[wp-trac] [WordPress Trac] #63351: Incorrect usage of esc_attr() for URL escaping
WordPress Trac
noreply at wordpress.org
Mon Sep 15 18:58:01 UTC 2025
#63351: Incorrect usage of esc_attr() for URL escaping
---------------------------+-----------------------------------------------
 Reporter:  hardik2221     |       Owner:  SergeyBiryukov
     Type:  defect (bug)   |      Status:  closed
 Priority:  normal         |   Milestone:  6.9
Component:  Menus          |     Version:
 Severity:  normal         |  Resolution:  fixed
 Keywords:  has-patch      |     Focuses:  administration, coding-standards
  has-test-info            |
---------------------------+-----------------------------------------------
Comment (by dilip2615):
== Patch Testing Report

Patch tested: 63351.diff (uses esc_url() with correct $menu_item->url)

Environment
- WordPress: 6.9-alpha-60093-src
- PHP: 8.2.28
- Server: nginx/1.29.1
- Database: mysqli (Server: 8.4.6 / Client: mysqlnd 8.2.28)
- Browser: Chrome 140.0.0.0
- OS: Windows 10/11
- Theme: Twenty Twenty 2.9
- MU Plugins: None activated
- Plugins:
  * Test Reports 1.2.0

Steps
1) Replaced esc_attr() with esc_url() and corrected variable from $menu_item->url in class-walker-nav-menu-edit.php.
2) Appearance → Menus → Custom Links: tested
   - https://example.com/?a=1&b=2
   - http://example.com/über
   - javascript:alert(1)
3) Verified input value via DevTools.

Results
- Valid/UTF-8 URLs render correctly in the value attribute (URL-escaped, no double-escape).
- Invalid scheme sanitized on save.
- PHPUnit default suite: OK.

Conclusion
✅ Patch behaves as expected. (URL-specific escaping + correct variable name)
--
Ticket URL: <https://core.trac.wordpress.org/ticket/63351#comment:8>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform