[wp-trac] [WordPress Trac] #24417: get_the_post_format_url() should not escape data
WordPress Trac
noreply at wordpress.org
Wed May 29 17:14:12 UTC 2013
#24417: get_the_post_format_url() should not escape data
--------------------------+----------------------
Reporter: tollmanz | Owner:
Type: defect (bug) | Status: closed
Priority: normal | Milestone:
Component: Post Formats | Version: trunk
Severity: normal | Resolution: wontfix
Keywords: has-patch |
--------------------------+----------------------
Comment (by tollmanz):
In keeping with the idea of escaping data late, doesn't it seem like
escaping in this function is escaping too early? In each of the 3
usages of `get_the_post_format_url()` in core (and this includes in the
core themes), the function is escaped again after it is called. It seems
unnecessary to add in excessive escaping functions. It makes sense that
this function should not escape the data and instead leave it to the
calling function.
> If we had to do functions like get_permalink() over again, we'd escape
> almost everywhere — and at the very least, we should esc_url_raw() where
> we can.
Can you expand on this? I definitely understand the need for good security
in WordPress core and see that this would help safeguard 3rd party
extension developers; however, I think that much of that responsibility
needs to fall on the developers. They need to ensure the safety of their
works.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/24417#comment:6>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
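The "escape late" pattern the comment argues for, as an added example that is not part of the ticket and not WordPress core code: a getter returns the stored value untouched, and each output sink applies the escaping its own context needs. The `example_*` functions are hypothetical stand-ins (the real `esc_url()` and `esc_url_raw()` mentioned in the thread do considerably more validation); they exist only so the snippet runs without WordPress loaded.

```php
<?php
// Added example (not WordPress core code): the "escape late" pattern from
// the ticket, with hypothetical stand-in escapers so it runs stand-alone.
// esc_url() / esc_url_raw() exist in core; the functions below only imitate
// the display-vs-raw distinction and are deliberate simplifications.

/**
 * Stand-in for a getter like get_the_post_format_url(): returns the stored
 * value untouched so that each caller can escape for its own context.
 */
function example_get_url_raw(array $post_meta): string {
    return $post_meta['url'] ?? '';
}

/** Display-context escaping: entity-encode for use inside HTML attributes. */
function example_esc_url_display(string $url): string {
    // Allow only http(s) here; anything else is dropped rather than guessed at.
    if (!preg_match('#^https?://#i', $url)) {
        return '';
    }
    // Encode &, quotes and angle brackets. double_encode=false leaves entities
    // that are already present alone, so applying this twice is a no-op.
    return htmlspecialchars($url, ENT_QUOTES, 'UTF-8', false);
}

/** Raw-context escaping (database, Location header): validate, don't encode. */
function example_esc_url_raw(string $url): string {
    if (!preg_match('#^https?://#i', $url)) {
        return '';
    }
    return $url;
}

// Constructed sample value containing an ampersand and a stray double quote.
$meta = ['url' => 'https://example.com/?a=1&b=2"'];

$raw = example_get_url_raw($meta);

// Sink 1: HTML attribute, so display escaping happens at the point of output.
$attr = example_esc_url_display($raw);
echo '<a href="' . $attr . '">link</a>', PHP_EOL;
// <a href="https://example.com/?a=1&amp;b=2&quot;">link</a>

// Sink 2: value headed for storage or a redirect header, so raw escaping.
$stored = example_esc_url_raw($raw);
echo $stored, PHP_EOL;
// https://example.com/?a=1&b=2"

// Escaping a second time at the display sink changes nothing, which is the
// "unnecessary but harmless" double escaping the ticket describes.
var_dump(example_esc_url_display($attr) === $attr); // bool(true)
```

The point of keeping the getter raw is that the two sinks need different output: the attribute sink wants entity encoding, while the storage or redirect sink must not receive `&amp;` in place of `&`. With a getter that already entity-encodes, the second sink has to undo the encoding before it can use the value.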