Make WordPress Core

Opened 2 years ago

Closed 2 years ago

Last modified 2 years ago

#56064 closed enhancement (fixed)

PHPCS issue in wp-admin/include/media.php .

Reported by: smit08's profile smit08 Owned by: sergeybiryukov's profile SergeyBiryukov
Milestone: 6.1 Priority: normal
Severity: normal Version:
Component: Media Keywords: has-patch commit
Focuses: coding-standards Cc:


Used escaping function esc_attr instead of esc_url.

$html = '<a href="' . esc_attr( $url ) . '"' . $rel . '>' . $html . '</a>';

Attachments (1)

56064.patch (1.2 KB) - added by smit08 2 years ago.

Download all attachments as: .zip

Change History (6)

2 years ago

#1 @mukesh27
2 years ago

  • Focuses coding-standards added
  • Keywords has-patch commit added; needs-patch removed

Hi there!

Thanks for the ticket and patch. The 56064.patch patch makes sense to me and it's better to check the correct escape function for URL's enhancement.

commit keyword added.

#2 @mukesh27
2 years ago

  • Milestone changed from Awaiting Review to 6.1

#3 @SergeyBiryukov
2 years ago

Hi there, thanks for the patch!

It looks like esc_attr() was used here as of [12051] / #10252, since esc_url() did not work correctly with some accented characters at the time, see #10859.

Since #10859 was fixed in [12199], and esc_url() no longer returns an empty string for the URL listed there in my testing, I think we should indeed be able to use esc_url() here.

Last edited 2 years ago by SergeyBiryukov (previous) (diff)

#4 @SergeyBiryukov
2 years ago

  • Owner set to SergeyBiryukov
  • Resolution set to fixed
  • Status changed from new to closed

In 53570:

Media: Use correct escaping function for URLs in some legacy media functions.

This affects:

  • get_image_send_to_editor()
  • image_link_input_fields()

Follow-up to [7092], [7874], [8653], [11109], [11204], [11383], [12051], [12199], [19982].

Props smit08, mukesh27.
Fixes #56064.

#5 @SergeyBiryukov
2 years ago

#56125 was marked as a duplicate.

Note: See TracTickets for help on using tickets.