[wp-trac] [WordPress Trac] #13051: admin_url() and site_url() shouldn't need esc_url()

WordPress Trac wp-trac at lists.automattic.com
Fri Apr 23 04:54:21 UTC 2010


#13051: admin_url() and site_url() shouldn't need esc_url()
--------------------------+-------------------------------------------------
 Reporter:  alexkingorg   |       Owner:  ryan       
     Type:  defect (bug)  |      Status:  new        
 Priority:  normal        |   Milestone:  3.0        
Component:  Security      |     Version:  3.0        
 Severity:  normal        |    Keywords:  2nd-opinion
--------------------------+-------------------------------------------------
Changes (by alexkingorg):

  * owner:  => ryan
  * type:  enhancement => defect (bug)
  * component:  Formatting => Security


Comment:

 I don't see how passing a sanitized URL to the wp_nonce_url function hurts
 anything.

 The issue I'm trying to raise here is that the results of the built-in
 *_url() functions should be safe to use in attributes without additional
 escaping.

 Every plugin and theme I can think of offhand already treats the functions
 this way, and the WP admin code did as well prior to 3.0. Rather than
 requiring all plugins and themes to add additional wrapper functions, I
 think that the wrapper functions added in wp-admin in 3.0 should be
 removed and the output of the *_url() functions should be made safe to use
 without them.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/13051#comment:5>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
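What "safe to use in an attribute" means in practice, as an added illustration that is not part of the ticket and not WordPress core code: a URL placed inside a double-quoted HTML attribute must contain no raw `"`, `<` or `>` and every `&` between query arguments must be entity-encoded. The helper names below (`attr_safe_url`, `build_nonce_like_url`, `is_attribute_safe`) are hypothetical stand-ins for the `esc_url()` / `wp_nonce_url()` behaviour under discussion so the script runs without WordPress; the base URL and the `a"b` value are constructed inputs.

```php
<?php
// Added illustration, not WordPress core code. attr_safe_url() is a
// hypothetical stand-in for an esc_url()-style filter; build_nonce_like_url()
// stands in for a wp_nonce_url()-style helper that appends query arguments.

// Minimal attribute-safe URL filter: allow only http/https, drop whitespace
// and control characters, normalise any existing '&' entities back to '&',
// then entity-encode the characters that can terminate or alter an attribute.
function attr_safe_url(string $url): string {
    $url   = trim($url);
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'])
        || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return '';
    }
    $url = preg_replace('/[\x00-\x20\x7f]/', '', $url);
    $url = str_replace(['&amp;', '&#038;'], '&', $url);   // keep the filter idempotent
    return str_replace(
        ['&', '"', "'", '<', '>'],
        ['&#038;', '&#034;', '&#039;', '&lt;', '&gt;'],
        $url
    );
}

// Stand-in for a nonce-appending helper: adds _wpnonce and action query
// arguments joined with a raw '&' (the nonce value here is a constant).
function build_nonce_like_url(string $url, string $action): string {
    $sep = strpos($url, '?') === false ? '?' : '&';
    return $url . $sep . '_wpnonce=' . rawurlencode('constructed-nonce')
               . '&action=' . rawurlencode($action);
}

// Check: can this string sit inside a double-quoted attribute as-is?
// Rejects raw quotes/angle brackets and any '&' that does not start an entity.
function is_attribute_safe(string $value): bool {
    return !preg_match('/["<>]|&(?![a-zA-Z#][a-zA-Z0-9]*;)/', $value);
}

// Constructed base URL (not a real site).
$base = 'https://example.invalid/wp-admin/admin.php?page=my-plugin';

// Case 1: two query arguments joined by a raw '&'. Valid as a URL, but not
// yet attribute-safe because the '&' is not an entity.
$nonced = build_nonce_like_url($base, 'do_thing');
printf("raw:      %s\n  attribute-safe? %s\n", $nonced, is_attribute_safe($nonced) ? 'yes' : 'no');
$filtered = attr_safe_url($nonced);
printf("filtered: %s\n  attribute-safe? %s\n", $filtered, is_attribute_safe($filtered) ? 'yes' : 'no');

// Case 2: a caller splices a value containing a double quote (constructed)
// into the URL without encoding it. The quote would close the attribute.
$spliced = $base . '&ref=' . 'a"b';
printf("spliced:  %s\n  attribute-safe? %s\n", $spliced, is_attribute_safe($spliced) ? 'yes' : 'no');
$spliced_ok = attr_safe_url($spliced);
printf("filtered: %s\n  attribute-safe? %s\n", $spliced_ok, is_attribute_safe($spliced_ok) ? 'yes' : 'no');

// Case 3: a non-http scheme is rejected outright rather than passed through.
var_dump(attr_safe_url('javascript:void(0)') === '');
```

Run with `php example.php`. The first case is the one the ticket is about: a URL that is perfectly valid on its own still needs its `&` turned into `&#038;` before it is correct inside `href="..."`, which is the step a caller-side `esc_url()` performs and that the reporter argues the `*_url()` functions should already have done. The `is_attribute_safe()` check is a useful assertion to keep in a theme or plugin test suite, since it catches both the raw-ampersand case and the spliced-quote case regardless of which layer is expected to do the escaping.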