[buddypress-trac] [BuddyPress Trac] #9312: Avatar AJAX responses use esc_url() instead of esc_url_raw(), breaking JavaScript URL handling
buddypress-trac
noreply at wordpress.org
Tue Dec 16 20:36:59 UTC 2025
#9312: Avatar AJAX responses use esc_url() instead of esc_url_raw(), breaking
JavaScript URL handling
--------------------------+---------------------
 Reporter:  GaryJ         |       Owner:  (none)
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  14.5.0
Component:  Core          |     Version:
 Severity:  normal        |  Resolution:
 Keywords:  needs-patch   |
--------------------------+---------------------
Comment (by espellcaste):
I do have a BuddyPress setup on a VIP, local, instance but can't replicate
it. :/ I'm familiar with VIP Proton CDN. But maybe I'm missing some plugin
to hook the CDN locally.

My guess is that there might be some code hooking into
`bp_core_fetch_avatar_url` and changing the values to use query params
instead. And our `esc_url` escaping is affecting that.

Which would make sense why this has not been an issue until now.

I'll create a patch. The change to `esc_url_raw` won't create an issue for
everyone else.
--
Ticket URL: <https://buddypress.trac.wordpress.org/ticket/9312#comment:5>
BuddyPress Trac <http://buddypress.org/>
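Added example, not part of the ticket or of BuddyPress: a JavaScript sketch of what a client sees when an avatar URL that carries query parameters is entity-encoded for HTML display before being returned as JSON. The CDN host, the `w`/`h`/`crop` parameters and all function names are constructed for illustration, and `escapeForHtmlDisplay` is a simplified stand-in for the `&` to `&#038;` step of `esc_url()`, not WordPress code.

```javascript
// Simplified stand-in for the entity-encoding that esc_url() applies in its
// default "display" context (& -> &#038;, ' -> &#039;). Assumption: only this
// step matters for the demonstration; the real function does more.
function escapeForHtmlDisplay(url) {
  return url.replace(/&/g, '&#038;').replace(/'/g, '&#039;');
}

// Build the JSON body an AJAX handler would send, then read it back the way
// client script does. JSON transport does not decode HTML entities.
function roundTripThroughJson(url) {
  const body = JSON.stringify({ success: true, data: { avatar: url } });
  return JSON.parse(body).data.avatar;
}

// Report how a URL parser splits the string the script received.
function describeRequest(urlString) {
  const u = new URL(urlString);
  return {
    query: Object.fromEntries(u.searchParams),
    fragment: u.hash,
    // The fragment is never sent, so this is all the server receives.
    sentToServer: u.origin + u.pathname + u.search,
  };
}

// Constructed sample: an avatar URL after a hypothetical filter moved the
// resize settings into query parameters.
const FILTERED_AVATAR =
  'https://cdn.example.test/avatars/1/photo.jpg?w=150&h=150&crop=1';

function demo() {
  return {
    // Display-context escaping: the first "#" of "&#038;" starts the fragment.
    display: describeRequest(
      roundTripThroughJson(escapeForHtmlDisplay(FILTERED_AVATAR))
    ),
    // Raw URL: every parameter survives.
    raw: describeRequest(roundTripThroughJson(FILTERED_AVATAR)),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

In HTML attribute context the browser decodes `&#038;` back to `&` before resolving the URL, which is why the same escaped value is harmless in markup and only fails when script consumes it directly.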