[wp-trac] [WordPress Trac] #13051: admin_url() and site_url() shouldn't need esc_url()

WordPress Trac noreply at wordpress.org
Wed Sep 2 12:25:58 UTC 2015


#13051: admin_url() and site_url() shouldn't need esc_url()
-------------------------------+----------------------
 Reporter:  alexkingorg        |       Owner:
     Type:  defect (bug)       |      Status:  closed
 Priority:  normal             |   Milestone:
Component:  Security           |     Version:  3.0
 Severity:  normal             |  Resolution:  wontfix
 Keywords:  needs-patch close  |     Focuses:
-------------------------------+----------------------
Changes (by johnbillion):

 * keywords:  needs-patch 2nd-opinion => needs-patch close
 * status:  assigned => closed
 * resolution:   => wontfix
 * milestone:  Future Release =>


Comment:

 This is definitely a wontfix at this point.

 `esc_url()` is used to escape URLs so they are safe for outputting into
 HTML. Applying `esc_url()` to functions such as `site_url()` and
 `admin_url()` means that everything not in the context of HTML will get a
 URL with encoded ampersands, which is not desirable at best, and breaks
 things at worst.

 Consider this:

 `wp_redirect( admin_url( 'tools.php?page=foo' ) );`

 This is a common pattern not only in plugins but in core, too. Adding
 `esc_url()` to `admin_url()` breaks this piece of code.

 Even if a `$context` parameter was added to `site_url()`, `admin_url()`
 etc in order to control the context passed to `esc_url()` (which is a
 terrible design pattern in itself), the context would have to default to
 something other than `display` for backwards compatibility, which mostly
 negates the point of adding `esc_url()` to these functions in the first
 place.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/13051#comment:29>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
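As an added illustration of the redirect breakage described in the comment above (this is not code from the ticket or from WordPress core): WordPress is not loaded, so `admin_url()` is replaced by a hypothetical `model_admin_url()` stand-in with a constructed base URL, and `esc_url()`'s default `display` context is reduced to the one transformation the comment relies on, turning `&` into the HTML entity `&#038;`. The ticket's one-parameter `tools.php?page=foo` is extended to two query parameters so the encoded ampersand has something to break, and `query_params_seen_by_server()` models what a browser following the `Location:` header would actually send back.

```php
<?php
// Added example, not code from the ticket or from WordPress core.
// WordPress is not loaded here, so admin_url() is replaced by a hypothetical
// stand-in that returns a constructed base, and esc_url()'s display-context
// behaviour is reduced to the single transformation the ticket discusses:
// turning '&' into the HTML entity '&#038;'. Real esc_url() does more.

function model_admin_url(string $path = ''): string {
    // Hypothetical stand-in for admin_url(); the base URL is constructed.
    return 'https://example.test/wp-admin/' . ltrim($path, '/');
}

function model_esc_url_display(string $url): string {
    // Simplified model of esc_url() in its default 'display' context:
    // ampersands become &#038; so the URL is safe inside an HTML attribute.
    return str_replace('&', '&#038;', $url);
}

function query_params_seen_by_server(string $location): array {
    // What a browser following a Location: header would actually send back.
    // '#' starts the URL fragment, which the browser never transmits, so
    // anything after it is lost before the request reaches PHP.
    $parts = parse_url($location);
    $params = [];
    if (isset($parts['query'])) {
        parse_str($parts['query'], $params);
    }
    return $params;
}

$raw     = model_admin_url('tools.php?page=foo&tab=bar');
$escaped = model_esc_url_display($raw);

// The pattern the comment defends:
//   wp_redirect( admin_url( 'tools.php?page=foo&tab=bar' ) );
// Both 'page' and 'tab' survive the round trip.
var_dump(query_params_seen_by_server($raw));

// The pattern the ticket proposed to bake in:
//   wp_redirect( esc_url( admin_url( 'tools.php?page=foo&tab=bar' ) ) );
// '&#038;' makes the rest of the query string a fragment, so 'tab' is
// silently dropped and only 'page' reaches the redirect target.
var_dump(query_params_seen_by_server($escaped));

// Where the display-escaped form belongs: an HTML attribute. The browser
// decodes the entity back to '&' when it reads the href, so the link works.
echo '<a href="' . htmlspecialchars($escaped, ENT_QUOTES) . '">Tools</a>', PHP_EOL;
```

The contrast is the whole point of the wontfix: the same `&#038;` that is correct inside `href="..."` is a fragment delimiter once the string is handed to an HTTP header, a cURL call, or anything else outside HTML, which is why the escaping belongs at the output site and not inside `admin_url()`.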