[wp-trac] [WordPress Trac] #36033: 'kses_allowed_protocols' filter is not really filterable.

WordPress Trac noreply at wordpress.org
Wed Mar 2 06:18:16 UTC 2016


#36033: 'kses_allowed_protocols' filter is not really filterable.
--------------------------+-----------------------------
 Reporter:  turtlepod     |       Owner:
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  Future Release
Component:  Security      |     Version:  4.4.2
 Severity:  normal        |  Resolution:
 Keywords:  has-patch     |     Focuses:
--------------------------+-----------------------------

Comment (by turtlepod):

 Replying to [comment:1 SergeyBiryukov]:
 > Previously brought up in comment:18:ticket:18268.

 Thanks for the link.

 > This was done (in [31104]) for performance reasons, as running
 `apply_filters()` on each `esc_url()` call would be a performance hit.

 '''I don't think there's going to be any performance hit'''.

 If you have the time, please explain further and maybe share results of
 testing (?). Did anyone actually test this?

 I'm sure you already know that "apply_filters()" is already/also running
 on every "esc_url()" call (?) so, removing it will improve the code?

 https://developer.wordpress.org/reference/functions/esc_url/ (line 3460)

 {{{
     /**
      * Filter a string cleaned and escaped for output as a URL.
      *
      * @since 2.3.0
      *
      * @param string $good_protocol_url The cleaned URL to be returned.
      * @param string $original_url      The URL prior to cleaning.
      * @param string $_context          If 'display', replace ampersands and single quotes only.
      */
     return apply_filters( 'clean_url', $good_protocol_url, $original_url, $_context );
 }}}


 > We can't remove the static variable entirely, but we could probably use
 the approach from [31104]. If `esc_url()` was called before
 `plugins_loaded`, it will not prevent plugins from filtering the value on
 `plugins_loaded` or `init`. See [attachment:36033.patch].

 Correct me if I'm wrong, but the only reason we use static is so the filter
 will only be loaded once.
 I would suggest removing the static (?)
 However, using "did_action( 'wp_loaded' )" might solve this for most cases.
 (Not sure how much performance gain there is from this workaround.)

--
Ticket URL: <https://core.trac.wordpress.org/ticket/36033#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
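
The caching behaviour this ticket is about, as an added example that is not part of the ticket, the attached patch, or WordPress core: a filter registered after the first call is silently ignored when the result is cached in a static, so a plugin that narrows the protocol allow-list has no effect. The hook functions are minimal stand-ins, `protocols_cached_once()` and `protocols_until_loaded()` are hypothetical names, and the three-entry protocol list is a constructed sample.

```php
<?php
// Added illustration: minimal stand-ins for the WordPress hook API (not core code).
$filters = array(); // hook name => callbacks
$fired   = array(); // action name => true once fired

function add_filter( $hook, $cb ) { global $filters; $filters[ $hook ][] = $cb; }
function apply_filters( $hook, $value ) {
    global $filters;
    foreach ( $filters[ $hook ] ?? array() as $cb ) {
        $value = $cb( $value );
    }
    return $value;
}
function do_action( $hook ) { global $fired; $fired[ $hook ] = true; }
function did_action( $hook ) { global $fired; return isset( $fired[ $hook ] ); }

// Reported pattern: the filter runs on the first call only, then the result is cached.
function protocols_cached_once() {
    static $protocols = null;
    if ( null === $protocols ) {
        $protocols = apply_filters( 'kses_allowed_protocols', array( 'http', 'https', 'ftp' ) );
    }
    return $protocols;
}

// Sketch of the did_action( 'wp_loaded' ) idea: re-run the filter until wp_loaded fires.
function protocols_until_loaded() {
    static $protocols = array( 'http', 'https', 'ftp' );
    if ( ! did_action( 'wp_loaded' ) ) {
        $protocols = array_unique( (array) apply_filters( 'kses_allowed_protocols', $protocols ) );
    }
    return $protocols;
}

// Constructed scenario: something escapes a URL before any plugin has hooked in.
protocols_cached_once();
protocols_until_loaded();

// A plugin then narrows the allow-list by removing ftp.
add_filter( 'kses_allowed_protocols', function ( $protocols ) {
    return array_values( array_diff( $protocols, array( 'ftp' ) ) );
} );

echo 'cached once, after plugin hook: ', implode( ',', protocols_cached_once() ), "\n";
echo 'until wp_loaded, after plugin hook: ', implode( ',', protocols_until_loaded() ), "\n";

do_action( 'wp_loaded' );
echo 'until wp_loaded, after wp_loaded: ', implode( ',', protocols_until_loaded() ), "\n";
```

In the second variant the filter is only picked up if the function is called at least once between the plugin registering its callback and `wp_loaded` firing; after that the list is frozen.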

