[wp-trac] [WordPress Trac] #58025: Wrong Escaping Function Was Used
WordPress Trac
noreply at wordpress.org
Thu Mar 30 15:12:31 UTC 2023
#58025: Wrong Escaping Function Was Used
--------------------------+---------------------
Reporter: chintan1896 | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: 6.3
Component: Comments | Version: trunk
Severity: normal | Resolution:
Keywords: has-patch | Focuses:
--------------------------+---------------------
Changes (by SergeyBiryukov):

 * component: General => Comments
 * milestone: Awaiting Review => 6.3

Comment:

 Good catch! Some history here:
 * [9112] added `wp_specialchars()` to `comment_reply_link()` and
   `cancel_comment_reply_link()`.
 * [9406] moved the code to `get_comment_reply_link()` and
   `get_cancel_comment_reply_link()`.
 * [11011] replaced `wp_specialchars()` with `clean_url()`, but only in
   `get_comment_reply_link()`.
 * [11380] updated the remaining `wp_specialchars()` to `esc_html()` in
   `get_cancel_comment_reply_link()`.
 * [11383] updated `clean_url()` to `esc_url()` in
   `get_comment_reply_link()`.

 In short, `esc_url()` is indeed the correct function to use here, but it
 was missed in [11011], and subsequent renamings did not catch that.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/58025#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform