[wp-trac] [WordPress Trac] #55852: Reverse wrapping of `sanitize_url()` and `esc_url_raw()`.

WordPress Trac noreply at wordpress.org
Tue May 31 15:16:15 UTC 2022


#55852: Reverse wrapping of `sanitize_url()` and `esc_url_raw()`.
--------------------------------------+-----------------------------
 Reporter:  peterwilsoncc             |       Owner:  SergeyBiryukov
     Type:  enhancement               |      Status:  reviewing
 Priority:  normal                    |   Milestone:  6.1
Component:  Formatting                |     Version:
 Severity:  normal                    |  Resolution:
 Keywords:  good-first-bug has-patch  |     Focuses:
--------------------------------------+-----------------------------

Comment (by SergeyBiryukov):

 In [changeset:"53452" 53452]:
 {{{
 #!CommitTicketReference repository="" revision="53452"
 Formatting: Make `sanitize_url()` the recommended function for sanitizing
 a URL.

 A general security rule is "Sanitize when you save, escape when you echo".

 In WordPress 5.9, `sanitize_url()` was un-deprecated in order to better
 align with the naming of other sanitizing functions, while still being an
 alias for `esc_url_raw()`.

 This commit reverses the order and turns `esc_url_raw()` into a wrapper
 for `sanitize_url()`, making the latter the canonical function call and
 aiming to improve performance by reducing the number of function calls
 required when using the recommended technique.

 Follow-up to [11383], [13096], [51597].

 Props benjgrolleau, peterwilsoncc, SergeyBiryukov.
 See #55852.
 }}}

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/55852#comment:8>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

