[wp-trac] [WordPress Trac] #26803: get_bloginfo() doesn't sanitize URLs, even when $filter is 'display'
WordPress Trac
noreply at wordpress.org
Thu Jan 9 22:01:10 UTC 2014
#26803: get_bloginfo() doesn't sanitize URLs, even when $filter is 'display'
--------------------------+-----------------------------
Reporter: jdgrimes | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version: 1.5.1.1
Severity: normal | Keywords:
--------------------------+-----------------------------
The `get_bloginfo()` function returns two main types of content: URLs, and everything else. The function has a `$filter` parameter, and when this is `'display'` the returned info is automatically sanitized, by being passed through the `'bloginfo'` filter (which [https://core.trac.wordpress.org/browser/trunk/src/wp-includes/default-filters.php#L93 by default] applies `wptexturize()`, `convert_chars()`, and `esc_html()`). However, the URLs are treated separately (via #1410), and are passed through the `'bloginfo_url'` filter instead (as noted by @dd32 [https://core.trac.wordpress.org/ticket/16408#comment:3 here]).

In short, the URLs returned by `get_bloginfo()` are unsanitized (and should be passed through `esc_url()`) even when the `$filter` is `'display'`, as when the info is being directly output by [https://core.trac.wordpress.org/browser/trunk/src/wp-includes/general-template.php#L410 bloginfo()].
Related:
#1410
#2643
#16408
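The mitigation the ticket asks for can be applied from outside core while the fix is pending. The following must-use plugin is an added example, not code from the ticket or from WordPress core; it assumes that the `'bloginfo_url'` filter receives `( $output, $show )` as in `general-template.php`, and the function name `example_escape_bloginfo_url` is hypothetical.

```php
<?php
/**
 * Plugin Name: Escape bloginfo URLs on display
 *
 * Added example (not part of the Trac ticket or of WordPress core).
 * Core applies the 'bloginfo_url' filter to URL-type values when
 * get_bloginfo() is called with $filter = 'display', which is what
 * bloginfo() does before echoing. Hooking esc_url() there closes the gap
 * described in the ticket for every caller that uses the 'display' path.
 */

// Priority 10, two arguments: the filter is assumed to pass ( $output, $show ).
add_filter( 'bloginfo_url', 'example_escape_bloginfo_url', 10, 2 );

/**
 * Escape a URL returned by get_bloginfo( $show, 'display' ).
 *
 * @param string $output The URL as stored in the options table, unescaped.
 * @param string $show   The requested key, e.g. 'url', 'wpurl', 'rss2_url'.
 * @return string The URL after esc_url(): quotes and angle brackets are
 *                encoded, and a URL with a disallowed scheme becomes ''.
 */
function example_escape_bloginfo_url( $output, $show ) {
    // $show is unused here but kept so the signature matches the filter;
    // a stricter variant could restrict escaping to a whitelist of keys.
    return esc_url( $output );
}
```

Theme authors who cannot install a plugin get the same effect per call site by writing `echo esc_url( get_bloginfo( 'url' ) );` in place of `bloginfo( 'url' );`; the filter approach above covers existing templates without touching them.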
--
Ticket URL: <https://core.trac.wordpress.org/ticket/26803>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress blogging software