Opened 2 years ago
Closed 2 years ago
#56140 closed defect (bug) (wontfix)
Need to use esc_url escaping function instead of esc_attr.
Reported by: | vishitshah | Owned by: | |
---|---|---|---|
Milestone: | Priority: | normal | |
Severity: | normal | Version: | |
Component: | Users | Keywords: | has-patch 2nd-opinion |
Focuses: | Cc: |
Description
Need to use esc_url escaping function instead of esc_attr in user-new.php file.
Attachments (1)
Change History (5)
#1
follow-up:
↓ 3
@
2 years ago
- Component changed from General to Users
- Keywords 2nd-opinion added
- Version trunk deleted
#2
@
2 years ago
The docs for esc_url()
state:
Always use esc_url when sanitizing URLs (in text nodes, attribute nodes or anywhere else). Ref
This URL is being displayed and is in an attribute node, so esc_url()
is appropriate. When submitted, it should go through sanitize_url()
* prior to being sent to the database.
*sanitize_url()
is the preferred function for sanitizing a URL for the database and redirection as of 6.1 in changeset [53452].
I am unaware of edge cases that may exist. As the field is intended for a URL, I'm having difficulty envisaging an alternative yet valid use case.
#3
in reply to:
↑ 1
@
2 years ago
Replying to audrasjb:
We only need to make sure that it is correctly escaped for the
value
attribute, don't we?
Yes, I think esc_attr()
is correct here. It's not unlikely that some might want to put "Website: none", "in progress", or something else that's not a valid URL in their profile.
Requiring a valid URL and sanitizing it as such, with appropriate error messages, could be a separate enhancement.
Hello,
I'm not sure about this one. I'm not opposed to this change, but given it's a user generated content, I guess it doesn't hurt if something else than a correct URL is used here (as soon as it can be used as an attribute), and we could break some edge cases/unintended purposes. We only need to make sure that it is correctly escaped for the
value
attribute, don't we?