[wp-trac] [WordPress Trac] #39145: custom-background URL escaped
WordPress Trac
noreply at wordpress.org
Thu Dec 8 08:53:54 UTC 2016
#39145: custom-background URL escaped
--------------------------+-----------------------------
Reporter: futtta | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: 4.7.1
Component: Customize | Version: 4.7
Severity: normal | Resolution:
Keywords: has-patch | Focuses: administration
--------------------------+-----------------------------
Comment (by tyxla):
> we should add double quotes to surround the esc_url() call
We '''can''' add them, but I don't think we '''should'''. First, the
surrounding quotes are totally optional (see
https://www.w3.org/TR/CSS21/syndata.html#uri for more information), and
second, most of the usages in the core CSS don't include the quotes.
So we're perfectly fine without adding the quotes at all. But if you
insist on adding them, I think it's much better to add them to the URL
manually instead of using a more complex function that unnecessarily does
more things and checks on the string.
> I'm not totally sure that esc_url() will work for URLs that have
> characters that get encoded as entities.
You're right about this one, but having ampersands in these URLs is a
super edge case (at this time it can only be achieved by hacking into the
media upload functionality), and I think `esc_url()` is our best bet in
that case. We can always use `esc_url_raw()`, but it's not as safe when
displaying the URL (and that's what we're essentially doing).
--
Ticket URL: <https://core.trac.wordpress.org/ticket/39145#comment:6>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
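
The CSS 2.1 rule linked in the comment above (section 4.3.4), worked through as an added example that is not part of the original message or of WordPress core. The function names and sample URLs are constructed for illustration; the code decides when a URL can be emitted as an unquoted `url()` and falls back to the quoted form otherwise.

```php
<?php
// Added illustration: hypothetical helpers, not WordPress core functions.

/**
 * CSS 2.1 section 4.3.4: in an unquoted url(), parentheses, white space,
 * single quotes and double quotes must be backslash-escaped. Backslash is
 * included here because it starts a CSS escape sequence.
 */
function css_unquoted_url_needs_escape(string $url): bool {
    return preg_match('/[()\s\'"\\\\]/', $url) === 1;
}

/**
 * Build a CSS url() value. Emits the unquoted form when the URL contains
 * none of the characters above, otherwise a double-quoted CSS string.
 */
function css_url_value(string $url): string {
    // Control characters would need hex escapes; reject instead of guessing.
    if (preg_match('/[\x00-\x1f\x7f]/', $url) === 1) {
        throw new InvalidArgumentException('control character in URL');
    }
    if (!css_unquoted_url_needs_escape($url)) {
        return 'url(' . $url . ')';
    }
    // Inside a quoted CSS string only backslash and the quote need escaping.
    $escaped = str_replace(['\\', '"'], ['\\\\', '\\"'], $url);
    return 'url("' . $escaped . '")';
}

// Constructed sample inputs (example.test is a reserved test domain).
$samples = [
    'https://example.test/wp-content/uploads/bg.png',
    'https://example.test/wp-content/uploads/bg (1).png',
    // Raw ampersand: legal in an unquoted url().
    'https://example.test/bg.png?w=1&h=2',
    // Entity-encoded ampersand: still a valid unquoted token, but CSS itself
    // never decodes HTML entities, so the URL only resolves as intended if
    // the surrounding HTML context decodes the entity first.
    'https://example.test/bg.png?w=1&#038;h=2',
];

foreach ($samples as $url) {
    printf(
        "%-52s %s\n",
        $url,
        css_url_value($url)
    );
}
```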