[wp-trac] [WordPress Trac] #16859: esc_url eats square brackets.

WordPress Trac noreply at wordpress.org
Thu Feb 20 23:21:52 UTC 2014


#16859: esc_url eats square brackets.
------------------------------------+-----------------------------
 Reporter:  f00f                    |       Owner:  westi
     Type:  defect (bug)            |      Status:  accepted
 Priority:  normal                  |   Milestone:  Future Release
Component:  Formatting              |     Version:  3.1
 Severity:  major                   |  Resolution:
 Keywords:  has-patch dev-feedback  |     Focuses:
------------------------------------+-----------------------------

Comment (by gcorne):

 I spent some time looking into this issue as well as #15936. When
 sanitizing, validating, and escaping URLs, it seems that the most robust
 solution is to break the url into its components, sanitize, and then
 rebuild. [attachment:16859-03.2.patch 16859-03.2.patch] does this by
 leveraging {{{parse_url}}} and then reconstructing the url after
 sanitizing by following the pseudocode in RFC3986. By breaking the url
 into its components, we can also easily add other rules. The solution
 addresses issues with IPv6 literals by allowing {{{[}}} and {{{]}}} in the
 host component and encodes brackets in the {{{path}}}, {{{query}}}, and
 {{{fragment}}} segments. It feels a little funny doing this encoding here
 because it seems to me that the url encoding is something that should be
 happening elsewhere, but since right now the brackets do not function as
 delimiters outside the host, I think it is okay. All existing tests pass
 with this solution.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/16859#comment:27>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
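
The parse, sanitize and rebuild approach described in the comment above, as an added example; it is not the code from 16859-03.2.patch and not WordPress core code. The function names are hypothetical, the sample URLs are constructed, and validating a bracketed host as an IPv6 literal is an assumption of this example that goes beyond what the comment states.

```php
<?php
// Added illustration: split with parse_url(), sanitize each component,
// then recompose in the order given by RFC 3986 section 5.3.

// Percent-encode square brackets (used for path, query and fragment).
function example_encode_brackets(string $s): string {
    return str_replace(['[', ']'], ['%5B', '%5D'], $s);
}

function example_rebuild_url(string $url) {
    $p = parse_url($url);
    if ($p === false) {
        return false; // seriously malformed URL: reject instead of guessing
    }
    // Assumption of this example: brackets survive in the host only when
    // they wrap a valid IPv6 literal, e.g. [2001:db8::1].
    if (isset($p['host']) && strpbrk($p['host'], '[]') !== false) {
        $inner = substr($p['host'], 1, -1);
        if ($p['host'][0] !== '[' || substr($p['host'], -1) !== ']'
            || filter_var($inner, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) === false) {
            return false;
        }
    }
    $out = '';
    if (isset($p['scheme'])) {
        $out .= $p['scheme'] . ':';
    }
    if (isset($p['host'])) { // authority = [userinfo "@"] host [":" port]
        $out .= '//';
        if (isset($p['user'])) {
            $out .= $p['user'] . (isset($p['pass']) ? ':' . $p['pass'] : '') . '@';
        }
        $out .= $p['host'] . (isset($p['port']) ? ':' . $p['port'] : '');
    }
    // Outside the host, brackets are data, so they are percent-encoded.
    $out .= example_encode_brackets($p['path'] ?? '');
    if (isset($p['query'])) {
        $out .= '?' . example_encode_brackets($p['query']);
    }
    if (isset($p['fragment'])) {
        $out .= '#' . example_encode_brackets($p['fragment']);
    }
    return $out;
}

// Constructed sample inputs: an IPv6 host, and PHP-style array parameters.
foreach (['http://[2001:db8::1]:8080/a[1]/?ids[]=5#sec[2]',
          'http://example.com/?filter[tag]=x'] as $u) {
    echo example_rebuild_url($u), "\n";
}
```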