[wp-trac] [WordPress Trac] #13051: admin_url() and site_url() shouldn't need esc_url()
WordPress Trac
wp-trac at lists.automattic.com
Sat May 8 02:09:02 UTC 2010
#13051: admin_url() and site_url() shouldn't need esc_url()
--------------------------+-------------------------------------------------
Reporter: alexkingorg | Owner: ryan
Type: defect (bug) | Status: new
Priority: normal | Milestone: 3.1
Component: Security | Version: 3.0
Severity: normal | Keywords: needs-patch early
--------------------------+-------------------------------------------------
Comment(by alexkingorg):
Ah, so then we just need to convert &amp; and &#038; to & in the redirect
call.

I see a couple of things happening here.

 1. Attached is a patch to do the replace in {{{wp_sanitize_redirect}}} and
 call {{{wp_sanitize_redirect}}} in {{{wp_nonce_url}}}
 2. I see that the str_replace was already added to wp_nonce_url, but it
 was added before a query arg was added, and it wasn't checking for the
 &#038; version of the encoded & to replace

I think we can get rid of that str_replace and use wp_sanitize_redirect
instead. In the patch I left it in, commented out.

With this patch in place as well as the previous patch I can install
plugins, etc. without nonce errors.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/13051#comment:23>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
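
An added illustration, not part of the ticket or its attached patch, of why a nonce URL that was HTML-escaped for output fails when it is reused as a redirect target, and what decoding the two encodings of "&" restores. The helper names and sample URLs are constructed for this example and are not WordPress core functions.

```php
<?php
// Added illustration; helper names and the sample URLs are constructed,
// not taken from WordPress core or from the patch on the ticket.

/** Query parameters the receiving request would see for $url. */
function query_params(string $url): array
{
    $query = (string) parse_url($url, PHP_URL_QUERY);
    parse_str($query, $params);
    return $params;
}

/** Turn both HTML encodings of "&" named in the ticket back into "&". */
function decode_ampersands(string $url): string
{
    return str_replace(array('&amp;', '&#038;'), '&', $url);
}

$base  = 'http://example.test/wp-admin/update.php?action=install-plugin';
$cases = array(
    'plain &' => $base . '&_wpnonce=abc123',
    '&amp;'   => $base . '&amp;_wpnonce=abc123',   // key arrives as "amp;_wpnonce"
    '&#038;'  => $base . '&#038;_wpnonce=abc123',  // "#" starts the URL fragment
);

foreach ($cases as $label => $url) {
    $raw   = query_params($url);
    $fixed = query_params(decode_ampersands($url));
    printf(
        "%-8s nonce as sent: %-7s after decoding: %s\n",
        $label,
        isset($raw['_wpnonce']) ? 'present' : 'missing',
        isset($fixed['_wpnonce']) ? 'present' : 'missing'
    );
}
```

The escaped form is correct inside an HTML attribute, where the browser decodes it before making the request; a Location header is not HTML, so the entity is sent literally and the nonce parameter never arrives under its expected name.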