[wp-trac] [WordPress Trac] #19414: Filter 'kses_allowed_protocols' is only applied once in function wp_allowed_protocols() & function esc_url() returns empty string;
WordPress Trac
wp-trac at lists.automattic.com
Fri Dec 2 15:43:45 UTC 2011
#19414: Filter 'kses_allowed_protocols' is only applied once in function
wp_allowed_protocols() & function esc_url() returns empty string;
--------------------------+------------------------------
Reporter: Anatta | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: 3.3
Severity: major | Resolution:
Keywords: close |
--------------------------+------------------------------
Changes (by duck_):
* keywords: => close
Comment:
First off you can easily fix this by using the second argument,
$protocols, of esc_url() in your call to it. This allows you to completely
bypass wp_allowed_protocols().
{{{
esc_url( $url, array( 'javascript' ) )
}}}
The single call to apply_filters() was intentional, see #18268, for
performance reasons. Also, it was impossible to filter the array of
allowed protocols in esc_url() prior to 3.3 anyway, so no regression in
your specific use case.
P.S. depending on your code you might want to look into esc_js() and not
just esc_url().
--
Ticket URL: <http://core.trac.wordpress.org/ticket/19414#comment:3>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
More information about the wp-trac
mailing list