[wp-trac] [WordPress Trac] #65397: Use esc_url() instead of esc_attr() for download link href in attachment_submitbox_metadata()

WordPress Trac noreply at wordpress.org
Thu Jun 4 12:22:41 UTC 2026


#65397: Use esc_url() instead of esc_attr() for download link href in
attachment_submitbox_metadata()
-------------------------------------------------+-------------------------
 Reporter:  thisismyurl                          |       Owner:  (none)
     Type:  defect (bug)                         |      Status:  new
 Priority:  normal                               |   Milestone:  7.1
Component:  Media                                |     Version:  6.2
 Severity:  normal                               |  Resolution:
 Keywords:  has-patch needs-testing has-         |     Focuses:
  screenshots                                    |  administration
-------------------------------------------------+-------------------------
Changes (by gazipress):

 * keywords:  has-patch needs-testing => has-patch needs-testing has-screenshots


Comment:

 == Test Report
 Patch tested: REPLACE_WITH_PATCH_URL

 === Environment
 - WordPress: 7.1-alpha-62161-src
 - Subdirectory: No
 - PHP: 8.3.31
 - Server: nginx/1.31.1
 - Database: mysqli (Server: 9.7.0 / Client: mysqlnd 8.3.31)
 - Browser: Chrome 148.0.0.0
 - OS: macOS
 - Theme: Twenty Twenty-Five 1.5
 - MU Plugins: None activated
 - Plugins:
   * Test Reports 1.3.0

 === Steps taken

 ✅ Patch is solving the problem

 1. Applied the patch.
 2. Opened WordPress admin.
 3. Went to Media → Library.
 4. Switched to list view.
 5. Uploaded test attachments using different file types, including an
 image, PDF, DOCX, and CSV file.
 6. Opened each attachment edit screen.
 7. Checked the attachment metadata area where the file URL/download link
 is displayed.
 8. Clicked the download/file URL link for each attachment and confirmed
 that the file opened or downloaded correctly.
 9. Inspected the links in Chrome DevTools and confirmed that the href
 attributes contained valid escaped URLs.
 10. Repeated the test with a filename containing spaces and special
 characters, for example: image test ąćę & final (1).jpg.
 11. Confirmed that the generated href was still valid and the file
 URL/download link worked correctly.

 === Expected result
 - The attachment file URL/download link should work correctly.
 - The href attribute should contain a valid escaped URL.
 - The patch should use esc_url() for the href value returned by
 wp_get_attachment_url().

 === Additional Notes
 - Tested with a standard image attachment and an image filename containing
 spaces and special characters.

 === Screenshots/Screencast with results

 Screenshot/Screencast after:

 1. Image attachment with a standard filename.

 https://core.trac.wordpress.org/attachment/ticket/65397/test-photo.png

 2. PDF attachment.
 https://core.trac.wordpress.org/attachment/ticket/65397/test-pdf.png

 3. ZIP attachment.
 https://core.trac.wordpress.org/attachment/ticket/65397/test-zip.png

 4. Image attachment with spaces and special characters in the filename:
 image test ąćę & final (1).jpg
 https://core.trac.wordpress.org/attachment/ticket/65397/test-special-characters.png

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/65397#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
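
The manual href inspection in steps 9 to 11 of the report can be scripted. The following is an added example, not part of the test report or of WordPress core; the allowed-scheme set, the `example.test` host and the sample markup are constructed assumptions, and the checks are this script's own rules rather than a reimplementation of esc_url().

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption of this checker, not WordPress's allowed-protocol list.
ALLOWED_SCHEMES = {"http", "https"}
# Characters that must be percent-encoded inside a URL.
FORBIDDEN = set(' "\'<>\\^`{|}')


class HrefCollector(HTMLParser):
    """Collect href values of <a> tags; the parser decodes entities such as &amp;."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v is not None)


def href_problems(href):
    """Return the reasons a decoded href is not a valid escaped URL."""
    problems = []
    parts = urlsplit(href)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        problems.append("scheme not allowed: %r" % parts.scheme)
    elif not parts.netloc:
        problems.append("missing host")
    # Whitespace, control characters and non-ASCII must not appear raw.
    bad = sorted({c for c in href if c in FORBIDDEN or ord(c) < 0x21 or ord(c) > 0x7E})
    if bad:
        problems.append("unencoded characters: %r" % "".join(bad))
    return problems


def check_markup(markup):
    """Map every <a href> found in the markup to its list of problems."""
    collector = HrefCollector()
    collector.feed(markup)
    return {href: href_problems(href) for href in collector.hrefs}


# Constructed sample markup (not copied from WordPress output).
SAMPLE = """
<a href="https://example.test/uploads/image%20test%20%C4%85%C4%87%C4%99%20%26%20final%20(1).jpg">encoded</a>
<a href="https://example.test/uploads/image test &amp; final (1).jpg">raw space</a>
<a href="javascript:void(0)">non-http scheme</a>
"""

if __name__ == "__main__":
    for href, problems in check_markup(SAMPLE).items():
        print("OK  " if not problems else "FAIL", href, problems)
```

The second sample link is correctly attribute-escaped (`&amp;`) yet still fails, which is the distinction the ticket is about: HTML attribute escaping does not make a value a valid URL.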