Deprecate sanitize_url() and clean_url() in favor of esc_url_raw() and esc_url()

git-svn-id: http://svn.automattic.com/wordpress/trunk@11383 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2009-05-18 16:00:33 +00:00 · 2009-05-18 16:00:33 +00:00 · 3ebf837ced
parent 05c7b40a29
commit 3ebf837ced
45 changed files with 159 additions and 121 deletions
--- a/wp-admin/admin-ajax.php
+++ b/wp-admin/admin-ajax.php
@ -132,7 +132,7 @@ function _wp_ajax_delete_comment_response( $comment_id ) {
 	$total = (int) @$_POST['_total'];
 	$per_page = (int) @$_POST['_per_page'];
 	$page = (int) @$_POST['_page'];
-	$url = clean_url( @$_POST['_url'], null, 'url' );
+	$url = esc_url_raw( @$_POST['_url'] );
 	// JS didn't send us everything we need to know. Just die with success message
 	if ( !$total || !$per_page || !$page || !$url )
 		die( (string) time() );
--- a/wp-admin/custom-header.php
+++ b/wp-admin/custom-header.php
@ -278,7 +278,7 @@ class Custom_Image_Header {
 <h2><?php _e('Your Header Image'); ?></h2>
 <p><?php _e('This is your header image. You can change the text color or upload and crop a new image.'); ?></p>
-<div id="headimg" style="background-image: url(<?php clean_url(header_image()) ?>);">
+<div id="headimg" style="background-image: url(<?php esc_url(header_image()) ?>);">
 <h1><a onclick="return false;" href="<?php bloginfo('url'); ?>" title="<?php bloginfo('name'); ?>" id="name"><?php bloginfo('name'); ?></a></h1>
 <div id="desc"><?php bloginfo('description');?></div>
 </div>
@ -354,7 +354,7 @@ class Custom_Image_Header {
 			// Add the meta-data
 			wp_update_attachment_metadata( $id, wp_generate_attachment_metadata( $id, $file ) );
-			set_theme_mod('header_image', clean_url($url));
+			set_theme_mod('header_image', esc_url($url));
 			do_action('wp_create_file_in_uploads', $file, $id); // For replication
 			return $this->finished();
 		} elseif ( $width > HEADER_IMAGE_WIDTH ) {
--- a/wp-admin/edit-form-advanced.php
+++ b/wp-admin/edit-form-advanced.php
@ -87,10 +87,10 @@ function post_submit_meta_box($post) {
 <div id="preview-action">
 <?php
 if ( 'publish' == $post->post_status ) {
-	$preview_link = clean_url(get_permalink($post->ID));
+	$preview_link = esc_url(get_permalink($post->ID));
 	$preview_button = __('Preview Changes');
 } else {
-	$preview_link = clean_url(apply_filters('preview_post_link', add_query_arg('preview', 'true', get_permalink($post->ID))));
+	$preview_link = esc_url(apply_filters('preview_post_link', add_query_arg('preview', 'true', get_permalink($post->ID))));
 	$preview_button = __('Preview');
 }
 ?>
@ -572,7 +572,7 @@ else
 <input type="hidden" id="post_author" name="post_author" value="<?php echo esc_attr( $post->post_author ); ?>" />
 <input type="hidden" id="post_type" name="post_type" value="<?php echo esc_attr($post->post_type) ?>" />
 <input type="hidden" id="original_post_status" name="original_post_status" value="<?php echo esc_attr($post->post_status) ?>" />
-<input name="referredby" type="hidden" id="referredby" value="<?php echo clean_url(stripslashes(wp_get_referer())); ?>" />
+<input name="referredby" type="hidden" id="referredby" value="<?php echo esc_url(stripslashes(wp_get_referer())); ?>" />
 <?php
 if ( 'draft' != $post->post_status )
 	wp_original_referer_field(true, 'previous');
--- a/wp-admin/edit-form-comment.php
+++ b/wp-admin/edit-form-comment.php
@ -130,7 +130,7 @@ $date = date_i18n( $datef, strtotime( $comment->comment_date ) );
 <input type="hidden" name="c" value="<?php echo esc_attr($comment->comment_ID) ?>" />
 <input type="hidden" name="p" value="<?php echo esc_attr($comment->comment_post_ID) ?>" />
-<input name="referredby" type="hidden" id="referredby" value="<?php echo clean_url(stripslashes(wp_get_referer())); ?>" />
+<input name="referredby" type="hidden" id="referredby" value="<?php echo esc_url(stripslashes(wp_get_referer())); ?>" />
 <?php wp_original_referer_field(true, 'previous'); ?>
 <input type="hidden" name="noredir" value="1" />
--- a/wp-admin/edit-page-form.php
+++ b/wp-admin/edit-page-form.php
@ -81,10 +81,10 @@ function page_submit_meta_box($post) {
 <div id="preview-action">
 <?php
 if ( 'publish' == $post->post_status ) {
-	$preview_link = clean_url(get_permalink($post->ID));
+	$preview_link = esc_url(get_permalink($post->ID));
 	$preview_button = __('Preview Changes');
 } else {
-	$preview_link = clean_url(apply_filters('preview_post_link', add_query_arg('preview', 'true', get_permalink($post->ID))));
+	$preview_link = esc_url(apply_filters('preview_post_link', add_query_arg('preview', 'true', get_permalink($post->ID))));
 	$preview_button = __('Preview');
 }
 ?>
@ -420,7 +420,7 @@ if (isset($mode) && 'bookmarklet' == $mode)
 <?php echo $form_extra ?>
 <input type="hidden" id="post_type" name="post_type" value="<?php echo esc_attr($post->post_type) ?>" />
 <input type="hidden" id="original_post_status" name="original_post_status" value="<?php echo esc_attr($post->post_status) ?>" />
-<input name="referredby" type="hidden" id="referredby" value="<?php echo clean_url(stripslashes(wp_get_referer())); ?>" />
+<input name="referredby" type="hidden" id="referredby" value="<?php echo esc_url(stripslashes(wp_get_referer())); ?>" />
 <?php if ( 'draft' != $post->post_status ) wp_original_referer_field(true, 'previous'); ?>
 <div id="poststuff" class="metabox-holder<?php echo 2 == $screen_layout_columns ? ' has-right-sidebar' : ''; ?>">
--- a/wp-admin/edit.php
+++ b/wp-admin/edit.php
@ -251,8 +251,8 @@ do_action('restrict_manage_posts');
 <?php } ?>
 <div class="view-switch">
-	<a href="<?php echo clean_url(add_query_arg('mode', 'list', $_SERVER['REQUEST_URI'])) ?>"><img <?php if ( 'list' == $mode ) echo 'class="current"'; ?> id="view-switch-list" src="../wp-includes/images/blank.gif" width="20" height="20" title="<?php _e('List View') ?>" alt="<?php _e('List View') ?>" /></a>
+	<a href="<?php echo esc_url(add_query_arg('mode', 'list', $_SERVER['REQUEST_URI'])) ?>"><img <?php if ( 'list' == $mode ) echo 'class="current"'; ?> id="view-switch-list" src="../wp-includes/images/blank.gif" width="20" height="20" title="<?php _e('List View') ?>" alt="<?php _e('List View') ?>" /></a>
-	<a href="<?php echo clean_url(add_query_arg('mode', 'excerpt', $_SERVER['REQUEST_URI'])) ?>"><img <?php if ( 'excerpt' == $mode ) echo 'class="current"'; ?> id="view-switch-excerpt" src="../wp-includes/images/blank.gif" width="20" height="20" title="<?php _e('Excerpt View') ?>" alt="<?php _e('Excerpt View') ?>" /></a>
+	<a href="<?php echo esc_url(add_query_arg('mode', 'excerpt', $_SERVER['REQUEST_URI'])) ?>"><img <?php if ( 'excerpt' == $mode ) echo 'class="current"'; ?> id="view-switch-excerpt" src="../wp-includes/images/blank.gif" width="20" height="20" title="<?php _e('Excerpt View') ?>" alt="<?php _e('Excerpt View') ?>" /></a>
 </div>
 <div class="clear"></div>
--- a/wp-admin/import/livejournal.php
+++ b/wp-admin/import/livejournal.php
@ -186,7 +186,7 @@ class LJ_API_Import {
 			<p class="submit">
 				<input type="submit" class="button-primary" value="<?php esc_attr_e( 'Continue previous import' ) ?>" />
 			</p>
-			<p class="submitbox"><a href="<?php echo clean_url($_SERVER['PHP_SELF'] . '?import=livejournal&amp;step=-1&amp;_wpnonce=' . wp_create_nonce( 'lj-api-import' ) . '&amp;_wp_http_referer=' . esc_attr( $_SERVER['REQUEST_URI'] )) ?>" class="deletion submitdelete"><?php _e( 'Cancel &amp; start a new import' ) ?></a></p>
+			<p class="submitbox"><a href="<?php echo esc_url($_SERVER['PHP_SELF'] . '?import=livejournal&amp;step=-1&amp;_wpnonce=' . wp_create_nonce( 'lj-api-import' ) . '&amp;_wp_http_referer=' . esc_attr( $_SERVER['REQUEST_URI'] )) ?>" class="deletion submitdelete"><?php _e( 'Cancel &amp; start a new import' ) ?></a></p>
 			<p>
 		<?php else : ?>
 			<input type="hidden" name="step" value="1" />
@ -724,7 +724,7 @@ class LJ_API_Import {
 		if ( empty( $this->username ) || empty( $this->password ) ) {
 			?>
 			<p><?php _e( 'Please enter your LiveJournal username <em>and</em> password so we can download your posts and comments.' ) ?></p>
-			<p><a href="<?php echo clean_url($_SERVER['PHP_SELF'] . '?import=livejournal&amp;step=-1&amp;_wpnonce=' . wp_create_nonce( 'lj-api-import' ) . '&amp;_wp_http_referer=' . esc_attr( str_replace( '&step=1', '', $_SERVER['REQUEST_URI'] ) ) ) ?>"><?php _e( 'Start again' ) ?></a></p>
+			<p><a href="<?php echo esc_url($_SERVER['PHP_SELF'] . '?import=livejournal&amp;step=-1&amp;_wpnonce=' . wp_create_nonce( 'lj-api-import' ) . '&amp;_wp_http_referer=' . esc_attr( str_replace( '&step=1', '', $_SERVER['REQUEST_URI'] ) ) ) ?>"><?php _e( 'Start again' ) ?></a></p>
 			<?php
 			return false;
 		}
@ -736,7 +736,7 @@ class LJ_API_Import {
 				delete_option( 'ljapi_protected_password' );
 				?>
 				<p><?php _e( 'Logging in to LiveJournal failed. Check your username and password and try again.' ) ?></p>
-				<p><a href="<?php echo clean_url($_SERVER['PHP_SELF'] . '?import=livejournal&amp;step=-1&amp;_wpnonce=' . wp_create_nonce( 'lj-api-import' ) . '&amp;_wp_http_referer=' . esc_attr( str_replace( '&step=1', '', $_SERVER['REQUEST_URI'] ) ) ) ?>"><?php _e( 'Start again' ) ?></a></p>
+				<p><a href="<?php echo esc_url($_SERVER['PHP_SELF'] . '?import=livejournal&amp;step=-1&amp;_wpnonce=' . wp_create_nonce( 'lj-api-import' ) . '&amp;_wp_http_referer=' . esc_attr( str_replace( '&step=1', '', $_SERVER['REQUEST_URI'] ) ) ) ?>"><?php _e( 'Start again' ) ?></a></p>
 				<?php
 				return false;
 			} else {
--- a/wp-admin/includes/bookmark.php
+++ b/wp-admin/includes/bookmark.php
@ -30,10 +30,10 @@ function edit_link( $link_id = '' ) {
 		wp_die( __( 'Cheatin&#8217; uh?' ));
 	$_POST['link_url'] = esc_html( $_POST['link_url'] );
-	$_POST['link_url'] = clean_url($_POST['link_url']);
+	$_POST['link_url'] = esc_url($_POST['link_url']);
 	$_POST['link_name'] = esc_html( $_POST['link_name'] );
 	$_POST['link_image'] = esc_html( $_POST['link_image'] );
-	$_POST['link_rss'] = clean_url($_POST['link_rss']);
+	$_POST['link_rss'] = esc_url($_POST['link_rss']);
 	if ( !isset($_POST['link_visible']) || 'N' != $_POST['link_visible'] )
 		$_POST['link_visible'] = 'Y';
@ -54,7 +54,7 @@ function edit_link( $link_id = '' ) {
 */
 function get_default_link_to_edit() {
 	if ( isset( $_GET['linkurl'] ) )
-		$link->link_url = clean_url( $_GET['linkurl']);
+		$link->link_url = esc_url( $_GET['linkurl']);
 	else
 		$link->link_url = '';
--- a/wp-admin/includes/class-wp-upgrader.php
+++ b/wp-admin/includes/class-wp-upgrader.php
@ -932,7 +932,7 @@ class Theme_Installer_Skin extends WP_Upgrader_Skin {
 		$stylesheet = $this->upgrader->result['destination_name'];
 		$template = !empty($theme_info['Template']) ? $theme_info['Template'] : $stylesheet;
-		$preview_link = htmlspecialchars( add_query_arg( array('preview' => 1, 'template' => $template, 'stylesheet' => $stylesheet, 'TB_iframe' => 'true' ), trailingslashit(clean_url(get_option('home'))) ) );
+		$preview_link = htmlspecialchars( add_query_arg( array('preview' => 1, 'template' => $template, 'stylesheet' => $stylesheet, 'TB_iframe' => 'true' ), trailingslashit(esc_url(get_option('home'))) ) );
 		$activate_link = wp_nonce_url("themes.php?action=activate&amp;template=" . urlencode($template) . "&amp;stylesheet=" . urlencode($stylesheet), 'switch-theme_' . $template);
 		$install_actions = array(
@ -991,7 +991,7 @@ class Theme_Upgrader_Skin extends WP_Upgrader_Skin {
 		$stylesheet = $this->upgrader->result['destination_name'];
 		$template = !empty($theme_info['Template']) ? $theme_info['Template'] : $stylesheet;
-		$preview_link = htmlspecialchars( add_query_arg( array('preview' => 1, 'template' => $template, 'stylesheet' => $stylesheet, 'TB_iframe' => 'true' ), trailingslashit(clean_url(get_option('home'))) ) );
+		$preview_link = htmlspecialchars( add_query_arg( array('preview' => 1, 'template' => $template, 'stylesheet' => $stylesheet, 'TB_iframe' => 'true' ), trailingslashit(esc_url(get_option('home'))) ) );
 		$activate_link = wp_nonce_url("themes.php?action=activate&amp;template=" . urlencode($template) . "&amp;stylesheet=" . urlencode($stylesheet), 'switch-theme_' . $template);
 		$update_actions =  array(
--- a/wp-admin/includes/comment.php
+++ b/wp-admin/includes/comment.php
@ -89,7 +89,7 @@ function get_comment_to_edit( $id ) {
 	$comment->comment_author = format_to_edit( $comment->comment_author );
 	$comment->comment_author_email = format_to_edit( $comment->comment_author_email );
-	$comment->comment_author_url = clean_url($comment->comment_author_url);
+	$comment->comment_author_url = esc_url($comment->comment_author_url);
 	$comment->comment_author_url = format_to_edit( $comment->comment_author_url );
 	return $comment;
--- a/wp-admin/includes/dashboard.php
+++ b/wp-admin/includes/dashboard.php
@ -115,12 +115,12 @@ function wp_add_dashboard_widget( $widget_id, $widget_name, $callback, $control_
 		$wp_dashboard_control_callbacks[$widget_id] = $control_callback;
 		if ( isset( $_GET['edit'] ) && $widget_id == $_GET['edit'] ) {
 			list($url) = explode( '#', add_query_arg( 'edit', false ), 2 );
-			$widget_name .= ' <span class="postbox-title-action"><a href="' . clean_url( $url ) . '">' . __( 'Cancel' ) . '</a></span>';
+			$widget_name .= ' <span class="postbox-title-action"><a href="' . esc_url( $url ) . '">' . __( 'Cancel' ) . '</a></span>';
 			add_meta_box( $widget_id, $widget_name, '_wp_dashboard_control_callback', 'dashboard', 'normal', 'core' );
 			return;
 		}
 		list($url) = explode( '#', add_query_arg( 'edit', $widget_id ), 2 );
-		$widget_name .= ' <span class="postbox-title-action"><a href="' . clean_url( "$url#$widget_id" ) . '" class="edit-box open-box">' . __( 'Configure' ) . '</a></span>';
+		$widget_name .= ' <span class="postbox-title-action"><a href="' . esc_url( "$url#$widget_id" ) . '" class="edit-box open-box">' . __( 'Configure' ) . '</a></span>';
 	}
 	$side_widgets = array('dashboard_quick_press', 'dashboard_recent_drafts', 'dashboard_primary', 'dashboard_secondary');
 	$location = 'normal';
@ -357,14 +357,14 @@ function wp_dashboard_quick_press() {
 	$drafts = false;
 	if ( 'post' === strtolower( $_SERVER['REQUEST_METHOD'] ) && isset( $_POST['action'] ) && 0 === strpos( $_POST['action'], 'post-quickpress' ) && (int) $_POST['post_ID'] ) {
 		$view = get_permalink( $_POST['post_ID'] );
-		$edit = clean_url( get_edit_post_link( $_POST['post_ID'] ) );
+		$edit = esc_url( get_edit_post_link( $_POST['post_ID'] ) );
 		if ( 'post-quickpress-publish' == $_POST['action'] ) {
 			if ( current_user_can('publish_posts') )
-				printf( '<div class="message"><p>' . __( 'Post Published. <a href="%s">View post</a> | <a href="%s">Edit post</a>' ) . '</p></div>', clean_url( $view ), $edit );
+				printf( '<div class="message"><p>' . __( 'Post Published. <a href="%s">View post</a> | <a href="%s">Edit post</a>' ) . '</p></div>', esc_url( $view ), $edit );
 			else
-				printf( '<div class="message"><p>' . __( 'Post submitted. <a href="%s">Preview post</a> | <a href="%s">Edit post</a>' ) . '</p></div>', clean_url( add_query_arg( 'preview', 1, $view ) ), $edit );
+				printf( '<div class="message"><p>' . __( 'Post submitted. <a href="%s">Preview post</a> | <a href="%s">Edit post</a>' ) . '</p></div>', esc_url( add_query_arg( 'preview', 1, $view ) ), $edit );
