[wp-trac] [WordPress Trac] #4785: wp_nonce_url and &
WordPress Trac
wp-trac at lists.automattic.com
Tue Aug 21 02:14:14 GMT 2007
#4785: wp_nonce_url and &
----------------------------+-----------------------------------------------
Reporter: DD32 | Owner: anonymous
Type: defect | Status: new
Priority: normal | Milestone: 2.4 (future)
Component: Administration | Version:
Severity: normal | Keywords:
----------------------------+-----------------------------------------------
I've noticed several places through the source code where &amp; is used
within URLs to make them XHTML compatible, I assume.
However, after just noncing my URLs for a plugin, I've noticed that &amp;
doesn't seem to work correctly in a link, yet is used by WP in places, e.g.:
{{{
$activate_link = wp_nonce_url(
    "themes.php?action=activate&amp;template=$template&amp;stylesheet=$stylesheet",
    'switch-theme_' . $template
);
}}}
results in this:
{{{
themes.php?action=activate&amp&template=TEST_TEMPLATE&stylesheet=TEST_SHEET&_wpnonce=d1abcfcd17
}}}
Which is then interpreted as this (at least in Opera):
{{{
http://localhost/themes.php?action=activate&&template=TEST_TEMPLATE&stylesheet=TEST_SHEET&_wpnonce=d1abcfcd17
}}}
notice this: ?action=activate'''&&'''template
Is it expected behaviour that wp_nonce_url should only accept a string
like "page.php?a=b&c=d", or should it also be supporting
"page.php?a=b&amp;c=d" (which it currently mucks up)?
The problem seems to be how add_query_arg() adds arguments. It ignores
the fact that &amp; is an argument separator; instead, it reads &amp as
one value, and then recognises the ; as the separator for the next value,
then when it gets run through wp_specialchars() we end up with & being
replaced with &amp;
--
Ticket URL: <http://trac.wordpress.org/ticket/4785>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
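
The double-escaping described in the ticket, as an added illustration that is not part of the original report and is not WordPress's own code. The helpers `naive_link`, `safe_link` and `server_sees`, the sample URL and the nonce value are hypothetical; the sketch assumes the only pre-escaped entity in the input is `&amp;`.

```php
<?php
// Added illustration; the function names below are hypothetical, not WordPress APIs.

// Naive: appends to the string as given, then escapes the whole URL for HTML.
// Input that already contains "&amp;" is escaped a second time ("&amp;amp;").
function naive_link(string $url, string $key, string $value): string {
    $sep = (strpos($url, '?') === false) ? '?' : '&';
    return htmlspecialchars($url . $sep . $key . '=' . rawurlencode($value), ENT_QUOTES);
}

// Hardened: normalise to a raw URL, rebuild the query, escape exactly once.
function safe_link(string $url, string $key, string $value): string {
    $raw = str_replace('&amp;', '&', $url);          // accept either input form
    [$base, $query] = array_pad(explode('?', $raw, 2), 2, '');
    parse_str($query, $args);                        // split on the real separator
    $args[$key] = $value;
    $rebuilt = $base . '?' . http_build_query($args, '', '&');
    return htmlspecialchars($rebuilt, ENT_QUOTES);   // single escape at output time
}

// Parameter names the server receives once the browser has decoded the
// href attribute a single time, as an HTML parser does.
function server_sees(string $href_attr): array {
    $url = html_entity_decode($href_attr, ENT_QUOTES);
    parse_str((string) parse_url($url, PHP_URL_QUERY), $args);
    return array_keys($args);
}

// Constructed sample input in the pre-escaped form the ticket describes.
$input = 'themes.php?action=activate&amp;template=TEST_TEMPLATE';
$nonce = 'PLACEHOLDER_NONCE'; // constructed value, not a real nonce

foreach (['naive_link', 'safe_link'] as $fn) {
    $href = $fn($input, '_wpnonce', $nonce);
    echo $fn, ': ', $href, "\n";
    echo '  parameter names on the server: ', implode(', ', server_sees($href)), "\n";
}
```

With the naive helper the `template` parameter never reaches the server under its own name, so an action handler that reads it alongside the nonce sees it as missing.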