[wp-trac] [WordPress Trac] #20771: esc_url() instead of esc_html() in wp_nonce_url()

WordPress Trac noreply at wordpress.org
Tue Jun 13 22:05:19 UTC 2017


#20771: esc_url() instead of esc_html() in wp_nonce_url()
------------------------------------------+-----------------------------
 Reporter:  jkudish                       |       Owner:  johnbillion
     Type:  enhancement                   |      Status:  accepted
 Priority:  normal                        |   Milestone:  Future Release
Component:  Formatting                    |     Version:  3.4
 Severity:  normal                        |  Resolution:
 Keywords:  needs-unit-tests needs-patch  |     Focuses:
------------------------------------------+-----------------------------

Comment (by johnjamesjacoby):

 > I think `esc_url` doing HTML escaping is a bit dumb

 I agree with this statement – I just ran into this again working on a
 plugin.

 Core is surprisingly consistent as to how it wraps `wp_nonce_url()` in
 `esc_url()`; there are only a handful of places where the `&`
 replacement in `wp_nonce_url()` is actually necessary.

 [https://core.trac.wordpress.org/browser/trunk/src/wp-admin/users.php#L161 users.php#L161]
 is an old-school @nacin top 40 classic for the ages, according to the
 Casey Kasem revision history.

 Otherwise, as dumb as it looks, it's working OK.

 `wp_nonce_url()` does seem, to me, like it's a function that doesn't know
 if it should `echo` or `return`, and so it escapes but doesn't output
 anything, which I don't like (at least use `_get_` in the name.)

 ----

 I think if anyone runs into this in the future and wants direction, my
 preferred approach would be to:

 * Introduce a new function that doesn't escape, doesn't swap the `&`,
 and handles only the adding of the query nonce to a URL
 * Use this new function all across everything where `wp_nonce_url()` is
 currently used
 * Replace query-string URL patterns with arrays using `add_query_arg()` –
 this is a lot of code
 * Somehow convince everyone this is actually worth doing compared to
 leaving it be

 TL;DR - I think this can be closed either as wontfix or maybelater.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/20771#comment:20>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
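The non-escaping helper the comment proposes, written out as an added PHP example; this is not WordPress core code and not the commenter's, and `nonce_query_url()`, the sample URL and the sample nonce value are hypothetical. It only appends the nonce to the query string and leaves escaping to the caller at output time.

```php
<?php
// Hypothetical helper in the spirit of the comment above (illustrative code,
// not WordPress core): append a nonce to the query string and nothing else.
// No esc_html(), no '&amp;' -> '&' swap; escaping is done once, by the caller,
// at output time (esc_url() in WordPress).
function nonce_query_url( string $url, string $nonce, string $name = '_wpnonce' ): string {
    $parts = parse_url( $url );
    if ( false === $parts ) {
        throw new InvalidArgumentException( "Unparseable URL: $url" );
    }

    // Merge the nonce into any existing query arguments; an existing argument
    // of the same name is overwritten, as add_query_arg() would do.
    $args = array();
    if ( isset( $parts['query'] ) ) {
        parse_str( $parts['query'], $args );
    }
    $args[ $name ] = $nonce;

    // Rebuild scheme://host:port/path?query#fragment with a plain '&' separator.
    $out = '';
    if ( isset( $parts['scheme'], $parts['host'] ) ) {
        $out .= $parts['scheme'] . '://' . $parts['host'];
        if ( isset( $parts['port'] ) ) {
            $out .= ':' . $parts['port'];
        }
    }
    $out .= $parts['path'] ?? '';
    $out .= '?' . http_build_query( $args, '', '&', PHP_QUERY_RFC3986 );
    if ( isset( $parts['fragment'] ) ) {
        $out .= '#' . $parts['fragment'];
    }
    return $out;
}

// Constructed sample values; in WordPress the nonce comes from wp_create_nonce().
$url = nonce_query_url( 'https://example.com/wp-admin/users.php?action=delete&user=42#top', 'c2a5e1f0d3' );

// The function returns a raw URL: the query separator is a literal '&'.
echo $url, "\n";

// Escape exactly once, where the URL is written into HTML (esc_url() in
// WordPress; htmlspecialchars() stands in for it in this offline example).
echo '<a href="', htmlspecialchars( $url, ENT_QUOTES ), '">Delete user</a>', "\n";
```

Relative admin URLs such as `users.php?action=delete` work the same way, since `parse_url()` yields only a path and query for them.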