 		} else {
-			printf( '<div class="message"><p>' . __( 'Draft Saved. <a href="%s">Preview post</a> | <a href="%s">Edit post</a>' ) . '</p></div>', clean_url( add_query_arg( 'preview', 1, $view ) ), $edit );
+			printf( '<div class="message"><p>' . __( 'Draft Saved. <a href="%s">Preview post</a> | <a href="%s">Edit post</a>' ) . '</p></div>', esc_url( add_query_arg( 'preview', 1, $view ) ), $edit );
 			$drafts_query = new WP_Query( array(
 				'post_type' => 'post',
 				'post_status' => 'draft',
@ -384,7 +384,7 @@ function wp_dashboard_quick_press() {
 	$post = get_default_post_to_edit();
 ?>
-	<form name="post" action="<?php echo clean_url( admin_url( 'post.php' ) ); ?>" method="post" id="quick-press">
+	<form name="post" action="<?php echo esc_url( admin_url( 'post.php' ) ); ?>" method="post" id="quick-press">
 		<h4 id="quick-post-title"><label for="title"><?php _e('Title') ?></label></h4>
 		<div class="input-text-wrap">
 			<input type="text" name="post_title" id="title" tabindex="1" autocomplete="off" value="<?php echo esc_attr( $post->post_title ); ?>" />
@ -525,12 +525,12 @@ function _wp_dashboard_recent_comments_row( &$comment, $show_date = true ) {
 	$comment_post_url = get_edit_post_link( $comment->comment_post_ID );
 	$comment_post_title = strip_tags(get_the_title( $comment->comment_post_ID ));
 	$comment_post_link = "<a href='$comment_post_url'>$comment_post_title</a>";
-	$comment_link = '<a class="comment-link" href="' . clean_url(get_comment_link()) . '">#</a>';
+	$comment_link = '<a class="comment-link" href="' . esc_url(get_comment_link()) . '">#</a>';
-	$delete_url = clean_url( wp_nonce_url( "comment.php?action=deletecomment&p=$comment->comment_post_ID&c=$comment->comment_ID", "delete-comment_$comment->comment_ID" ) );
+	$delete_url = esc_url( wp_nonce_url( "comment.php?action=deletecomment&p=$comment->comment_post_ID&c=$comment->comment_ID", "delete-comment_$comment->comment_ID" ) );
-	$approve_url = clean_url( wp_nonce_url( "comment.php?action=approvecomment&p=$comment->comment_post_ID&c=$comment->comment_ID", "approve-comment_$comment->comment_ID" ) );
+	$approve_url = esc_url( wp_nonce_url( "comment.php?action=approvecomment&p=$comment->comment_post_ID&c=$comment->comment_ID", "approve-comment_$comment->comment_ID" ) );
-	$unapprove_url = clean_url( wp_nonce_url( "comment.php?action=unapprovecomment&p=$comment->comment_post_ID&c=$comment->comment_ID", "unapprove-comment_$comment->comment_ID" ) );
+	$unapprove_url = esc_url( wp_nonce_url( "comment.php?action=unapprovecomment&p=$comment->comment_post_ID&c=$comment->comment_ID", "unapprove-comment_$comment->comment_ID" ) );
-	$spam_url = clean_url( wp_nonce_url( "comment.php?action=deletecomment&dt=spam&p=$comment->comment_post_ID&c=$comment->comment_ID", "delete-comment_$comment->comment_ID" ) );
+	$spam_url = esc_url( wp_nonce_url( "comment.php?action=deletecomment&dt=spam&p=$comment->comment_post_ID&c=$comment->comment_ID", "delete-comment_$comment->comment_ID" ) );
 	$actions = array();
@ -641,10 +641,10 @@ function wp_dashboard_incoming_links_output() {
 		$link = '';
 		$content = '';
 		$date = '';
-		$link = clean_url( strip_tags( $item->get_link() ) );
+		$link = esc_url( strip_tags( $item->get_link() ) );
 		$author = $item->get_author();
-		$site_link = clean_url( strip_tags( $author->get_link() ) );
+		$site_link = esc_url( strip_tags( $author->get_link() ) );
 		if ( !$publisher = esc_html( strip_tags( $author->get_name() ) ) )
 			$publisher = __( 'Somebody' );
@ -780,7 +780,7 @@ function wp_dashboard_plugins_output() {
 			list($link, $frag) = explode( '#', $item->get_link() );
-			$link = clean_url($link);
+			$link = esc_url($link);
 			if ( preg_match( '|/([^/]+?)/?$|', $link, $matches ) )
