[wp-trac] [WordPress Trac] #31080: GUID should not always be escaped for url in feeds
WordPress Trac
noreply at wordpress.org
Mon Apr 20 20:54:21 UTC 2015
#31080: GUID should not always be escaped for url in feeds
------------------------------+--------------------------
Reporter: CheeseDurger        | Owner: stevenkword
Type: enhancement             | Status: closed
Priority: normal              | Milestone: 4.2
Component: Feeds              | Version: trunk
Severity: normal              | Resolution: fixed
Keywords: has-patch commit    | Focuses: template
------------------------------+--------------------------
Comment (by nacin):
I'll also add this was done as defense in depth. As in, we now sanitize
GUIDs on save, and also added escaping in case it was exploited before
update. In that case, we could ''hypothetically'' remove the escaping
years after the fact. But that wouldn't actually fix anything, as the
GUIDs would still go through `esc_url_raw()` on save, and might in certain
contexts still need to go through `esc_url()` on display. This is because
they are often used directly as URLs for historical reasons.
This change at least allows for someone to unhook all of it, both save and
display.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/31080#comment:21>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform