[buddypress-trac] [BuddyPress Trac] #9312: Avatar AJAX responses use esc_url() instead of esc_url_raw(), breaking JavaScript URL handling

buddypress-trac noreply at wordpress.org
Wed Dec 17 14:13:24 UTC 2025


#9312: Avatar AJAX responses use esc_url() instead of esc_url_raw(), breaking
JavaScript URL handling
--------------------------+--------------------------
 Reporter:  GaryJ         |       Owner:  espellcaste
     Type:  defect (bug)  |      Status:  closed
 Priority:  normal        |   Milestone:  14.5.0
Component:  Core          |     Version:
 Severity:  normal        |  Resolution:  fixed
 Keywords:  has-patch     |
--------------------------+--------------------------
Changes (by espellcaste):

 * owner:  (none) => espellcaste
 * status:  new => closed
 * resolution:   => fixed


Comment:

 In [changeset:"14156" 14156]:
 {{{
 #!CommitTicketReference repository="" revision="14156"
 Replace `esc_url()` with `esc_url_raw()` for almost all avatar URLs
 returned in AJAX/JSON responses.

 This change addresses an issue where a site modifies the URL returned by
 `bp_core_fetch_avatar`, and those URLs are returned as image src
 attributes.

 In the process of escaping the URL, `esc_url` converts those attributes,
 which become malformed. `esc_url_raw()` sanitizes the URL without HTML
 entity encoding, which is correct for non-HTML contexts.

 Since BuddyPress DOES NOT return the image src attributes by default as
 part of the URL, this change should have no impact on regular users,
 unless the site is purposefully changing them (the use case here is an
 image CDN that returns the image [on demand] using the src attributes as
 image params in the avatar URL).

 Originally at [12338].

 Props GaryJ.

 Closes https://github.com/buddypress/buddypress/pull/427
 Fixes #9312 (trunk)
 }}}

-- 
Ticket URL: <https://buddypress.trac.wordpress.org/ticket/9312#comment:8>
BuddyPress Trac <http://buddypress.org/>
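The failure mode behind this ticket, as an added illustration that is not part of the Trac message, the changeset or BuddyPress itself: in its default "display" context WordPress's `esc_url()` turns each `&` into the numeric entity `&#038;`, which an HTML parser decodes back before resolving the URL, but which a JavaScript consumer of a JSON response hands to the URL parser untouched. The CDN host, the query parameters and the `escUrlDisplayEntities()` model of the entity step are constructed for this example; the shared sanitisation that `esc_url()` and `esc_url_raw()` both perform is not modelled.

```javascript
// Constructed sample: an avatar URL of the kind an on-demand image CDN expects,
// with the requested size carried in the query string. The host is hypothetical.
const RAW_AVATAR_URL = 'https://cdn.example.com/avatars/42.jpg?w=150&h=150&fit=crop';

// Model of the extra step WordPress's esc_url() performs in its default 'display'
// context on top of esc_url_raw(): '&' becomes the numeric entity '&#038;' and
// "'" becomes '&#039;'. The sanitisation both functions share (protocol allow-list,
// stripping of control characters) is out of scope here and not modelled.
function escUrlDisplayEntities(url) {
  return url.replace(/&/g, '&#038;').replace(/'/g, '&#039;');
}

// JavaScript context: the string goes straight to the URL parser (for example
// via img.src = url or fetch(url)). No HTML entity decoding happens first, so the
// '#' inside '&#038;' starts the fragment and everything after it never reaches
// the server. Returns what the CDN would actually receive.
function urlAsSeenByCdn(urlString) {
  const url = new URL(urlString);
  return {
    query: Object.fromEntries(url.searchParams.entries()),
    fragment: url.hash, // client-side only; never sent in the request
  };
}

// HTML context: the HTML parser decodes numeric entities in attribute values
// before the URL is resolved, so the esc_url() form is correct when PHP writes
// the URL into <img src="...">. Only decimal numeric entities are decoded here,
// which is all esc_url() emits.
function decodeAttributeValue(attrValue) {
  return attrValue.replace(/&#(\d+);/g, (_, n) => String.fromCharCode(Number(n)));
}

// Side-by-side: the same URL as esc_url_raw() and esc_url() would return it,
// each interpreted in the context the AJAX/JSON response is consumed in.
function compareContexts(rawUrl) {
  const displayEscaped = escUrlDisplayEntities(rawUrl);
  return {
    // esc_url_raw() leaves '&' alone, so the JSON consumer gets the intended params.
    rawInJs: urlAsSeenByCdn(rawUrl),
    // esc_url() output dropped into JS: the query is truncated at the first '&'.
    displayEscapedInJs: urlAsSeenByCdn(displayEscaped),
    // esc_url() output written into an HTML attribute: decoded back before parsing.
    displayEscapedInHtml: urlAsSeenByCdn(decodeAttributeValue(displayEscaped)),
  };
}

// Stand-alone run: prints the three interpretations for inspection.
console.log(JSON.stringify(compareContexts(RAW_AVATAR_URL), null, 2));
```

With the entity-encoded form, `displayEscapedInJs.query` collapses to `w=150` and `h=150&#038;fit=crop` ends up in the fragment, which the browser never sends; the CDN therefore renders an image with the wrong dimensions or rejects the request. That is why a URL destined for a JSON body belongs in `esc_url_raw()`, while `esc_url()` remains the right call when PHP emits the URL directly into HTML.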