 				$slug = $matches[1];
 			else {
--- a/wp-admin/includes/media.php
+++ b/wp-admin/includes/media.php
@ -77,7 +77,7 @@ function the_media_upload_tabs() {
 			if ( $current == $callback )
 				$class = " class='current'";
 			$href = add_query_arg(array('tab'=>$callback, 's'=>false, 'paged'=>false, 'post_mime_type'=>false, 'm'=>false));
-			$link = "<a href='" . clean_url($href) . "'$class>$text</a>";
+			$link = "<a href='" . esc_url($href) . "'$class>$text</a>";
 			echo "\t<li id='" . esc_attr("tab-$callback") . "'>$link</li>\n";
 		}
 		echo "</ul>\n";
@ -107,7 +107,7 @@ function get_image_send_to_editor($id, $alt, $title, $align, $url='', $rel = fal
 	$rel = $rel ? ' rel="attachment wp-att-' . esc_attr($id).'"' : '';
 	if ( $url )
-		$html = '<a href="' . clean_url($url) . "\"$rel>$html</a>";
+		$html = '<a href="' . esc_url($url) . "\"$rel>$html</a>";
 	$html = apply_filters( 'image_send_to_editor', $html, $id, $alt, $title, $align, $url, $size );
@ -1745,7 +1745,7 @@ if ( empty($_GET['post_mime_type']) || $_GET['post_mime_type'] == 'all' )
 	$class = ' class="current"';
 else
 	$class = '';
-$type_links[] = "<li><a href='" . clean_url(add_query_arg(array('post_mime_type'=>'all', 'paged'=>false, 'm'=>false))) . "'$class>".__('All Types')."</a>";
+$type_links[] = "<li><a href='" . esc_url(add_query_arg(array('post_mime_type'=>'all', 'paged'=>false, 'm'=>false))) . "'$class>".__('All Types')."</a>";
 foreach ( $post_mime_types as $mime_type => $label ) {
 	$class = '';
@ -1755,7 +1755,7 @@ foreach ( $post_mime_types as $mime_type => $label ) {
 	if ( isset($_GET['post_mime_type']) && wp_match_mime_types($mime_type, $_GET['post_mime_type']) )
 		$class = ' class="current"';
-	$type_links[] = "<li><a href='" . clean_url(add_query_arg(array('post_mime_type'=>$mime_type, 'paged'=>false))) . "'$class>" . sprintf(_n($label[2][0], $label[2][1], $num_posts[$mime_type]), "<span id='$mime_type-counter'>" . number_format_i18n( $num_posts[$mime_type] ) . '</span>') . '</a>';
+	$type_links[] = "<li><a href='" . esc_url(add_query_arg(array('post_mime_type'=>$mime_type, 'paged'=>false))) . "'$class>" . sprintf(_n($label[2][0], $label[2][1], $num_posts[$mime_type]), "<span id='$mime_type-counter'>" . number_format_i18n( $num_posts[$mime_type] ) . '</span>') . '</a>';
 }
 echo implode(' | </li>', $type_links) . '</li>';
 unset($type_links);
@ -2059,7 +2059,7 @@ add_filter('flash_uploader', 'media_upload_use_flash');
 */
 function media_upload_flash_bypass() {
 	echo '<p class="upload-flash-bypass">';
-	printf( __('You are using the Flash uploader.  Problems?  Try the <a href="%s">Browser uploader</a> instead.'), clean_url(add_query_arg('flash', 0)) );
+	printf( __('You are using the Flash uploader.  Problems?  Try the <a href="%s">Browser uploader</a> instead.'), esc_url(add_query_arg('flash', 0)) );
 	echo '</p>';
 }
@ -2074,7 +2074,7 @@ function media_upload_html_bypass($flash = true) {
 	if ( $flash ) {
 		// the user manually selected the browser uploader, so let them switch back to Flash
 		echo ' ';
-		printf( __('Try the <a href="%s">Flash uploader</a> instead.'), clean_url(add_query_arg('flash', 1)) );
+		printf( __('Try the <a href="%s">Flash uploader</a> instead.'), esc_url(add_query_arg('flash', 1)) );
 	}
 	echo "</p>\n";
 }
--- a/wp-admin/includes/plugin-install.php
+++ b/wp-admin/includes/plugin-install.php
@ -138,7 +138,7 @@ function install_dashboard() {
 	$tags = array();
 	foreach ( (array)$api_tags as $tag )
 		$tags[ $tag['name'] ] = (object) array(
-								'link' => clean_url( admin_url('plugin-install.php?tab=search&type=tag&s=' . urlencode($tag['name'])) ),
+								'link' => esc_url( admin_url('plugin-install.php?tab=search&type=tag&s=' . urlencode($tag['name'])) ),
 								'name' => $tag['name'],
 								'id' => sanitize_title_with_dashes($tag['name']),
 								'count' => $tag['count'] );
@ -273,7 +273,7 @@ function display_plugins_table($plugins, $page = 1, $totalpages = 1){
 		<?php do_action('install_plugins_table_header'); ?>
 		</div>
 		<?php
-			$url = clean_url($_SERVER['REQUEST_URI']);
+			$url = esc_url($_SERVER['REQUEST_URI']);
 			if ( ! empty($term) )
 				$url = add_query_arg('s', $term, $url);
 			if ( ! empty($type) )
@ -427,7 +427,7 @@ function install_plugin_information() {
 		$class = ( $section_name == $section ) ? ' class="current"' : '';
 		$href = add_query_arg( array('tab' => $tab, 'section' => $section_name) );
-		$href = clean_url($href);
+		$href = esc_url($href);
 		$san_title = esc_attr(sanitize_title_with_dashes($title));
 		echo "\t<li><a name='$san_title' target='' href='$href'$class>$title</a></li>\n";
 	}
--- a/wp-admin/includes/post.php
+++ b/wp-admin/includes/post.php
@ -333,7 +333,7 @@ function get_default_post_to_edit() {
 	else if ( !empty( $post_title ) ) {
 		$text       = esc_html( stripslashes( urldecode( $_REQUEST['text'] ) ) );
 		$text       = funky_javascript_fix( $text);
-		$popupurl   = clean_url($_REQUEST['popupurl']);
+		$popupurl   = esc_url($_REQUEST['popupurl']);
 		$post_content = '<a href="'.$popupurl.'">'.$post_title.'</a>'."\n$text";
 	}
--- a/wp-admin/includes/template.php
+++ b/wp-admin/includes/template.php
@ -1897,7 +1897,7 @@ function user_row( $user_object, $style = '', $role = '' ) {
 		if ($current_user->ID == $user_object->ID) {
 			$edit_link = 'profile.php';
 		} else {
-			$edit_link = clean_url( add_query_arg( 'wp_http_referer', urlencode( clean_url( stripslashes( $_SERVER['REQUEST_URI'] ) ) ), "user-edit.php?user_id=$user_object->ID" ) );
+			$edit_link = esc_url( add_query_arg( 'wp_http_referer', urlencode( esc_url( stripslashes( $_SERVER['REQUEST_URI'] ) ) ), "user-edit.php?user_id=$user_object->ID" ) );
 		}
 		$edit = "<strong><a href=\"$edit_link\">$user_object->user_login</a></strong><br />";
@ -2092,10 +2092,10 @@ function _wp_comment_row( $comment_id, $mode, $comment_status, $checkbox = true,
 	else
 		$ptime = mysql2date(__('Y/m/d \a\t g:i A'), $comment->comment_date );
-	$delete_url = clean_url( wp_nonce_url( "comment.php?action=deletecomment&p=$post->ID&c=$comment->comment_ID", "delete-comment_$comment->comment_ID" ) );
+	$delete_url = esc_url( wp_nonce_url( "comment.php?action=deletecomment&p=$post->ID&c=$comment->comment_ID", "delete-comment_$comment->comment_ID" ) );
-	$approve_url = clean_url( wp_nonce_url( "comment.php?action=approvecomment&p=$post->ID&c=$comment->comment_ID", "approve-comment_$comment->comment_ID" ) );
+	$approve_url = esc_url( wp_nonce_url( "comment.php?action=approvecomment&p=$post->ID&c=$comment->comment_ID", "approve-comment_$comment->comment_ID" ) );
-	$unapprove_url = clean_url( wp_nonce_url( "comment.php?action=unapprovecomment&p=$post->ID&c=$comment->comment_ID", "unapprove-comment_$comment->comment_ID" ) );
+	$unapprove_url = esc_url( wp_nonce_url( "comment.php?action=unapprovecomment&p=$post->ID&c=$comment->comment_ID", "unapprove-comment_$comment->comment_ID" ) );
-	$spam_url = clean_url( wp_nonce_url( "comment.php?action=deletecomment&dt=spam&p=$post->ID&c=$comment->comment_ID", "delete-comment_$comment->comment_ID" ) );
+	$spam_url = esc_url( wp_nonce_url( "comment.php?action=deletecomment&dt=spam&p=$post->ID&c=$comment->comment_ID", "delete-comment_$comment->comment_ID" ) );
 	echo "<tr id='comment-$comment->comment_ID' class='$the_comment_status'>";
 	$columns = get_column_headers('edit-comments');
--- a/wp-admin/includes/theme-install.php
+++ b/wp-admin/includes/theme-install.php
@ -309,9 +309,9 @@ function display_theme($theme, $actions = null, $show_details = true) {
 	$actions = implode ( ' | ', $actions );
 	?>
