[wp-trac] [WordPress Trac] #24416: get_content_url() should not escape data

WordPress Trac noreply at wordpress.org
Sat May 25 04:08:50 UTC 2013


#24416: get_content_url() should not escape data
--------------------------+-----------------------------
 Reporter:  tollmanz      |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  Post Formats  |    Version:  trunk
 Severity:  normal        |   Keywords:
--------------------------+-----------------------------
 In `get_content_url()`, the URL is escaped with `esc_url_raw()`. In core,
 the function is used three times:

 * It is used twice in `post_formats_compat()`. The returned value is
 escaped with `esc_url()` after both uses.
 * It is used in `get_the_post_format_url()` as a last fallback to get a
 URL for a post. While the other URLs that are returned are escaped with
 `esc_url_raw()`, this is likely an incorrect use of `esc_url_raw()` as
 this function is probably not commonly used for saving the data to the
 database.

 `get_content_url()` should not escape data and instead place the
 responsibility of escaping on the code that calls the function. This
 allows it to be escaped specifically for the context in which the function
 is used. Additionally, given that this is more of a "template tag", it
 should probably not be using `esc_url_raw()` in the first place.

 I think it would be best to assume that `get_content_url()` returns the
 rawest data and functions calling it can clean it further.

--
Ticket URL: <http://core.trac.wordpress.org/ticket/24416>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
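
The caller-side escaping the ticket argues for, as an added example that is not part of the original ticket and is not WordPress core code. It assumes WordPress is loaded (for instance, the file belongs to a plugin); the `example_*` functions and the `_example_url` meta key are hypothetical, while `esc_url()`, `esc_url_raw()`, `esc_html()` and `update_post_meta()` are existing WordPress functions.

```php
<?php
// Added example, not WordPress core code. Assumes WordPress is loaded.
// All example_* names and the '_example_url' meta key are hypothetical.

// Hypothetical raw getter: returns the first http(s) URL found in the
// content exactly as written, with no escaping, as the ticket proposes.
function example_first_url_raw( $content ) {
	if ( preg_match( '#https?://[^\s"\'<>]+#i', $content, $match ) ) {
		return $match[0];
	}
	return '';
}

// Display context: esc_url() rejects disallowed protocols and encodes the
// URL for HTML, so "&" in a query string is emitted as "&#038;".
function example_link_html( $content ) {
	$raw  = example_first_url_raw( $content );
	$href = esc_url( $raw );
	if ( '' === $href ) {
		return ''; // Nothing usable: emit no link at all.
	}
	// The link text is a different context from the href, so it gets
	// its own escaping function applied to the raw value.
	return sprintf( '<a href="%s">%s</a>', $href, esc_html( $raw ) );
}

// Storage context: esc_url_raw() applies the same protocol checks but does
// not entity-encode, so the saved value keeps the literal "&".
function example_save_url( $post_id, $content ) {
	$url = esc_url_raw( example_first_url_raw( $content ) );
	if ( '' !== $url ) {
		update_post_meta( $post_id, '_example_url', $url );
	}
	return $url;
}

// Constructed sample content for illustration.
$content = "http://example.com/?a=1&b=2\nA link post with some commentary.";
echo example_link_html( $content );
```

Because the getter returns the raw value, each caller applies exactly one escaping function chosen for its own context, and the same URL can be rendered and stored without either path inheriting the other's encoding.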

