[buddypress-trac] [BuddyPress Trac] #9312: Avatar AJAX responses use esc_url() instead of esc_url_raw(), breaking JavaScript URL handling

buddypress-trac noreply at wordpress.org
Tue Dec 16 13:32:31 UTC 2025


#9312: Avatar AJAX responses use esc_url() instead of esc_url_raw(), breaking
JavaScript URL handling
--------------------------+-----------------------------
 Reporter:  GaryJ         |      Owner:  (none)
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  Core          |    Version:
 Severity:  normal        |   Keywords:  needs-patch
--------------------------+-----------------------------
 Several AJAX handlers in `bp-core/bp-core-avatars.php` use `esc_url()` to
 sanitize avatar URLs in JSON responses. This causes issues when JavaScript
 sets these URLs as image `src` attributes, because `esc_url()` converts `&`
 to `&#038;` (an HTML entity), which is malformed when the URL is used
 directly from JavaScript rather than inside HTML.

 == Steps to Reproduce

   1. Upload a profile avatar with crop parameters
   2. After cropping, inspect the avatar image element before page reload
   3. The `src` attribute contains `&#038;` instead of `&`, making the query
  parameters invalid

 **Before reload** (broken):

 {{{
 src="...jpg?w=450&#038;crop=113px,112px,225px,225px&#038;resize=150,150"
 }}}


 **After reload** (correct):

 {{{
 src="...jpg?w=450&crop=113px,112px,225px,225px&resize=150,150"
 }}}

 == Root Cause

 `esc_url()` is designed for HTML output and converts `&` to `&#038;`. When
 that value is returned in a JSON response and used by JavaScript, the HTML
 entity is treated as literal characters, breaking the URL.
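 The following is an added example, not code from the ticket or from BuddyPress, showing what the browser's URL parser does with an avatar URL that went through `esc_url()` and was then handed to JavaScript unchanged, compared with the plain URL `esc_url_raw()` returns. The URLs are constructed to match the shape quoted above (the host is a placeholder), and the `findEntityEncodedUrls()` check is a hypothetical helper for spotting this class of response bug in tests.

```javascript
// Added example; not code from the ticket or from BuddyPress.
// URLs below are constructed to match the ticket's example; the host is a placeholder.

// esc_url() turns "&" into the numeric entity "&#038;".
const ENTITY_ENCODED =
  'https://example.invalid/avatar.jpg?w=450&#038;crop=113px,112px,225px,225px&#038;resize=150,150';
// esc_url_raw() leaves the separators alone.
const RAW =
  'https://example.invalid/avatar.jpg?w=450&crop=113px,112px,225px,225px&resize=150,150';

// Parse a URL exactly as the browser will when it is assigned to img.src:
// no HTML decoding takes place, so "&#038;" is five literal characters and
// the "#" starts the fragment. Returns the query parameters the server would
// actually receive plus whatever ended up in the fragment (which is never sent).
function splitForRequest(url) {
  const u = new URL(url);
  const query = {};
  for (const [key, value] of u.searchParams) {
    query[key] = value;
  }
  return { query, fragment: u.hash };
}

// Defender-side check for a JSON payload (hypothetical helper): a URL field that
// still contains an ampersand entity was escaped for HTML, not for a data context.
const AMP_ENTITY = /&(amp|#0*38|#x0*26);/i;

function findEntityEncodedUrls(data, fields = ['avatar']) {
  return fields.filter(
    (field) => typeof data[field] === 'string' && AMP_ENTITY.test(data[field])
  );
}

// Constructed response shaped like the avatar AJAX reply.
const response = { success: true, data: { avatar: ENTITY_ENCODED } };

console.log(splitForRequest(response.data.avatar));
// query: { w: '450' }  -- crop and resize never reach the server; they sit in
// fragment: '#038;crop=113px,112px,225px,225px&#038;resize=150,150'
console.log(splitForRequest(RAW).query);
// { w: '450', crop: '113px,112px,225px,225px', resize: '150,150' }
console.log(findEntityEncodedUrls(response.data)); // [ 'avatar' ]
```

 The entity-encoded URL loses more than a parameter name: because `&#038;` contains `#`, everything from the first entity onward becomes the URL fragment, so the crop and resize parameters are never transmitted and the server serves the uncropped image. The same check also catches `&amp;`, where the damage is different (the server sees a parameter named `amp;crop`) but the cause is the same.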

 == Affected Code

 `bp-core/bp-core-avatars.php`:
   - Line 921 (`bp_avatar_ajax_delete`)
   - Line 1421 (`bp_avatar_ajax_set - webcam`)
   - Line 1485 (`bp_avatar_ajax_set - crop`)
   - Line 2502 (`bp_avatar_ajax_recycle_previous_avatar`)


 == Proposed Fix

 Replace `esc_url()` with `esc_url_raw()` for all avatar URLs returned in
 AJAX/JSON responses. `esc_url_raw()` sanitizes without HTML entity
 encoding, which is correct for non-HTML contexts.

 {{{
 // Before
 'avatar' => esc_url( bp_core_fetch_avatar( ... ) ),

 // After
 'avatar' => esc_url_raw( bp_core_fetch_avatar( ... ) ),
 }}}

 == Environment

   - BuddyPress 14.4.0
   - WordPress 6.7+

-- 
Ticket URL: <https://buddypress.trac.wordpress.org/ticket/9312>
BuddyPress Trac <http://buddypress.org/>