[wp-trac] [WordPress Trac] #65397: Media: Use esc_url() instead of esc_attr() for download link href in attachment_fields_to_edit
WordPress Trac
noreply at wordpress.org
Tue Jun 2 23:00:58 UTC 2026
#65397: Media: Use esc_url() instead of esc_attr() for download link href in
attachment_fields_to_edit
--------------------------+-------------------------------------
Reporter: thisismyurl | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Media | Version: trunk
Severity: normal | Keywords: has-patch needs-testing
Focuses: |
--------------------------+-------------------------------------
In `wp-admin/includes/media.php`, the "Download file" link in the attachment
edit sidebar uses `esc_attr()` to escape the href attribute value:

    <a href="<?php echo esc_attr( $att_url ); ?>" download>

`$att_url` is the return value of `wp_get_attachment_url()` — a URL.
The correct escaping function for a URL in an href attribute is `esc_url()`,
which validates and normalises the URL rather than only HTML-encoding it.
The input field directly above this line (line 3383) correctly uses
`esc_attr()` for the text input value — only the href on the download
link needs the change.
Fix: replace `esc_attr( $att_url )` with `esc_url( $att_url )` on the
download anchor href.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/65397>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
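
The difference between the two escaping functions named in the ticket, as an added example that is not part of the ticket or its patch. It assumes WordPress is already loaded (for instance by running the file with `wp eval-file`); the file name and every sample URL are constructed for illustration.

```php
<?php
// compare-escaping.php (hypothetical file name), an added example.
// Assumes WordPress is loaded so esc_attr() and esc_url() are defined,
// e.g. run as: wp eval-file compare-escaping.php
// All sample values below are constructed; none come from the ticket.

$samples = array(
	'ordinary upload URL' => 'https://example.test/wp-content/uploads/2026/06/report.pdf',
	'ampersand in query'  => 'https://example.test/file.php?id=7&size=full',
	'space in file name'  => 'https://example.test/wp-content/uploads/my file.pdf',
	'disallowed scheme'   => 'javascript:void(0)',
);

foreach ( $samples as $label => $url ) {
	$as_attr = esc_attr( $url ); // HTML-encodes special characters only.
	$as_url  = esc_url( $url );  // Cleans the URL and checks its scheme.

	// esc_url() returns an empty string when it rejects the input.
	$verdict = ( '' === $as_url ) ? 'rejected by esc_url()' : 'accepted by esc_url()';

	printf(
		"%s (%s)\n  esc_attr: %s\n  esc_url:  %s\n\n",
		$label,
		$verdict,
		var_export( $as_attr, true ),
		var_export( $as_url, true )
	);
}
```

`esc_attr()` passes the scheme of the last sample through unchanged because it only HTML-encodes, whereas `esc_url()` returns an empty string for a scheme outside WordPress's allowed protocol list.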