Make WordPress Core

#56140 closed defect (bug) (wontfix)

Need to use esc_url escaping function instead of esc_attr.

Reported by: vishitshah's profile vishitshah Owned by:
Milestone: Priority: normal
Severity: normal Version:
Component: Users Keywords: has-patch 2nd-opinion
Focuses: Cc:


Need to use esc_url escaping function instead of esc_attr in user-new.php file.

Attachments (1)

56140.diff (613 bytes) - added by vishitshah 22 months ago.

Download all attachments as: .zip

Change History (5)

22 months ago

#1 follow-up: @audrasjb
22 months ago

  • Component changed from General to Users
  • Keywords 2nd-opinion added
  • Version trunk deleted


I'm not sure about this one. I'm not opposed to this change, but given it's a user generated content, I guess it doesn't hurt if something else than a correct URL is used here (as soon as it can be used as an attribute), and we could break some edge cases/unintended purposes. We only need to make sure that it is correctly escaped for the value attribute, don't we?

#2 @costdev
22 months ago

The docs for esc_url() state:

Always use esc_url when sanitizing URLs (in text nodes, attribute nodes or anywhere else). Ref

This URL is being displayed and is in an attribute node, so esc_url() is appropriate. When submitted, it should go through sanitize_url()* prior to being sent to the database.

*sanitize_url() is the preferred function for sanitizing a URL for the database and redirection as of 6.1 in changeset [53452].

I am unaware of edge cases that may exist. As the field is intended for a URL, I'm having difficulty envisaging an alternative yet valid use case.

#3 in reply to: ↑ 1 @SergeyBiryukov
22 months ago

Replying to audrasjb:

We only need to make sure that it is correctly escaped for the value attribute, don't we?

Yes, I think esc_attr() is correct here. It's not unlikely that someone might want to put "Website: none", "in progress", or something else that's not a valid URL in their profile.

Requiring a valid URL and sanitizing it as such, with appropriate error messages, could be a separate enhancement.

Last edited 22 months ago by SergeyBiryukov (previous) (diff)

#4 @ocean90
22 months ago

  • Milestone Awaiting Review deleted
  • Resolution set to wontfix
  • Status changed from new to closed

I agree that esc_attr() is the proper function here since the primary use case is to escape the value for an attribute, which isn't href, src or similar.

Note: See TracTickets for help on using tickets.