Opened 17 years ago
Closed 17 years ago
#7386 closed defect (bug) (fixed)
clean_url() shouldn't touch dollar, asterisk or single quote characters
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | 2.7 | Priority: | low |
| Severity: | minor | Version: | 2.6 |
| Component: | Administration | Keywords: | has-patch |
| Focuses: | | Cc: | |
Description
According to http://www.ietf.org/rfc/rfc1738.txt
the special characters "$-_.+!*'()," ... may be used unencoded within a URL.
Attachments (2)
Change History (11)
#2 (in reply to ↑ 1), 17 years ago
Replying to markjaquith:
Leaving single quotes unescaped would be an XSS security vulnerability. I've no objection to the other characters being allowed. Punting this to 2.7
Sanitizing shouldn't be done in URLs; it should be done when the page is printed. I don't see how it would matter. If it needs it, then the URL must always be contained within double quotes. That should negate the XSS vulnerability.
#3 (follow-up ↓ 4), 17 years ago
Sanitizing shouldn't be done in URLs; it should be done when the page is printed.
Most uses of clean_url() are sanitizing URLs for display.
If it needs it, then the URL must always be contained within double quotes. That should negate the XSS vulnerability.
That's a silly thing to require. A href attribute contained within single quotes is valid (X)HTML.
#4 (in reply to ↑ 3), 17 years ago
Replying to markjaquith:
That's a silly thing to require. A href attribute contained within single quotes is valid (X)HTML.
Yes, but invalid if the URL also contains a single quote. Since single quotes are valid in URLs, and it is therefore reasonable that they would be displayed, it should be assumed that any given URL can contain one, and therefore the href should always use double quotes to prevent invalid (X)HTML and XSS attacks.
#5, 17 years ago
Yes, but invalid if the URL also contains a single quote.
So we can HTML-entity-encode single quotes if we're displaying the URL, leave it alone if we're not. Requiring double quotes is simply not an option. I'll make a patch.
#6, 17 years ago
7386.002.diff leaves single quotes alone for non-display contexts and encodes them for the display context. It allows single quotes to be passed in wp_redirect() contexts (i.e. using sanitize_url()), but doesn't allow XSS in the default (display) context.
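To make the two-context approach discussed in this ticket concrete, here is an added example (not WordPress's own clean_url() or the attached patch): a filter that lets the RFC 1738 characters through, and entity-encodes the single quote only in the display context. The function name, the `$context` values and the sample URL are assumptions for this illustration.

```php
<?php
// Added illustration, not WordPress code: a clean_url()-style filter that
// follows the approach described in this ticket. RFC 1738's special
// characters ($-_.+!*'(),) pass through; in the 'display' context the single
// quote is HTML-entity-encoded so it cannot terminate a single-quoted href
// attribute, while the 'db' context (e.g. wp_redirect()) leaves it alone.
// Function name and parameter values are assumptions for this example.
function example_clean_url($url, $context = 'display') {
    // Drop everything outside the characters RFC 1738 allows unencoded
    // (alphanumerics, reserved and safe/extra characters, plus '%' escapes).
    // Spaces and control characters are removed, as in the ticket's sample.
    $url = preg_replace('|[^a-zA-Z0-9$\-_.+!*\'(),;/?:@=&%#~]|', '', $url);
    if ($context === 'display') {
        // Encode only the quote: everything else is already attribute-safe
        // inside either quoting style of an (X)HTML attribute.
        $url = str_replace("'", '&#039;', $url);
    }
    return $url;
}

// Constructed sample input: a legitimate URL that carries single quotes.
$raw = "http://example.com/o'reilly?q=a'b";

// Non-display context keeps the URL byte-for-byte usable for a redirect.
$for_redirect = example_clean_url($raw, 'db');
// http://example.com/o'reilly?q=a'b

// Display context: safe in a single- or double-quoted href attribute.
$for_html = example_clean_url($raw, 'display');
// http://example.com/o&#039;reilly?q=a&#039;b

printf("<a href='%s'>single-quoted attribute stays intact</a>\n", $for_html);
printf("<a href=\"%s\">double-quoted attribute too</a>\n", $for_html);

// The failure mode the thread is about: an unencoded quote placed inside a
// single-quoted attribute ends the attribute value at the first quote, so
// the rest of the URL is parsed as markup rather than as the href value.
$broken = "<a href='" . $for_redirect . "'>";
echo $broken, "\n";
```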
#7 (follow-up ↓ 8), 17 years ago
- Component changed from General to Administration
Links cannot contain high-ASCII/UTF-8 characters like 'åäö' (å, ä and ö); I had to find an IDN equivalent to be able to link to a specific site:
Example: "http://www.senatåg.se/" as "Web Address" and "Sena Tåg" as "Name" comes out as "http://www.senatg.se/", which is not the desired URL.
I'm sorry if this is the wrong place to post this, but I thought this ticket would be a proper place and in context.
#8 (in reply to ↑ 7), 17 years ago
Replying to chrise:
Links cannot contain high-ASCII/UTF-8 characters like 'åäö' (å, ä and ö)
clean_url() rejects high-ASCII characters, but it happily accepts UTF-8 ones:
>>> clean_url('http://баба.com/Ïn thë Gërmän längüägë thërë ärë önly föür Ümläüts: ä, ü, ö, Ä, Ü, Ö')
http://баба.com/ÏnthëGërmänlängüägëthërëärëönlyföürÜmläüts:ä,ü,ö,Ä,Ü,Ö