[wp-trac] [WordPress Trac] #60864: URL sanitizing strips valid characters instead of encoding, documented use is invalid
WordPress Trac
noreply at wordpress.org
Sat Mar 30 01:36:07 UTC 2024
#60864: URL sanitizing strips valid characters instead of encoding, documented use is invalid
--------------------------+-----------------------------
 Reporter:  kkmuffme       |      Owner:  (none)
     Type:  defect (bug)   |     Status:  new
 Priority:  normal         |  Milestone:  Awaiting Review
Component:  Security       |    Version:
 Severity:  normal         |   Keywords:
  Focuses:                 |
--------------------------+-----------------------------
- wp_sanitize_redirect creates a different URL instead of correctly percent-encoding, e.g. for URLs that contain "<" - follow-up to https://core.trac.wordpress.org/ticket/31486 where this was partially fixed
- sanitize_url is documented to sanitize for redirect usage, but the URI is not valid for redirects since it's not percent-encoded - follow-up to https://core.trac.wordpress.org/ticket/56160
- esc_url and sanitize_url strip characters that don't need to be stripped but can be HTML encoded to make them safe, e.g. "<", causing some URLs to be broken.
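The contrast the ticket draws, stripping versus percent-encoding, shown as an added example (this is illustrative code, not WordPress core and not the reporter's code). The character class is my reading of what RFC 3986 permits literally; `URL_DISALLOWED_PATTERN`, the two function names and the sample URL are assumptions made for the example:

```php
<?php
// Added example, not WordPress core code. Contrasts the two ways of handling a
// character such as "<" in a redirect target: stripping it (which changes the
// URL) versus percent-encoding it (which keeps the meaning and yields a
// syntactically valid URI reference).

// Bytes RFC 3986 allows literally: unreserved, gen-delims and sub-delims, plus
// "%" only when it begins a valid pct-encoded triplet. Everything else is
// matched by this pattern.
const URL_DISALLOWED_PATTERN =
    '/%(?![0-9A-Fa-f]{2})|[^A-Za-z0-9\-._~:\/?#\[\]@!$&\'()*+,;=%]/';

// Strategy 1 (what the ticket objects to): drop every disallowed byte.
function strip_disallowed_url_chars( string $url ): string {
    return preg_replace( URL_DISALLOWED_PATTERN, '', $url );
}

// Strategy 2: percent-encode each disallowed byte so the value survives intact.
// Already valid "%XX" triplets are not touched, so encoding is idempotent.
function percent_encode_disallowed_url_chars( string $url ): string {
    return preg_replace_callback(
        URL_DISALLOWED_PATTERN,
        static fn( array $m ): string => rawurlencode( $m[0] ),
        $url
    );
}

// Constructed sample: a query value that legitimately contains "<", ">" and a
// space, plus an already-encoded "%20" that must be left alone.
$input = 'https://example.com/search?q=<b>bold</b>&page=1 of%202';

$stripped = strip_disallowed_url_chars( $input );
$encoded  = percent_encode_disallowed_url_chars( $input );

printf( "stripped: %s\n", $stripped );
printf( "encoded:  %s\n", $encoded );

// Only the encoded form decodes to the same value the caller started with;
// the stripped form has silently changed the query value.
var_dump( rawurldecode( $encoded ) === rawurldecode( $input ) );
var_dump( rawurldecode( $stripped ) === rawurldecode( $input ) );
```

Because the percent-encoded output no longer contains `<`, `>`, `"` or whitespace, it can be placed in a Location header as-is, and the only character an HTML attribute escaper still has to deal with is `&`, which is the separation of concerns the ticket is asking for between redirect sanitizing and HTML escaping.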
--
Ticket URL: <https://core.trac.wordpress.org/ticket/60864>
WordPress Trac <https://core.trac.wordpress.org/>