[wp-trac] [WordPress Trac] #20771: esc_url() instead of esc_html() in wp_nonce_url()
WordPress Trac
wp-trac at lists.automattic.com
Fri Jun 1 00:44:02 UTC 2012
#20771: esc_url() instead of esc_html() in wp_nonce_url()
---------------------------------+-----------------------------
Reporter: jkudish | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Future Release
Component: Formatting | Version: 3.4
Severity: normal | Resolution:
Keywords: has-patch 3.5-early |
---------------------------------+-----------------------------
Comment (by jkudish):
Replying to [comment:1 SergeyBiryukov]:
> In some cases, `wp_nonce_url()` result is already escaped with
> `esc_url()` on output:
> http://core.trac.wordpress.org/browser/tags/3.3.2/wp-admin/includes/class-wp-ms-sites-list-table.php#L249
> We should probably review all the instances.
We could remove all the uses of `esc_url( wp_nonce_url( ... ) )`, there
isn't anything technically wrong with escaping twice. It's being overly
cautious for sure, but not "wrong".
That being said, the revised attached patch removes all such occurrences.
This got me thinking about something though... Is there a good reason why
other functions that generate URLs (e.g. `admin_url()`, `includes_url()`,
etc...) don't use `esc_url()` in their output?
--
Ticket URL: <http://core.trac.wordpress.org/ticket/20771#comment:2>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
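The two points raised in this comment, that wrapping an already URL-escaped value in `esc_url()` again is harmless, and that a URL-aware escaper does work a generic HTML escaper does not, can be seen in a small stand-alone script. The following is an added illustration, not code from the ticket or from WordPress core: `demo_esc_url()` and `naive_encode()` are constructed stand-ins that mimic only two properties of `esc_url()` (normalising already-encoded ampersands before re-encoding, and rejecting URLs with a scheme outside an allow-list); the sample nonce URL and the allow-list are assumptions.

```php
<?php
// Added example with constructed helpers. These are NOT WordPress functions;
// they mimic two properties of esc_url() relevant to ticket #20771.

// A naive encoder for contrast: encodes '&' every time it is applied, so
// applying it twice to a URL that is already encoded yields '&amp;amp;'.
function naive_encode(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8', true);
}

// Stand-in for esc_url() in display context. Assumption: the real function
// also strips disallowed characters and has a longer scheme allow-list.
function demo_esc_url(string $url): string {
    // Step 1: undo any earlier encoding so a second pass starts from clean input.
    $url = str_replace(['&amp;', '&#038;'], '&', $url);
    $url = str_replace('&#039;', "'", $url);

    // Step 2: reject URLs whose scheme is not on the allow-list (constructed subset).
    $allowed = ['http', 'https', 'mailto'];
    if (preg_match('#^([a-z][a-z0-9+.\-]*):#i', $url, $m)
        && !in_array(strtolower($m[1]), $allowed, true)) {
        return '';
    }

    // Step 3: encode for safe use inside an HTML attribute.
    $url = str_replace('&', '&#038;', $url);
    $url = str_replace("'", '&#039;', $url);
    return $url;
}

function demo(): array {
    // Constructed sample resembling what add_query_arg() returns once a nonce is appended.
    $nonce_url = 'http://example.com/wp-admin/sites.php?action=deleteblog&id=4&_wpnonce=abcdef1234';

    $naive_once  = naive_encode($nonce_url);
    $naive_twice = naive_encode($naive_once);    // '&amp;amp;' -> link breaks
    $url_once    = demo_esc_url($nonce_url);
    $url_twice   = demo_esc_url($url_once);      // identical to $url_once

    return [
        'naive once'       => $naive_once,
        'naive twice'      => $naive_twice,
        'esc_url once'     => $url_once,
        'esc_url twice'    => $url_twice,
        'esc_url stable'   => $url_once === $url_twice,
        // A generic HTML escaper would happily pass this through; a URL escaper drops it.
        'scheme rejected'  => demo_esc_url('javascript:alert(1)') === '',
    ];
}

foreach (demo() as $label => $value) {
    printf("%-16s %s\n", $label, var_export($value, true));
}
```

Run it with `php demo.php`. The `esc_url stable` line is the reason a pattern like `esc_url( wp_nonce_url( ... ) )` is redundant rather than harmful, and the `scheme rejected` line is the behaviour a URL-context escaper adds over `esc_html()`-style entity encoding, which is the motivation for the change proposed in this ticket.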