[wp-trac] [WordPress Trac] #32071: Function to generate safe & trusted URLs
WordPress Trac
noreply at wordpress.org
Tue Jun 13 22:03:09 UTC 2017
#32071: Function to generate safe & trusted URLs
-----------------------------+------------------------------
Reporter: johnjamesjacoby | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version:
Severity: normal | Resolution:
Keywords: has-patch | Focuses:
-----------------------------+------------------------------
Comment (by johnjamesjacoby):
> I think `esc_url` doing HTML escaping is a bit dumb
I agree with this statement – I just ran into this again working on a
plugin.
Core is surprisingly consistent as to how it wraps `wp_nonce_url()` in
`esc_url()`; there are only a handful of places where the `&`
replacement in `wp_nonce_url()` is actually necessary.
[https://core.trac.wordpress.org/browser/trunk/src/wp-admin/users.php#L161
users.php#L161] is an old-school @nacin top 40 classic for the ages,
according to the Casey Kasem revision history.
Otherwise, as dumb as it looks, it's working OK.
`wp_nonce_url()` does seem, to me, like it's a function that doesn't know
if it should `echo` or `return`, and so it escapes but doesn't output
anything, which I don't like (at least use `_get_` in the name.)
----
I think if anyone runs into this in the future and wants direction, my
preferred approach would be to:
* Introduce a new function that doesn't escape, doesn't swap the `&`,
and handles only the adding of the query nonce to a URL
* Use this new function all across everything where `wp_nonce_url()` is
currently used
* Replace query-string URL patterns with arrays using `add_query_arg()` –
this is a lot of code
* Somehow convince everyone this is actually worth doing compared to
leaving it be
TL;DR - I think this can be closed either as wontfix or maybelater.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/32071#comment:8>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
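As an added illustration of the approach sketched in the comment above (not code from the ticket, from WordPress core, or from the commenter): a hypothetical helper that only appends the nonce with `add_query_arg()` and returns the URL unescaped, so that escaping happens exactly once, at the point of output, in the form that output context needs. The `example_` function names and the action string are assumptions; `add_query_arg()`, `wp_create_nonce()`, `esc_url()`, `esc_url_raw()`, `wp_safe_redirect()`, `check_admin_referer()` and `admin_url()` are existing core functions.

```php
<?php
// Hypothetical helper (assumption, not a core function): add a nonce query
// argument to a URL and return it with no HTML escaping and no '&' rewriting.
// Escaping is left to whoever outputs the URL.
function example_get_nonce_url( $url, $action = -1, $name = '_wpnonce' ) {
    return add_query_arg( $name, wp_create_nonce( $action ), $url );
}

// Build the action URL once as an array of query args rather than a
// hand-written query string. User id 123 and the action name are constructed
// sample values.
$user_id = 123;
$action  = 'example-delete-user_' . $user_id;
$url     = example_get_nonce_url(
    add_query_arg(
        array( 'action' => 'delete', 'user' => $user_id ),
        admin_url( 'users.php' )
    ),
    $action
);

// HTML attribute context: esc_url() validates the scheme and turns '&' into
// '&amp;' so the markup is well-formed. No double escaping, because the
// builder above never escaped.
echo '<a href="' . esc_url( $url ) . '">Delete user</a>';

// Redirect / header context: esc_url_raw() keeps '&' literal, which is what
// an HTTP Location header needs. An '&amp;' here would corrupt the query.
// wp_safe_redirect( esc_url_raw( $url ) );
// exit;

// Receiving side (the handler that processes ?action=delete&user=123):
// check_admin_referer() verifies the _wpnonce value against the same action
// string and dies if it is missing or invalid, which is the CSRF check the
// nonce exists for.
function example_handle_delete_user() {
    $user_id = isset( $_GET['user'] ) ? absint( $_GET['user'] ) : 0;
    check_admin_referer( 'example-delete-user_' . $user_id );
    // ... capability check and the actual deletion would follow here.
}
```

The point of the split is that `example_get_nonce_url()` has one job and no opinion about output: the same unescaped string is safe to hand to `esc_url()` for markup or `esc_url_raw()` for a redirect, and the nonce itself is verified on the handling request with `check_admin_referer()` using the identical action string.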