from Awaiting Review to 6.1

#3 @SergeyBiryukov
18 months ago

Hi there, thanks for the patch!

It looks like esc_attr() was used here as of [12051] / #10252, since esc_url() did not work correctly with some accented characters at the time, see #10859.

Since #10859 was fixed in [12199], and esc_url() no longer returns an empty string for the URL listed there in my testing, I think we should indeed be able to use esc_url() here.

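To make the difference between the two escaping functions concrete, here is an added, self-contained illustration. It is not code from the ticket, the patch, or WordPress core: attr_escape_only() and url_escape_for_href() are simplified stand-ins written for this example, not the real esc_attr() and esc_url(), and the sample URLs are constructed. It reuses the markup from the line quoted in the description and shows why attribute escaping alone is the wrong tool for an href value, and that a scheme allow-list does not need to reject accented characters.

```php
<?php
// Added example for this ticket, not code from WordPress core or from 56064.patch.
// attr_escape_only() and url_escape_for_href() are simplified stand-ins written
// for this example; they are NOT WordPress's esc_attr() and esc_url().

// Stand-in for esc_attr(): encodes quotes and angle brackets so the value cannot
// break out of the attribute, but performs no URL validation at all.
function attr_escape_only(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Stand-in for esc_url(): drops URLs whose scheme is not on an allow-list
// (a subset of what WordPress's wp_allowed_protocols() returns), then applies
// the same attribute encoding. An empty string signals rejection, the same
// convention esc_url() uses (see comment #3 above).
function url_escape_for_href(string $url, array $allowed = ['http', 'https', 'mailto']): string
{
    // Remove whitespace and control characters that could disguise a scheme.
    $url = preg_replace('/[\s\x00-\x1F\x7F]/u', '', $url);
    if ($url === null || $url === '') {
        return '';
    }
    // Path-relative and scheme-relative ("//host/...") URLs carry no scheme and
    // are accepted; anything that does carry a scheme must be on the allow-list.
    if (preg_match('/^([a-z][a-z0-9+.-]*):/i', $url, $m)
        && !in_array(strtolower($m[1]), $allowed, true)) {
        return '';
    }
    return htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// The markup from the ticket description, with the escaping function injectable.
function build_link(string $url, string $html, string $rel, callable $escape): string
{
    $href = $escape($url);
    if ($href === '') {
        // The URL was rejected: emit the text without a link rather than href="".
        return $html;
    }
    return '<a href="' . $href . '"' . $rel . '>' . $html . '</a>';
}

// Constructed sample inputs for the demonstration.
$samples = [
    'ordinary'        => 'https://example.com/path?x=1&y=2',
    'accented'        => 'https://example.com/café',
    'embedded quote'  => 'https://example.com/?q="quoted"',
    'unlisted scheme' => 'javascript:void(0)',
];

$rel = ' rel="attachment"';
foreach ($samples as $label => $url) {
    echo $label, PHP_EOL;
    echo '  attribute escaping only: ', build_link($url, 'Link', $rel, 'attr_escape_only'), PHP_EOL;
    echo '  URL escaping for href:   ', build_link($url, 'Link', $rel, 'url_escape_for_href'), PHP_EOL;
}
```

Run it with `php example.php`. The ordinary and accented URLs come out identical under both helpers (the `&` in the query string is encoded as `&amp;` and the accented path is kept, so a scheme check is no reason to return an empty string for such input), and both helpers encode the embedded quotes. The unlisted scheme is where they diverge: attribute escaping passes it through untouched because it is attribute-safe, while the URL helper rejects it and the link is not emitted. That gap is the reason an href value wants esc_url() rather than esc_attr().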

#4 @SergeyBiryukov
18 months ago

  • Owner set to SergeyBiryukov
  • Resolution set to fixed
  • Status changed from new to closed

In 53570:

Media: Use correct escaping function for URLs in some legacy media functions.

This affects:

  • get_image_send_to_editor()
  • image_link_input_fields()

Follow-up to [7092], [7874], [8653], [11109], [11204], [11383], [12051], [12199], [19982].

Props smit08, mukesh27.
Fixes #56064.

#5 @SergeyBiryukov
18 months ago

#56125 was marked as a duplicate.
