[wp-trac] [WordPress Trac] #13051: admin_url() and site_url() shouldn't need esc_url()

WordPress Trac wp-trac at lists.automattic.com
Mon Apr 19 16:57:13 UTC 2010


#13051: admin_url() and site_url() shouldn't need esc_url()
----------------------------+-----------------------------------------------
 Reporter:  alexkingorg     |       Owner:     
     Type:  defect (bug)    |      Status:  new
 Priority:  high            |   Milestone:  3.0
Component:  Administration  |     Version:  3.0
 Severity:  major           |    Keywords:     
----------------------------+-----------------------------------------------
 I noticed that the 3.0 codeline includes the addition of esc_url() around
 admin_url() like:

 esc_url(admin_url());

 I believe that admin_url() and site_url() should be "safe" functions to
 use and should not need escaping. Perhaps they should call esc_url()
 internally?

 I cannot think of a viable reason to allow unsafe results from admin_url()
 and site_url(), though perhaps there are some internationalization edge
 cases that I'm not aware of.

 If you really need raw access to an unsafe value in wp_options, you can
 use get_option() to get to it.

 Another issue to consider here is input validation and stripping before
 saving to these fields.

 If this is approved in principle, I'd be happy to produce a diff against
 the current code base.

 I think this is very important to address before 3.0 is released as it has
 a significant impact on theme and plugin developers.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/13051>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
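The ticket's concern, as an added example that is not code from the ticket or from WordPress core: a PHP script with hypothetical stand-ins (demo_get_option, demo_site_url_raw, demo_site_url, demo_esc_url, demo_validate_siteurl_on_save) for get_option(), site_url() and esc_url(), run against a constructed option value. It shows why an unescaped option value breaks out of an href attribute, what "escape internally" rather than at every call site looks like, and the save-time validation the reporter also raises. demo_esc_url is a simplified approximation of the real esc_url(), not its implementation.

```php
<?php
// Added example, not WordPress core code. Demonstrates why a URL pulled from
// a stored option must be escaped before it lands in an HTML attribute, and
// what "escape internally" versus "escape at the call site" looks like.

// Constructed stand-in for the wp_options table. The 'siteurl' value is the
// kind of payload an attacker with option-write access (or a hostile import)
// might store; a real install would hold a plain URL here.
$demo_options = [
    'siteurl' => 'http://example.com/" onmouseover="alert(1)',
];

// Hypothetical stand-in for get_option(): raw, unescaped access.
function demo_get_option(string $name, array $options): string
{
    return $options[$name] ?? '';
}

// Hypothetical stand-in for site_url() as of the ticket: concatenates and
// returns the raw value. Nothing here makes the output attribute-safe.
function demo_site_url_raw(string $path, array $options): string
{
    return rtrim(demo_get_option('siteurl', $options), '/') . '/' . ltrim($path, '/');
}

// Simplified approximation of what esc_url() does (not the real function):
// reject schemes outside an allow-list, then HTML-encode the characters that
// can break out of a quoted attribute.
function demo_esc_url(string $url): string
{
    $url = trim($url);
    if ($url === '') {
        return '';
    }
    $allowed = ['http', 'https', 'mailto'];
    $scheme  = parse_url($url, PHP_URL_SCHEME);
    if ($scheme !== null && !in_array(strtolower($scheme), $allowed, true)) {
        return ''; // javascript:, data:, vbscript: and friends are dropped
    }
    return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
}

// The change the ticket asks for: the URL helper escapes its own return value,
// so every caller gets an attribute-safe string without remembering esc_url().
function demo_site_url(string $path, array $options): string
{
    return demo_esc_url(demo_site_url_raw($path, $options));
}

// The second point in the ticket: reject bad values before they reach the
// option table at all, so the stored value is clean regardless of output.
// Returns the cleaned URL, or null when the candidate must be refused.
function demo_validate_siteurl_on_save(string $candidate): ?string
{
    $candidate = trim($candidate);
    $parts = parse_url($candidate);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    // Anything that would need escaping inside an attribute has no business
    // in a stored site URL.
    if (preg_match('/["\'<>\s]/', $candidate)) {
        return null;
    }
    return $candidate;
}

// Unescaped: the stored quote closes the href and injects an event handler.
echo '<a href="' . demo_site_url_raw('wp-admin/', $demo_options) . '">admin</a>' . PHP_EOL;
// Escaped at the call site (3.0 pattern) or internally (proposed): quotes become entities.
echo '<a href="' . demo_site_url('wp-admin/', $demo_options) . '">admin</a>' . PHP_EOL;
// Save-time validation rejects the payload outright and accepts a plain URL.
var_dump(demo_validate_siteurl_on_save($demo_options['siteurl']));
var_dump(demo_validate_siteurl_on_save('https://example.com'));
```

Run with `php example.php`. The first echo emits a live onmouseover handler, the second emits `&quot;` where the payload tried to close the attribute. Escaping inside the helper and validating on save are complementary: the former protects every existing call site, the latter keeps the raw get_option() path from ever returning a value that could only be used safely after escaping.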