[wp-trac] [WordPress Trac] #20771: esc_url() instead of esc_html() in wp_nonce_url()
WordPress Trac
noreply at wordpress.org
Tue Feb 23 23:37:41 UTC 2021
#20771: esc_url() instead of esc_html() in wp_nonce_url()
------------------------------------------+--------------------------
Reporter: jkudish | Owner: johnbillion
Type: enhancement | Status: closed
Priority: normal | Milestone:
Component: Formatting | Version: 3.4
Severity: normal | Resolution: wontfix
Keywords: needs-unit-tests needs-patch | Focuses:
------------------------------------------+--------------------------
Comment (by juliobox):
Why not add a new param to this function?
wp_nonce_url( $actionurl, $action = -1, $name = '_wpnonce', $context = 'display' );
When $context is 'display', the default value (hello retrocompat), we keep
the esc_html() since it's for displaying.
But if it's not for display, like "redirect", esc_url() instead.
And if no context is given, no sanitize.
I think that way everyone is happy, we can still use it, retrocompat ok
but still with a new possibility to use it for redirection without
creating a new one or breaking anything.
Thoughts?
cc @johnbillion @johnjamesjacoby
--
Ticket URL: <https://core.trac.wordpress.org/ticket/20771#comment:24>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
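Added example, not code from WordPress core or from the comment above: a self-contained sketch of the proposed $context parameter, showing why an esc_html()-escaped nonce URL breaks when it is reused as a redirect target. The helpers demo_create_nonce() and demo_add_query_arg() are simplified stand-ins for wp_create_nonce() and add_query_arg() so the file runs without WordPress loaded; the 'redirect' branch uses a plain PHP URL filter in place of esc_url()/esc_url_raw().

```php
<?php
// Added example (not WordPress core code). The demo_* helpers below are
// assumed stand-ins so that this runs outside WordPress.

// Stand-in for wp_create_nonce(): core derives the nonce from the action,
// the user, the session token and a time tick; a fixed digest is enough here.
function demo_create_nonce( $action ) {
    return substr( hash( 'sha256', 'demo-secret|' . $action ), 0, 10 );
}

// Stand-in for add_query_arg(): appends one key=value pair to a URL.
function demo_add_query_arg( $key, $value, $url ) {
    $sep = ( strpos( $url, '?' ) === false ) ? '?' : '&';
    return $url . $sep . rawurlencode( $key ) . '=' . rawurlencode( $value );
}

// Proposed signature: $context selects the escaping applied to the result.
// 'display' keeps today's behaviour; 'redirect' returns a URL usable in a
// Location: header; null returns the unescaped URL.
function demo_nonce_url( $actionurl, $action = -1, $name = '_wpnonce', $context = 'display' ) {
    // Core normalises already-encoded ampersands before appending the nonce.
    $actionurl = str_replace( '&amp;', '&', $actionurl );
    $url = demo_add_query_arg( $name, demo_create_nonce( $action ), $actionurl );

    switch ( $context ) {
        case 'display':
            // HTML attribute context: '&' becomes '&amp;', as esc_html() does.
            return htmlspecialchars( $url, ENT_QUOTES, 'UTF-8' );
        case 'redirect':
            // Header context: validate but do not HTML-encode.
            return ( filter_var( $url, FILTER_VALIDATE_URL ) !== false ) ? $url : '';
        default:
            return $url;
    }
}

// Does the nonce survive as a query parameter when the URL is requested?
// This parses the query string the way PHP will see it after the browser
// follows a redirect to $url.
function demo_nonce_reaches_server( $url ) {
    $query = parse_url( $url, PHP_URL_QUERY );
    parse_str( (string) $query, $params );
    return isset( $params['_wpnonce'] );
}

// Constructed sample input.
$base = 'https://example.com/wp-admin/admin.php?page=demo&item=42';

$for_display  = demo_nonce_url( $base, 'delete-item_42' );
$for_redirect = demo_nonce_url( $base, 'delete-item_42', '_wpnonce', 'redirect' );

printf( "display:  %s\n  nonce reaches server: %s\n",
    $for_display, demo_nonce_reaches_server( $for_display ) ? 'yes' : 'no' );
printf( "redirect: %s\n  nonce reaches server: %s\n",
    $for_redirect, demo_nonce_reaches_server( $for_redirect ) ? 'yes' : 'no' );
```

In the 'display' output every '&' has become '&amp;', so when that string is sent in a Location: header the server parses the query as keys 'page', 'amp;item' and 'amp;_wpnonce' and the nonce check fails; the 'redirect' output keeps the bare ampersands and the '_wpnonce' parameter arrives intact. In real WordPress the raw variant for headers is esc_url_raw(), since esc_url() in its default display context encodes the ampersand again.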