[wp-trac] [WordPress Trac] #31080: GUID should not always be escaped for url in feeds

WordPress Trac noreply at wordpress.org
Mon Apr 20 20:54:21 UTC 2015

#31080: GUID should not always be escaped for url in feeds
 Reporter:  CheeseDurger      |       Owner:  stevenkword
     Type:  enhancement       |      Status:  closed
 Priority:  normal            |   Milestone:  4.2
Component:  Feeds             |     Version:  trunk
 Severity:  normal            |  Resolution:  fixed
 Keywords:  has-patch commit  |     Focuses:  template

Comment (by nacin):

 I'll also add this was done as defense in depth. As in, we now sanitize
 GUIDs on save, and also added escaping in case it was exploited before
 update. In that case, we could ''hypothetically'' remove the escaping
 years after the fact. But that wouldn't actually fix anything, as the
 GUIDs would still go through `esc_url_raw()` on save, and might in certain
 contexts still need to go through `esc_url()` on display. This is because
 they are often used directly as URLs for historical reasons.

 This change at least allows for someone to unhook all of it, both save and

Ticket URL: <https://core.trac.wordpress.org/ticket/31080#comment:21>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
