[wp-trac] [WordPress Trac] #32071: Function to generate safe & trusted URLs

Wed Apr 22 23:06:33 UTC 2015

#32071: Function to generate safe & trusted URLs
-----------------------------+------------------------------
 Reporter:  johnjamesjacoby  |       Owner:
     Type:  enhancement      |      Status:  new
 Priority:  normal           |   Milestone:  Awaiting Review
Component:  General          |     Version:
 Severity:  normal           |  Resolution:
 Keywords:  has-patch        |     Focuses:
-----------------------------+------------------------------

Comment (by johnjamesjacoby):

 Replying to [comment:1 johnbillion]:
 > I'm not a fan of escaping inside functions. Developers should become
 familiar with late escaping. I think a function like this introduces yet
 more inconsistency and gives the wrong impression that you can trust the
 output of some functions.

 I don't disagree about late escaping, but I disagree strongly with it
 being less consistent.

 I can think of several functions without looking that escape and echo
 their unescaped equivalent: `the_permalink()`, `comments_link()`, and a
 bunch of feed functions. Regardless of these examples, it's semantics
 whether it's `esc_url()` or `wp_generate_url()` or some other function
 that's doing it.

 The mechanism through which late-escaping occurs matters much less to me
 than being confident that specific functions perform specific tasks given
 specific parameters with sane defaults and a reasonable ability to
 override.

 I want a way to reduce the number of permutations of how URL's are
 constructed down to a single function, to avoid differences like the
 following examples:

 {{{
 bp_core_redirect( add_query_arg( array( 'action' => 'bpnoaccess' ),
 wp_login_url( $redirect ) ) );
 }}}

 {{{
 echo esc_url( add_query_arg( array( 'page' => 'bp-components', 'action' =>
 'all'      ), bp_get_admin_url( $page ) ) );
 }}}

 {{{
 esc_url( bp_get_admin_url( add_query_arg( array( 'page' => 'bp-components'
 ), 'admin.php' ) ) )
 }}}

 {{{
 echo esc_url( wp_nonce_url( add_query_arg( array( 'action' => 'do_delete',
 'gid' => implode( ',', $gids ) ), $base_url ), 'bp-groups-delete' ) )
 }}}

 And probably one of my favorites:

 {{{
 esc_url( network_admin_url( add_query_arg( '_wp_http_referer', urlencode(
 wp_unslash( $_SERVER['REQUEST_URI'] ) ), wp_nonce_url( 'users.php',
 'deleteuser' ) . '&action=deleteuser&id=' . $user->ID ) ) )
 }}}

 If nothing else, I'll update the patch without the escaping bit at the
 end. My point still stands that developers are forced to nest too much
 complex logic into a series of somewhat unpredictable functions just to
 generate the only thing that connects one page on the web to another.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/32071#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform