[wp-trac] [WordPress Trac] #13051: admin_url() and site_url() shouldn't need esc_url()
WordPress Trac
wp-trac at lists.automattic.com
Fri Apr 23 04:54:21 UTC 2010
#13051: admin_url() and site_url() shouldn't need esc_url()
--------------------------+-------------------------------------------------
 Reporter:  alexkingorg   |      Owner:  ryan
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  3.0
Component:  Security      |    Version:  3.0
 Severity:  normal        |   Keywords:  2nd-opinion
--------------------------+-------------------------------------------------
Changes (by alexkingorg):
* owner: => ryan
* type: enhancement => defect (bug)
* component: Formatting => Security
Comment:
I don't see how passing a sanitized URL to the wp_nonce_url function hurts
anything.
The issue I'm trying to raise here is that the results of the built-in
*_url() functions should be safe to use in attributes without additional
escaping.
Every plugin and theme I can think of offhand already treats the functions
this way, and the WP admin code did as well prior to 3.0. Rather than
requiring all plugins and themes to add additional wrapper functions, I
think that the wrapper functions added in wp-admin in 3.0 should be
removed and the output of the *_url() functions should be made safe to use
without them.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/13051#comment:5>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software