[wp-trac] [WordPress Trac] #16859: esc_url eats square brackets.
WordPress Trac
noreply at wordpress.org
Thu Feb 20 23:21:52 UTC 2014
#16859: esc_url eats square brackets.
------------------------------------+-----------------------------
 Reporter:  f00f                    |       Owner:  westi
     Type:  defect (bug)            |      Status:  accepted
 Priority:  normal                  |   Milestone:  Future Release
Component:  Formatting              |     Version:  3.1
 Severity:  major                   |  Resolution:
 Keywords:  has-patch dev-feedback  |     Focuses:
------------------------------------+-----------------------------
Comment (by gcorne):
I spent some time looking into this issue as well as #15936. When
sanitizing, validating, and escaping URLs, it seems that the most robust
solution is to break the url into its components, sanitize, and then
rebuild. [attachment:16859-03.2.patch 16859-03.2.patch] does this by
leveraging {{{parse_url}}} and then reconstructing the url after
sanitizing by following the pseudocode in RFC3986. By breaking the url
into its components, we can also easily add other rules. The solution
addresses issues with IPv6 literals by allowing {{{[}}} and {{{]}}} in the
host component and encodes brackets in the {{{path}}}, {{{query}}}, and
{{{fragment}}} segments. It feels a little funny doing this encoding here
because it seems to me that the url encoding is something that should be
happening elsewhere, but since right now the brackets do not function as
delimiters outside the host, I think it is okay. All existing tests pass
with this solution.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/16859#comment:27>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
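
The component-wise approach described in the comment above, as an added PHP example: it is not the attached 16859-03.2.patch and not WordPress core code. The `example_*` function names are hypothetical, and the IPv6 validation of a bracketed host is an assumption of this example rather than something the comment states.

```php
<?php
// Added example; the example_* names are hypothetical, not WordPress core code.

// Percent-encode square brackets where they do not act as delimiters.
function example_encode_brackets(string $part): string {
    return str_replace(['[', ']'], ['%5B', '%5D'], $part);
}

// Split with parse_url(), sanitize each component, then recompose in the
// order of the RFC 3986 section 5.3 pseudocode. Returns '' on rejection.
function example_rebuild_url(string $url): string {
    $p = parse_url($url);
    if ($p === false) {
        return '';
    }
    $out = isset($p['scheme']) ? $p['scheme'] . ':' : '';
    if (isset($p['host'])) {
        $host = $p['host'];
        // Assumption of this example: brackets in the host must wrap a valid IPv6 literal.
        if (strpbrk($host, '[]') !== false) {
            $inner = ($host[0] === '[' && substr($host, -1) === ']') ? substr($host, 1, -1) : '';
            if (filter_var($inner, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) === false) {
                return '';
            }
        }
        $out .= '//';
        if (isset($p['user'])) {
            $out .= $p['user'] . (isset($p['pass']) ? ':' . $p['pass'] : '') . '@';
        }
        $out .= $host . (isset($p['port']) ? ':' . $p['port'] : '');
    }
    // Outside the host, brackets are data and get encoded.
    $out .= example_encode_brackets($p['path'] ?? '');
    if (isset($p['query'])) {
        $out .= '?' . example_encode_brackets($p['query']);
    }
    if (isset($p['fragment'])) {
        $out .= '#' . example_encode_brackets($p['fragment']);
    }
    return $out;
}

// Constructed sample inputs: IPv6 literal host, bracketed query keys, bogus bracketed host.
$samples = [
    'http://[2001:db8::1]:8080/a[1]/b?ids[]=3#sec[2]',
    'http://example.com/?filter[name]=x',
    'http://[not-ipv6]/',
];
foreach ($samples as $url) {
    printf("%s => %s\n", $url, var_export(example_rebuild_url($url), true));
}
```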