[wp-trac] [WordPress Trac] #21974: esc_url() doesn't allow protocol-relative URLs with colons
WordPress Trac
noreply at wordpress.org
Wed Apr 10 17:18:27 UTC 2013
#21974: esc_url() doesn't allow protocol-relative URLs with colons
----------------------------+------------------
 Reporter:  SergeyBiryukov  |       Owner:
     Type:  defect (bug)    |      Status:  new
 Priority:  normal          |   Milestone:  3.6
Component:  Formatting      |     Version:
 Severity:  normal          |  Resolution:
 Keywords:  has-patch       |
----------------------------+------------------
Changes (by SergeyBiryukov):
* milestone: Future Release => 3.6
Comment:
Replying to [comment:3 nacin]:
> Technically, a colon is a "reserved" character which means outside of
> its official use, it must be encoded.
An encoded colon (`&#58;` or `&#x3a;`) doesn't work either.
`wp_kses_bad_protocol_once()` splits by any of those values:
http://core.trac.wordpress.org/browser/tags/3.5.1/wp-includes/kses.php#L1053
And `esc_url()` still returns an empty string.
I guess we shouldn't call `wp_kses_bad_protocol()` at all for a relative
URL. Refreshed the patch.
[attachment:21974.2.patch] just fixes the issue.
[attachment:21974.3.patch] also skips the `strtolower()` check, which is
redundant in this case.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/21974#comment:6>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
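
The behaviour discussed in this comment, as an added example that is not part of the original message and is not WordPress core code: a simplified PHP model of a scheme check that splits at the first colon, next to the idea of skipping that check for relative URLs. The function names, the allowed-scheme list, the split pattern (a literal colon plus its decimal and hex character references) and the sample URLs are assumptions made for illustration.

```php
<?php
// Simplified model for illustration only; none of this is WordPress code.
const ALLOWED_SCHEMES = ['http', 'https', 'ftp', 'mailto']; // assumed list

// Cut the URL at the first colon (literal or entity-encoded) and treat
// everything to the left of it as the scheme.
function model_strip_bad_scheme(string $url): string {
    $parts = preg_split('/:|&#0*58;|&#x0*3a;/i', $url, 2);
    if (!isset($parts[1])) {
        return $url;                 // no colon, so no scheme to validate
    }
    if (in_array(strtolower($parts[0]), ALLOWED_SCHEMES, true)) {
        return $url;                 // known scheme, URL is left unchanged
    }
    return $parts[1];                // unknown "scheme" is stripped
}

// Before: every URL goes through the scheme check, and any change made
// by the check causes the whole URL to be rejected.
function model_esc_url_before(string $url): string {
    $clean = model_strip_bad_scheme($url);
    return strtolower($clean) === strtolower($url) ? $url : '';
}

// After: skip the scheme check for relative URLs. "Relative" is decided
// by a leading "/" only; no scheme can begin with that character, so a
// value such as "javascript:..." still reaches the check.
function model_esc_url_after(string $url): string {
    if ($url !== '' && $url[0] === '/') {
        return $url;
    }
    return model_esc_url_before($url);
}

// Constructed sample inputs.
$samples = [
    'http://example.com/a:b',
    '//example.com/a:b',
    '//example.com/a&#58;b',
    '/local/path:1',
    'javascript:alert(1)',
];
foreach ($samples as $u) {
    printf("%-24s before=%-26s after=%s\n", $u,
        var_export(model_esc_url_before($u), true),
        var_export(model_esc_url_after($u), true));
}
```

In this model the skip is safe only because the relative-URL test is a strict first-character test; a looser test (for example "contains a slash before the colon") would let scheme-bearing values bypass the check.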