[wp-trac] [WordPress Trac] #23266: Replace esc_attr() with esc_url() for form action URLs
WordPress Trac
noreply at wordpress.org
Tue Jan 22 21:49:15 UTC 2013
#23266: Replace esc_attr() with esc_url() for form action URLs
----------------------------+------------------
Reporter: SergeyBiryukov | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: 3.6
Component: Formatting | Version:
Severity: normal | Resolution:
Keywords: has-patch |
----------------------------+------------------
Changes (by DrewAPicture):

* cc: DrewAPicture (added)

Comment:

+1. Probably wouldn't hurt to rope in some of the others that don't use
escaping at all such as in several Multisite files and all over the place
really.

I could only find a few instances where `esc_url()` was used in
conjunction with `admin_url()`, `self_admin_url()`, `site_url()` and the
like. Not sure if it's even needed.

Here's an ack of the files/lines lacking escaping or misusing `esc_attr()`
as already covered in @SergeyBiryukov's patch:
https://gist.github.com/4598774
--
Ticket URL: <http://core.trac.wordpress.org/ticket/23266#comment:2>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
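
The search the comment describes (form actions that lack escaping or use `esc_attr()` instead of `esc_url()`) can be approximated with a short audit script. This is an added example, not the ack command or the gist from the ticket: the names `classify_action` and `audit`, the regular expressions and the sample template are constructed for illustration, and only single-line `<form>` tags are handled.

```python
import re

# Single-line <form ... action=...> attributes whose value starts with a PHP echo.
ACTION_RE = re.compile(
    r"""<form\b.*?\baction\s*=\s*["']?\s*<\?(?:php\s+echo\b|=)\s*(?P<expr>.*?)\s*;?\s*\?>""",
    re.IGNORECASE,
)
# Outermost call of the echoed expression, e.g. esc_attr( admin_url( ... ) ).
OUTER_CALL_RE = re.compile(r"^(?P<fn>[A-Za-z_]\w*)\s*\(")


def classify_action(line):
    """Return 'esc_url', 'esc_attr', 'unescaped', or None if no dynamic action."""
    m = ACTION_RE.search(line)
    if not m:
        return None  # no form tag, or a static action such as "options.php"
    outer = OUTER_CALL_RE.match(m.group("expr"))
    fn = outer.group("fn").lower() if outer else ""
    if fn in ("esc_url", "esc_attr"):
        return fn
    return "unescaped"  # bare variable, or a URL helper echoed without escaping


def audit(source):
    """List (line_number, verdict) for form actions not wrapped in esc_url()."""
    findings = []
    for number, line in enumerate(source.splitlines(), start=1):
        verdict = classify_action(line)
        if verdict in ("esc_attr", "unescaped"):
            findings.append((number, verdict))
    return findings


# Constructed sample template, not taken from WordPress core.
SAMPLE = """\
<form method="post" action="<?php echo esc_url( admin_url( 'options.php' ) ); ?>">
<form method="post" action="<?php echo esc_attr( admin_url( 'options.php' ) ); ?>">
<form method="get" action="<?php echo self_admin_url( 'sites.php' ); ?>">
<form method="post" action="options.php">
<form action="<?php echo $form_action; ?>" method="post">
"""

if __name__ == "__main__":
    for number, verdict in audit(SAMPLE):
        print(f"line {number}: {verdict}")
```
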