[wp-trac] [WordPress Trac] #20771: esc_url() instead of esc_html() in wp_nonce_url()

WordPress Trac noreply at wordpress.org
Thu Mar 7 06:56:35 UTC 2013


#20771: esc_url() instead of esc_html() in wp_nonce_url()
-------------------------------------------------+-------------------------
 Reporter:  jkudish                              |       Owner:
     Type:  enhancement                          |  SergeyBiryukov
 Priority:  normal                               |      Status:  reopened
Component:  Formatting                           |   Milestone:  3.6
 Severity:  normal                               |     Version:  3.4
 Keywords:  has-patch dev-feedback 3.6-early     |  Resolution:
  commit                                         |
-------------------------------------------------+-------------------------

Comment (by nacin):

 We should ideally fix add_query_arg() to work for both &amp; and &#038;.
 At a glance, though, I'm not sure I see where add_query_arg() handles the
 former even right now.

 We should also consider just using &amp; in esc_url(). I can't think of a
 particular context where esc_url() may be used (and esc_html() isn't)
 where &amp; is not a recognized entity.

 For now, I agree with revert. I have considered this change more than
 once, and each time, avoided it as something would break.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/20771#comment:9>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software

