[wp-trac] [WordPress Trac] #60864: URL sanitizing strips valid characters instead of encoding, documented use is invalid
WordPress Trac
noreply at wordpress.org
Sun Jan 4 08:16:02 UTC 2026
#60864: URL sanitizing strips valid characters instead of encoding, documented use
is invalid
--------------------------------------+------------------------------
Reporter: kkmuffme | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version:
Severity: normal | Resolution:
Keywords: has-patch has-unit-tests | Focuses:
--------------------------------------+------------------------------
Comment (by dmsnell):
@kkmuffme looks like I missed `wp_sanitize_redirect()` when we
[https://make.wordpress.org/core/2025/11/18/modernizing-utf-8-support-in-
wordpress-6-9/ updated UTF-8 support in WordPress 6.9].
Perhaps you might look that over and see if you want to update the patch.
I appreciate the comment about HTML4 but I suspect it’s not necessary,
especially not to link to the old HTML4 specs. Is the change in line
4495/4506 meaningful? It looks like it might just move around some
characters and shows up as a changed line, but maybe I’m overlooking
something. If it’s not different semantically, can we avoid rearranging
the characters so they don’t appear in the diff?
Can you speak to the differentiation in here of using the term URI instead
of URL? Can you also verify that the changes will not mistakenly apply to
parts of a URL that should not be transformed?
--
Ticket URL: <https://core.trac.wordpress.org/ticket/60864#comment:5>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list