[wp-trac] [WordPress Trac] #24416: get_content_url() should not escape data
WordPress Trac
noreply at wordpress.org
Sat May 25 04:08:50 UTC 2013
#24416: get_content_url() should not escape data
--------------------------+-----------------------------
Reporter: tollmanz | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Post Formats | Version: trunk
Severity: normal | Keywords:
--------------------------+-----------------------------
In `get_content_url()`, the URL is escaped with `esc_url_raw()`. In core,
the function is used three times:

 * It is used twice in `post_formats_compat()`. The returned value is
   escaped with `esc_url()` after both uses.
 * It is used in `get_the_post_format_url()` as a last fallback to get a
   URL for a post. While the other URLs that are returned are escaped with
   `esc_url_raw()`, this is likely an incorrect use of `esc_url_raw()` as
   this function is probably not commonly used for saving the data to the
   database.

`get_content_url()` should not escape data and instead place the
responsibility of escaping on the code that calls the function. This
allows it to be escaped specifically for the context in which the function
is used. Additionally, given that this is more of a "template tag", it
should probably not be using `esc_url_raw()` in the first place.

I think it would be best to assume that `get_content_url()` returns the
rawest data and functions calling it can clean it further.

--
Ticket URL: <http://core.trac.wordpress.org/ticket/24416>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
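
An added example (not part of the ticket and not WordPress core code) of the pattern the ticket asks for: a getter that returns the raw URL and callers that escape for their own context. The `demo_*` functions are hypothetical, the sample content is constructed, and the `esc_url_raw()` / `esc_url()` definitions inside the `function_exists` guard are simplified stand-ins so the file runs outside WordPress.

```php
<?php
// Stand-ins so this runs outside WordPress (assumption: simplified models of
// esc_url_raw() and esc_url(); inside WordPress the real functions are used).
if ( ! function_exists( 'esc_url_raw' ) ) {
    function esc_url_raw( $url ) {
        // Strip characters that are not allowed in a URL; no protocol checks here.
        return preg_replace( '/[^a-z0-9\-~+_.?#=!&;,\/:%@$|*\'()\[\]]/i', '', trim( $url ) );
    }
    function esc_url( $url ) {
        // Display context: additionally entity-encode "&" and "'".
        return str_replace( array( '&', "'" ), array( '&#038;', '&#039;' ), esc_url_raw( $url ) );
    }
}

// Hypothetical getter: returns the first href found in the content, unescaped.
function demo_get_raw_content_url( $content ) {
    if ( preg_match( '/<a\s[^>]*?href=(["\'])(.+?)\1/is', $content, $m ) ) {
        return html_entity_decode( $m[2], ENT_QUOTES );
    }
    return '';
}

// Caller 1: storage context, so the caller picks esc_url_raw().
function demo_url_for_storage( $content ) {
    return esc_url_raw( demo_get_raw_content_url( $content ) );
}

// Caller 2: HTML output context, so the caller picks esc_url().
function demo_link_html( $content ) {
    return "<a href='" . esc_url( demo_get_raw_content_url( $content ) ) . "'>link</a>";
}

// Constructed sample content: a query string containing "&" and an encoded "'".
$content = '<p><a href="http://example.com/?a=1&amp;b=it&#039;s">x</a></p>';

echo demo_url_for_storage( $content ), "\n";
echo demo_link_html( $content ), "\n";
// Reusing the storage-escaped value in markup: the "'" closes the attribute early.
echo "<a href='" . demo_url_for_storage( $content ) . "'>link</a>", "\n";
```

The last line shows why a value escaped once inside the getter for the storage context cannot be trusted in a template: only the caller knows which escaping function matches the place the URL ends up.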