[wp-trac] [WordPress Trac] #39669: Appearance/Menu, Custom Link: bad URL value sanitation

WordPress Trac noreply at wordpress.org
Fri Apr 5 16:51:49 UTC 2019

#39669: Appearance/Menu, Custom Link: bad URL value sanitation
 Reporter:  TRILOS        |       Owner:  (none)
     Type:  defect (bug)  |      Status:  closed
 Priority:  normal        |   Milestone:
Component:  Menus         |     Version:
 Severity:  normal        |  Resolution:  wontfix
 Keywords:                |     Focuses:
Changes (by welcher):

 * status:  reopened => closed
 * resolution:   => wontfix
 * milestone:  Awaiting Review =>


 Replying to [comment:7 TRILOS]:
 > Thank you for this information. In the case I noted I had no media
 > file to refer to, but a relative path: I wanted to link to a similar index
 > page in a different language, placed in a path of e.g. /en/ instead of
 > /de/. So if a WP component isn't able to check this for safety, then it
 > should be able to, and it is no edge case, but an essential case of handling
 > syntactically correct URLs, isn't it?

 Allowing for relative paths will require that we bypass the `esc_url` call,
 and doing so creates a security vulnerability by allowing a user to input
 anything into that field.

 A relative path such as `../my-translated-page` could be an actual page in
 WordPress or potentially a directory that contains a malicious script. The
 code cannot determine the intent of the URL being input.

 Closing as #wont-fix

Ticket URL: <https://core.trac.wordpress.org/ticket/39669#comment:9>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
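The trade-off discussed in the ticket is between bypassing `esc_url` entirely and not accepting relative links at all. As an added example (not WordPress core code and not the resolution the ticket chose), the Python check below admits only site-rooted paths such as `/en/` and rejects the `../my-translated-page` form, protocol-relative `//host` values and scheme-bearing input, so that accepting a relative link does not mean accepting anything; the function name `site_relative_path` and the sample inputs are constructed for this illustration.

```python
# Added example, not WordPress code: a strict allow-list for site-relative
# menu links. Absolute URLs are deliberately left to the normal esc_url path.
import re
from urllib.parse import urlsplit, urlunsplit

# RFC 3986 "pchar" with well-formed percent-encoding only.
_SEGMENT_RE = re.compile(r"^(?:%[0-9A-Fa-f]{2}|[A-Za-z0-9._~!$&'()*+,;=:@-])*$")


def site_relative_path(value: str):
    """Return a normalised site-relative URL, or None if the input is not one.

    Accepts paths rooted at the site, e.g. '/en/' or '/en/index?lang=en#top'.
    Rejects empty or unrooted values, protocol-relative '//host', anything
    with a scheme or host, control characters/whitespace, backslashes, and
    dot segments such as '..' (so '../my-translated-page' is refused).
    Query and fragment are passed through after the character check.
    """
    if not value or not value.startswith("/") or value.startswith("//"):
        return None
    if any(ch.isspace() or ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
        return None
    if "\\" in value:
        return None
    parts = urlsplit(value)
    if parts.scheme or parts.netloc:
        return None
    # Leading segment is always '' because the path starts with '/'.
    for seg in parts.path.split("/")[1:]:
        if seg in (".", "..") or not _SEGMENT_RE.match(seg):
            return None
    return urlunsplit(("", "", parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample inputs mirroring the cases raised in the ticket.
    for sample in ("/en/", "../my-translated-page", "//evil.example/en/",
                   "javascript:void(0)", "/de/../en/"):
        print(repr(sample), "->", site_relative_path(sample))
```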
