Make WordPress Core

Opened 4 months ago

Last modified 4 months ago

#60864 new defect (bug)

URL sanitizing strips valid characters instead of encoding, documented use is invalid

Reported by: kkmuffme
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version:
Component: Security
Keywords: has-patch has-unit-tests
Focuses:
Cc:


  • esc_url and sanitize_url strip characters that don't need to be stripped but can be HTML encoded to make them safe, e.g. "<" causing some URLs to be broken.
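
The difference between stripping and encoding described above, as an added example that is not part of the ticket, the PR or WordPress core. The allow-list pattern is an assumption that models only the character-stripping step of esc_url, and the function names and sample URL are constructed for illustration.

```php
<?php
// Added illustration, not WordPress core code.
// Assumption: this allow-list models only the character-stripping step of
// esc_url(); the real function does more (protocol checks, entity handling).
const DISALLOWED = '|[^a-z0-9-~+_.?#=!&;,/:%@$\|*\'()\[\]\x80-\xff]|i';

// Behaviour as modelled: characters outside the allow-list are dropped.
function strip_model(string $url): string {
    return preg_replace(DISALLOWED, '', $url);
}

// Alternative: keep the URL intact and encode it for the HTML output context.
function html_encode_model(string $url): string {
    return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
}

// Value of one query parameter, as the receiving server would parse it.
function query_value(string $url, string $key): ?string {
    parse_str((string) parse_url($url, PHP_URL_QUERY), $params);
    return $params[$key] ?? null;
}

$url = 'https://example.com/search?q=a<b'; // constructed sample input

$stripped = strip_model($url);
$encoded  = html_encode_model($url);
// What a browser recovers after decoding the attribute value.
$decoded  = html_entity_decode($encoded, ENT_QUOTES, 'UTF-8');

printf("stripped: %s (q=%s)\n", $stripped, query_value($stripped, 'q'));
printf("encoded : %s\n", $encoded);
printf("decoded : %s (q=%s)\n", $decoded, query_value($decoded, 'q'));

// Stripping changes the parameter value; encoding round-trips it while the
// markup itself carries no raw "<".
var_dump(query_value($stripped, 'q') === 'a<b');
var_dump(query_value($decoded, 'q') === 'a<b');
var_dump(strpos($encoded, '<') === false);
```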

Change History (4)

#1 @kkmuffme
4 months ago

#56160 was marked as a duplicate.

This ticket was mentioned in PR #6335 on WordPress/wordpress-develop by @kkmuffme.

4 months ago

  • Keywords has-patch has-unit-tests added

#3 @kkmuffme
4 months ago

Before I fix all the broken tests, I want to gather some feedback on this - the tests are broken because the characters were stripped instead of encoded, which caused some URLs to be invalid, leading to 404s.

This ticket was mentioned in Slack in #core by kkmuffme.

4 months ago