Opened 11 months ago
Last modified 11 months ago
#56160 new enhancement
Deprecate wp_sanitize_redirect
| Reported by: |
|
Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Review | Priority: | normal |
| Severity: | normal | Version: | 2.3 |
| Component: | Security | Keywords: | 2nd-opinion |
| Focuses: | Cc: |
Description
All places that currently use it are better served with esc_url_raw and there seems to be no correct usage of it anywhere (most plugins use it where esc_url_raw should be used instead).
I'm happy to provide a PR, I just need to get some heads up about how the deprecation process works in WP exactly.
Change History (2)
#2
@
11 months ago
WP core uses it only in 3 functions:
- wp_redirect
- wp_safe_redirect
- wp_validate_redirect
https://developer.wordpress.org/reference/functions/esc_url_raw/
States:
The resulting URL is safe to use in database queries, redirects and HTTP requests.
So if esc_url_raw is safe to use in (= sanitize), then there is no need for wp_sanitize_redirect, as esc_url_raw already does this.
If esc_url_raw is NOT safe for sanitizing data in redirects, this needs to be updated in docs to highlight wp_sanitize_redirect has to be used.
Additionally, it's unclear what the difference between the use cases for sanitize_url and wp_sanitize_redirect are?
Hi @malthert, thanks for opening this ticket. I've left a few thoughts below.
[53455] changed
esc_url_raw()calls tosanitize_url()as this is now the recommended function for sanitizing a URL as of WordPress 6.1.For discussion, posterity, and for making committers' lives easier should this get support, could you provide your thoughts on why
esc_url_raw()serves some of these usages better, or where it's more appropriate thanwp_sanitize_redirect()?An impact analysis is an important part of any deprecation. I'll kick it off with some numbers:
sanitize_url_redirect\(.sanitize_url_redirect\(.I've added the
2nd-opinionkeyword to draw attention to this ticket.