PHPCS issue in wp-admin/include/media.php .

[smit08]

Used escaping function esc_attr instead of esc_url.

$html = '<a href="' . esc_attr( $url ) . '"' . $rel . '>' . $html . '</a>';

[mukesh27]

Hi there!

Thanks for the ticket and patch. The 56064.patch​ patch makes sense to me and it's better to check the correct escape function for URL's enhancement.

commit keyword added.

[SergeyBiryukov]

Hi there, thanks for the patch!

It looks like esc_attr() was used here as of [12051] / #10252, since esc_url() did not work correctly with some accented characters at the time, see #10859.

Since #10859 was fixed in [12199], and esc_url() no longer returns an empty string for the URL listed there in my testing, I think we should indeed be able to use esc_url() here.

[SergeyBiryukov]

In 53570:

Media: Use correct escaping function for URLs in some legacy media functions.

This affects:

• get_image_send_to_editor()
• image_link_input_fields()

Follow-up to [7092], [7874], [8653], [11109], [11204], [11383], [12051], [12199], [19982].

Props smit08, mukesh27.
Fixes #56064.

[SergeyBiryukov]

#56125 was marked as a duplicate.