[wp-trac] [WordPress Trac] #19414: Filter 'kses_allowed_protocols' is only applied once in function wp_allowed_protocols() & function esc_url() returns empty string;

WordPress Trac wp-trac at lists.automattic.com
Fri Dec 2 15:43:45 UTC 2011


#19414: Filter 'kses_allowed_protocols' is only applied once in function
wp_allowed_protocols()  & function esc_url() returns empty string;
--------------------------+------------------------------
 Reporter:  Anatta        |       Owner:
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  Awaiting Review
Component:  Security      |     Version:  3.3
 Severity:  major         |  Resolution:
 Keywords:  close         |
--------------------------+------------------------------
Changes (by duck_):

 * keywords:   => close


Comment:

 First off, you can easily fix this by using the second argument,
 $protocols, of esc_url() in your call to it. This allows you to completely
 bypass wp_allowed_protocols().

 {{{
 esc_url( $url, array( 'javascript' ) )
 }}}

 The single call to apply_filters() was intentional, see #18268, for
 performance reasons. Also, it was impossible to filter the array of
 allowed protocols in esc_url() prior to 3.3 anyway, so no regression in
 your specific use case.

 P.S. depending on your code you might want to look into esc_js() and not
 just esc_url().

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/19414#comment:3>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
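
The behaviour discussed in this comment, as a stand-alone PHP model added for illustration; it is not WordPress core code and not code from the ticket. The `model_*` functions, the abbreviated default protocol list and the `sip:` URL are assumptions constructed for the example.

```php
<?php
// Simplified model (assumption): a minimal filter registry standing in for
// add_filter()/apply_filters(). Not WordPress core code.
$model_filters = array(); // hook name => list of callbacks

function model_add_filter( $hook, $callback ) {
	global $model_filters;
	$model_filters[ $hook ][] = $callback;
}

function model_apply_filters( $hook, $value ) {
	global $model_filters;
	foreach ( $model_filters[ $hook ] ?? array() as $callback ) {
		$value = $callback( $value );
	}
	return $value;
}

// Models the single apply_filters() call described in the comment: the
// filter runs on the first call only and the result is cached in a static.
function model_allowed_protocols() {
	static $protocols = null;
	if ( null === $protocols ) {
		// Abbreviated default list, constructed for this example.
		$protocols = model_apply_filters( 'kses_allowed_protocols', array( 'http', 'https', 'mailto' ) );
	}
	return $protocols;
}

// Models only the scheme check: returns '' when the scheme is not allowed.
// An explicit $protocols argument skips the cached list entirely.
function model_esc_url( $url, $protocols = null ) {
	$allowed = ( null === $protocols ) ? model_allowed_protocols() : $protocols;
	$scheme  = strtolower( (string) strstr( $url, ':', true ) );
	return in_array( $scheme, $allowed, true ) ? $url : '';
}

$url = 'sip:alice@example.test'; // constructed sample URL

// Any early call fills the cache before the filter below is registered.
var_dump( model_esc_url( 'https://example.test/' ) );

model_add_filter( 'kses_allowed_protocols', function ( $p ) { $p[] = 'sip'; return $p; } );

var_dump( model_esc_url( $url ) );                 // filter was registered too late to apply
var_dump( model_esc_url( $url, array( 'sip' ) ) ); // per-call allowlist, scoped to this call site
```

The per-call allowlist widens the accepted schemes for one call site only, while a filter on `kses_allowed_protocols` changes the list for every caller that relies on the default.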

