[wp-trac] [WordPress Trac] #56160: Deprecate wp_sanitize_redirect

WordPress Trac noreply at wordpress.org
Wed Jul 6 15:12:13 UTC 2022

#56160: Deprecate wp_sanitize_redirect
 Reporter:  malthert     |       Owner:  (none)
     Type:  enhancement  |      Status:  new
 Priority:  normal       |   Milestone:  Awaiting Review
Component:  Security     |     Version:  2.3
 Severity:  normal       |  Resolution:
 Keywords:  2nd-opinion  |     Focuses:
Changes (by costdev):

 * keywords:   => 2nd-opinion
 * version:  trunk => 2.3


 Hi @malthert, thanks for opening this ticket. I've left a few thoughts


 [53455] changed `esc_url_raw()` calls to `sanitize_url()` as this is now
 the recommended function for sanitizing a URL as of WordPress 6.1.


 > All places that currently use it are better served with esc_url_raw and
 > there seems to be no correct usage of it anywhere (most plugins use it
 > where esc_url_raw should be used instead).

 For discussion, posterity, and for making committers' lives easier should
 this get support, could you provide your thoughts on why `esc_url_raw()`
 serves some of these usages better, or where it's more appropriate than


 An impact analysis is an important part of any deprecation. I'll kick it
 off with some numbers:

 - There are [https://wpdirectory.net/search/01G7A010J1RJNHRWGCFZGY7R2D 309
 plugin results] for `sanitize_url_redirect\(`.
 - There are [https://wpdirectory.net/search/01G7A03793ZHAF11HJ743ZMA1F 0
 theme results] for `sanitize_url_redirect\(`.
 - There are [https://github.com/search?q=wp_sanitize_redirect&type=code
 99k+ results in GitHub], but 10 pages in, it seemed to be entirely within
 PHPUnit tests. I'll admit that I stopped looking after page 10.


 I've added the `2nd-opinion` keyword to draw attention to this ticket.

Ticket URL: <https://core.trac.wordpress.org/ticket/56160#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
