[wp-trac] [WordPress Trac] #24417: get_the_post_format_url() should not escape data
WordPress Trac
noreply at wordpress.org
Thu May 30 23:14:24 UTC 2013
#24417: get_the_post_format_url() should not escape data
--------------------------+----------------------
Reporter: tollmanz | Owner:
Type: defect (bug) | Status: closed
Priority: normal | Milestone:
Component: Post Formats | Version: trunk
Severity: normal | Resolution: wontfix
Keywords: has-patch |
--------------------------+----------------------
Comment (by jeremyfelt):
Agreed that it is on the developer to escape data as late as possible both
for security and for general code readability and confidence.
If I want a way to echo the URL to the front end without manipulating the
data, I know I can use `the_post_format_url()` to do so.
If I want to manipulate the URL in any way before outputting it, I should
be able to use `get_the_post_format_url()`. Once I take on that
responsibility, it's up to me to escape on output.
At some level, I can see the included `esc_url_raw()` providing a false
sense of security to a developer that should instead be thinking of this
as they are working. For output to the front end, we should be using
`esc_url()`. The current state makes for plenty of use cases where
`esc_url()` will be run almost immediately after `esc_url_raw()`,
duplicating a lot of effort.
As a smaller point, valid characters can be stripped from the URL and
having access to the raw data would be nice in those rare scenarios.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/24417#comment:7>
WordPress Trac <http://core.trac.wordpress.org/>
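The escape-late pattern the comment argues for, as an added PHP illustration that is not code from the ticket's patch or from WordPress core. It assumes WordPress is loaded (a theme template inside The Loop) and that `get_the_post_format_url()` hands back the stored value unescaped, as the ticket requests; `add_query_arg()`, `esc_url()`, `esc_url_raw()` and `esc_html()` are real core functions.

```php
<?php
// Added example of escaping as late as possible. Assumes WordPress is loaded
// and that the getter returns raw stored data (the behaviour this ticket asks for).

// 1. Retrieve the raw value. The point of a get_* helper is to let the caller
//    manipulate the data before deciding how and where it will be output.
$raw_url = get_the_post_format_url();

// 2. Manipulate the raw string. add_query_arg() operates on an unescaped URL;
//    if the getter had already HTML-encoded '&', this step would corrupt it.
$tracked_url = add_query_arg( 'ref', 'post-format', $raw_url );

// 3. Escape exactly once, at the echo site, with the escaper for that context.
//    esc_url() encodes '&' as '&#038;' so the value is safe in an href attribute,
//    and the visible link text gets esc_html() because that is a different context.
printf(
    '<a href="%s">%s</a>',
    esc_url( $tracked_url ),
    esc_html( $tracked_url )
);

// Why a built-in esc_url_raw() in the getter gives a false sense of security:
// esc_url_raw() prepares a URL for storage or a redirect and does NOT entity-encode,
// so a caller still has to run esc_url() before echoing into markup. Doing both back
// to back is the duplicated effort the comment describes, and the first call can
// already have stripped characters the caller wanted to keep.
$for_storage = esc_url_raw( 'http://example.com/?a=1&b=2' ); // constructed sample value
$for_markup  = esc_url( $for_storage );
// $for_storage keeps the literal '&'; $for_markup carries '&#038;' in its place.
```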