[wp-trac] [WordPress Trac] #64177: Command Palette: Encoded ampersands in URLs
WordPress Trac
noreply at wordpress.org
Tue Nov 4 12:53:23 UTC 2025
#64177: Command Palette: Encoded ampersands in URLs
--------------------------+------------------------
Reporter: swissspidy | Owner: wildworks
Type: defect (bug) | Status: closed
Priority: normal | Milestone: 6.9
Component: General | Version: trunk
Severity: normal | Resolution: fixed
Keywords: has-patch | Focuses:
--------------------------+------------------------
Comment (by dmsnell):
@wildworks if we escape `$menu_slug` beforehand we shouldn’t have the
reported problem to begin with, because `urlencode()` will replace `&`
with `%26`. though I might have been confused because I thought the
problem was when we encountered menu slugs like `One & Two`. Either way,
because that second clause is directly creating the URL and passing
`$menu_slug` without percent-encoding we can predict this issue, even if
it’s not what was reported here.
that would leave //other// related issues which are caused by the fact
that the generated URL runs through `esc_url()` way before it’s sent to
the browser (why we want late-escaping…). it seems like we want actual
URLs, like the ones we would type into the address bar in a browser, to be
printed in the `SCRIPT` tag as serialized into JSON.
to do this we would need to undo what `esc_url()` did, and so therefore
yes, I suggest that we run it through
`WP_HTML_Decoder::decode_attribute()`.
this stuff is so complicated it’s easy to overlook the tiny details.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/64177#comment:12>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list