[wp-trac] [WordPress Trac] #13051: admin_url() and site_url() shouldn't need esc_url()
WordPress Trac
wp-trac at lists.automattic.com
Mon Apr 19 16:57:13 UTC 2010
#13051: admin_url() and site_url() shouldn't need esc_url()
----------------------------+-----------------------------------------------
Reporter: alexkingorg | Owner:
Type: defect (bug) | Status: new
Priority: high | Milestone: 3.0
Component: Administration | Version: 3.0
Severity: major | Keywords:
----------------------------+-----------------------------------------------
I noticed that the 3.0 codeline includes the addition of esc_url() around
admin_url() like:
esc_url(admin_url());
I believe that admin_url() and site_url() should be "safe" functions to
use and should not need escaping. Perhaps they should call esc_url()
internally?
I cannot think of a viable reason to allow unsafe results from admin_url()
and site_url(), though perhaps there are some internationalization edge
cases that I'm not aware of.
If you really need raw access to an unsafe value in wp_options, you can
use get_option() to get to it.
Another issue to consider here is input validation and stripping before
saving to these fields.
If this is approved in principle, I'd be happy to produce a diff against
the current code base.
I think this is very important to address before 3.0 is released as it has
a significant impact on theme and plugin developers.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/13051>
WordPress Trac <http://core.trac.wordpress.org/>
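The escaping question raised in the ticket, shown as an added example that is not WordPress core code and not the reporter's patch. The `get_option()`, `site_url()`, `admin_url()` and `esc_url()` functions below are simplified stand-ins written here so the file runs without WordPress; the tampered `siteurl` value is a constructed sample, and `safe_admin_url()` is a hypothetical name for the "escape internally" behaviour the ticket proposes.

```php
<?php
// Added illustration for ticket #13051: why a raw admin_url() needs esc_url()
// when echoed into markup, and what an internally escaping variant looks like.
// All four wp_* style functions are simplified stand-ins, not WordPress's own.

// Stand-in for get_option(): the 'siteurl' option has been tampered with
// (constructed sample, e.g. a broken settings form or a compromised DB row)
// and contains characters that would terminate an HTML attribute.
function get_option($name) {
    $options = array(
        'siteurl' => 'http://example.com/"><b>tampered</b>', // constructed
    );
    return isset($options[$name]) ? $options[$name] : false;
}

// Stand-in for site_url(): returns the raw option value plus a path,
// which is the "unsafe result" the ticket is worried about.
function site_url($path = '') {
    return rtrim(get_option('siteurl'), '/') . '/' . ltrim($path, '/');
}

// Stand-in for admin_url(): site_url() under wp-admin/.
function admin_url($path = '') {
    return site_url('wp-admin/' . ltrim($path, '/'));
}

// Simplified stand-in for esc_url(): only http(s) is accepted here, and
// quote, angle-bracket and ampersand characters are entity-encoded so the
// value cannot break out of the attribute it is placed in.
function esc_url($url) {
    $url = trim($url);
    if ($url === '' || !preg_match('#^https?://#i', $url)) {
        return '';
    }
    return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
}

// Hypothetical variant implementing the ticket's proposal: the URL helper
// escapes its own output, so callers cannot forget to.
function safe_admin_url($path = '') {
    return esc_url(admin_url($path));
}

// Builds the kind of markup a theme or plugin typically emits.
function admin_link($href, $label) {
    return '<a href="' . $href . '">' . $label . '</a>';
}

// Rough structural check: a well-formed link has exactly one opening <a>
// and one closing </a>; a broken-out attribute injects extra tags.
function link_is_intact($html) {
    return substr_count($html, '<') === 2 && substr_count($html, '>') === 2;
}

$raw     = admin_link(admin_url('options-general.php'), 'Settings');
$escaped = admin_link(esc_url(admin_url('options-general.php')), 'Settings');
$safe    = admin_link(safe_admin_url('options-general.php'), 'Settings');

echo "raw:     $raw\n";
echo "         intact=" . var_export(link_is_intact($raw), true) . "\n";
echo "escaped: $escaped\n";
echo "         intact=" . var_export(link_is_intact($escaped), true) . "\n";
echo "safe:    $safe\n";
echo "         intact=" . var_export(link_is_intact($safe), true) . "\n";
```

Running this with `php` prints the raw link with the tampered option value splitting the `href` attribute and inserting a `<b>` element, while both the `esc_url()`-wrapped call and `safe_admin_url()` keep the attribute intact; `link_is_intact()` reports `false` for the first and `true` for the other two. Whether the escaping lives at the call site or inside the helper, the defensive point is the same: a value read from `wp_options` is output-escaped for the context it lands in, and code that genuinely needs the raw value reads it through `get_option()` as the ticket suggests.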