Wrong Escaping functionality in ajax

[rajdiptank111]

Wrong Escaping functionality ajax-actions.php file... missing Escaping functionality is esc_html( $url ).

File Location:- ...\wp-admin\includes\ajax-actions.php file line number 3822.

I have shared the screenshot below...

[rajdiptank111]

Wrong Escaping functionality in ajax

[ankitkumarshah]

Hi @rajdiptank111,

Thank you for bringing this up!

For this case, using esc_html() is appropriate. The URL is being displayed inside a <code> tag as part of an error message, not being used as an actual URL in a link or form action.

If this URL was being used in an href attribute or anywhere where an actual URL is required, then you would want to use esc_url(). But since this is purely for display purposes inside a code tag in an error message, esc_html() is the correct choice here.

[johnbillion]

I concur with the above. Thanks!

[sabernhardt]

[43290] has a good example of when to use each function:

<a href="<?php echo esc_url( $comment_link ); ?>">
	<?php echo esc_html( $comment_link ); ?>
</a>