[wp-trac] [WordPress Trac] #56140: Need to use esc_url escaping function instead of esc_attr.
WordPress Trac
noreply at wordpress.org
Tue Jul 5 08:44:10 UTC 2022
#56140: Need to use esc_url escaping function instead of esc_attr.
-----------------------------------+------------------------------
Reporter: vishitshah | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Users | Version:
Severity: normal | Resolution:
Keywords: has-patch 2nd-opinion | Focuses:
-----------------------------------+------------------------------
Comment (by costdev):
The docs for `esc_url()` state:
Always use esc_url when sanitizing URLs (in text nodes, attribute nodes
or anywhere else).
[https://developer.wordpress.org/reference/functions/esc_url/ Ref]
This URL is being displayed and is in an attribute node, so `esc_url()` is
appropriate. When submitted, it should go through `sanitize_url()`* prior
to being sent to the database.
*`sanitize_url()` is the preferred function for sanitizing a URL for the
database and redirection as of 6.1 in changeset [53452].
I am unaware of edge cases that may exist. As the field is intended for a
URL, I'm having difficulty envisaging an alternative yet valid use case.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/56140#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
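To make the distinction in the comment above concrete, here is an added example (not WordPress core code, and not from the ticket or its participants). It models the two operations in Python so it runs offline: an attribute escaper that only neutralises quote and angle-bracket breakouts (the job `esc_attr()` does), and a scheme-allowlisting URL sanitizer (the job `sanitize_url()` does on input and `esc_url()` repeats on output). The scheme list and the function names are assumptions chosen for the demonstration, not WordPress's actual allowed-protocol list. The point it shows is that a `javascript:` URL passes attribute escaping untouched and still ends up as a live `href`, while the URL sanitizer rejects it.

```python
import html
from urllib.parse import urlsplit

# Assumed allowlist for the demonstration; WordPress keeps its own list
# (wp_allowed_protocols()), which this model does not reproduce.
ALLOWED_SCHEMES = {"http", "https", "mailto", "ftp", "tel"}


def escape_attr(value: str) -> str:
    """Attribute-context escaping only (models esc_attr()).

    Encodes & < > " ' so the value cannot break out of a quoted
    attribute, but makes no judgement about what the value *is*.
    """
    return html.escape(value, quote=True)


def sanitize_url(value: str) -> str:
    """Scheme-allowlisting sanitizer (models sanitize_url() / esc_url()).

    Returns '' for a URL whose scheme is not allowed; relative URLs
    (no scheme) are passed through.  urlsplit() lowercases the scheme,
    so 'JavaScript:' and 'javascript:' are treated alike.
    """
    value = value.strip()
    if not value:
        return ""
    scheme = urlsplit(value).scheme
    if scheme and scheme not in ALLOWED_SCHEMES:
        return ""
    return value


def escape_url_for_attr(value: str) -> str:
    """Output step for an href: sanitize the URL, then attribute-escape it."""
    return escape_attr(sanitize_url(value))


def render_link(url: str, escaper) -> str:
    """Render an <a href> using the given escaping strategy."""
    return f'<a href="{escaper(url)}">site</a>'


# Two-stage flow the comment describes: sanitize on the way into storage,
# escape (with URL rules) on the way out into an attribute node.
def store_profile_url(raw_input: str) -> str:
    return sanitize_url(raw_input)


def render_profile_link(stored_value: str) -> str:
    return render_link(stored_value, escape_url_for_attr)


if __name__ == "__main__":
    # Constructed sample inputs.
    hostile = "javascript:alert(1)"
    benign = "https://example.com/?a=1&b=2"
    breakout = '" onmouseover="alert(1)'

    print("esc_attr-style:", render_link(hostile, escape_attr))
    print("esc_url-style: ", render_link(hostile, escape_url_for_attr))
    print("benign stored: ", render_profile_link(store_profile_url(benign)))
    print("breakout:      ", render_link(breakout, escape_attr))
```

Running it shows the attribute escaper leaving `href="javascript:alert(1)"` intact, whereas the URL-aware path emits an empty `href`. The `breakout` case shows what `esc_attr()` does protect against (the injected attribute never leaves the quoted value), which is why it looks adequate at a glance even though it is the wrong function for a URL.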