[wp-trac] [WordPress Trac] #13051: admin_url() and site_url() shouldn't need esc_url()
WordPress Trac
noreply at wordpress.org
Wed Sep 2 12:25:58 UTC 2015
#13051: admin_url() and site_url() shouldn't need esc_url()
-------------------------------+----------------------
Reporter: alexkingorg | Owner:
Type: defect (bug) | Status: closed
Priority: normal | Milestone:
Component: Security | Version: 3.0
Severity: normal | Resolution: wontfix
Keywords: needs-patch close | Focuses:
-------------------------------+----------------------
Changes (by johnbillion):
* keywords: needs-patch 2nd-opinion => needs-patch close
* status: assigned => closed
* resolution: => wontfix
* milestone: Future Release =>
Comment:

This is definitely a wontfix at this point.

`esc_url()` is used to escape URLs so they are safe for outputting into
HTML. Applying `esc_url()` to functions such as `site_url()` and
`admin_url()` means that everything not in the context of HTML will get a
URL with encoded ampersands, which is not desirable at best, and breaks
things at worst.

Consider this:

`wp_redirect( admin_url( 'tools.php?page=foo' ) );`

This is a common pattern not only in plugins but in core, too. Adding
`esc_url()` to `admin_url()` breaks this piece of code.

Even if a `$context` parameter was added to `site_url()`, `admin_url()`
etc in order to control the context passed to `esc_url()` (which is a
terrible design pattern in itself), the context would have to default to
something other than `display` for backwards compatibility, which mostly
negates the point of adding `esc_url()` to these functions in the first
place.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/13051#comment:29>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
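
An added illustration of the context problem the comment above describes (not part of the ticket or of WordPress core): the same URL is escaped for HTML display and then used in two contexts. `display_escape()` is a hypothetical, simplified stand-in that models only the ampersand encoding `esc_url()` applies for display, and the URL with a second `tab=bar` argument is constructed.

```php
<?php
// Added example. display_escape() is a hypothetical stand-in, not WordPress
// code: it models only the '&' -> '&#038;' encoding done for HTML display.
function display_escape(string $url): string
{
    return str_replace('&', '&#038;', $url);
}

// Query arguments a server receives when a client follows $location taken
// from a Location header. Nothing decodes HTML entities in a header, and
// everything after the first '#' is a fragment that is never sent.
function query_from_redirect(string $location): array
{
    $args  = [];
    $query = parse_url($location, PHP_URL_QUERY);
    if (is_string($query)) {
        parse_str($query, $args);
    }
    return $args;
}

// Query arguments a server receives when the same string sits in an href
// attribute: the HTML parser decodes character references before the
// browser resolves the URL.
function query_from_html_attribute(string $href): array
{
    $decoded = html_entity_decode($href, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return query_from_redirect($decoded);
}

// Constructed sample URL (host and 'tab' argument are assumptions).
$raw     = 'https://example.test/wp-admin/tools.php?page=foo&tab=bar';
$escaped = display_escape($raw);

$cases = [
    'raw URL in Location header'      => query_from_redirect($raw),
    'escaped URL in Location header'  => query_from_redirect($escaped),
    'escaped URL in <a href="...">'   => query_from_html_attribute($escaped),
];

foreach ($cases as $label => $args) {
    printf("%-32s %s\n", $label, json_encode($args));
}
```

Escaping at the point of HTML output keeps both contexts correct: the redirect gets the raw URL, and only the copy written into markup is encoded.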