 <a class='thickbox thickbox-preview screenshot'
-	href='<? echo clean_url($preview_link); ?>'
+	href='<? echo esc_url($preview_link); ?>'
 	title='<?php echo esc_attr(sprintf(__('Preview &#8220;%s&#8221;'), $name)); ?>'>
-<img src='<?php echo clean_url($theme->screenshot_url); ?>' width='150' />
+<img src='<?php echo esc_url($theme->screenshot_url); ?>' width='150' />
 </a>
 <h3><?php echo $name ?></h3>
 <span class='action-links'><?php echo $actions ?></span>
@ -374,7 +374,7 @@ function display_themes($themes, $page = 1, $totalpages = 1) {
 <div class="tablenav">
 <div class="alignleft actions"><?php do_action('install_themes_table_header'); ?></div>
 	<?php
-	$url = clean_url($_SERVER['REQUEST_URI']);
+	$url = esc_url($_SERVER['REQUEST_URI']);
 	if ( ! empty($term) )
 		$url = add_query_arg('s', $term, $url);
 	if ( ! empty($type) )
@ -502,7 +502,7 @@ function install_theme_information() {
 ?>
 <div class='available-theme'>
-<img src='<?php echo clean_url($api->screenshot_url) ?>' width='300' class="theme-preview-img" />
+<img src='<?php echo esc_url($api->screenshot_url) ?>' width='300' class="theme-preview-img" />
 <h3><?php echo $api->name; ?></h3>
 <p><?php printf(__('by %s'), $api->author); ?></p>
 <p><?php printf(__('Version: %s'), $api->version); ?></p>
--- a/wp-admin/includes/update.php
+++ b/wp-admin/includes/update.php
@ -159,11 +159,11 @@ function wp_plugin_update_row( $file, $plugin_data ) {
 	echo '<tr><td colspan="5" class="plugin-update">';
 	if ( ! current_user_can('update_plugins') )
-		printf( __('There is a new version of %1$s available. <a href="%2$s" class="thickbox" title="%3$s">View version %4$s Details</a>.'), $plugin_name, clean_url($details_url), esc_attr($plugin_name), $r->new_version );
+		printf( __('There is a new version of %1$s available. <a href="%2$s" class="thickbox" title="%3$s">View version %4$s Details</a>.'), $plugin_name, esc_url($details_url), esc_attr($plugin_name), $r->new_version );
 	else if ( empty($r->package) )
-		printf( __('There is a new version of %1$s available. <a href="%2$s" class="thickbox" title="%3$s">View version %4$s Details</a> <em>automatic upgrade unavailable for this plugin</em>.'), $plugin_name, clean_url($details_url), esc_attr($plugin_name), $r->new_version );
+		printf( __('There is a new version of %1$s available. <a href="%2$s" class="thickbox" title="%3$s">View version %4$s Details</a> <em>automatic upgrade unavailable for this plugin</em>.'), $plugin_name, esc_url($details_url), esc_attr($plugin_name), $r->new_version );
 	else
-		printf( __('There is a new version of %1$s available. <a href="%2$s" class="thickbox" title="%3$s">View version %4$s Details</a> or <a href="%5$s">upgrade automatically</a>.'), $plugin_name, clean_url($details_url), esc_attr($plugin_name), $r->new_version, wp_nonce_url('update.php?action=upgrade-plugin&plugin=' . $file, 'upgrade-plugin_' . $file) );
+		printf( __('There is a new version of %1$s available. <a href="%2$s" class="thickbox" title="%3$s">View version %4$s Details</a> or <a href="%5$s">upgrade automatically</a>.'), $plugin_name, esc_url($details_url), esc_attr($plugin_name), $r->new_version, wp_nonce_url('update.php?action=upgrade-plugin&plugin=' . $file, 'upgrade-plugin_' . $file) );
 	do_action( "in_plugin_update_message-$file", $plugin_data, $r );
--- a/wp-admin/includes/user.php
+++ b/wp-admin/includes/user.php
@ -91,7 +91,7 @@ function edit_user( $user_id = 0 ) {
 		if ( empty ( $_POST['url'] ) || $_POST['url'] == 'http://' ) {
 			$user->user_url = '';
 		} else {
-			$user->user_url = clean_url( trim( $_POST['url'] ));
+			$user->user_url = esc_url( trim( $_POST['url'] ));
 			$user->user_url = preg_match('/^(https?|ftps?|mailto|news|irc|gopher|nntp|feed|telnet):/is', $user->user_url) ? $user->user_url : 'http://'.$user->user_url;
 		}
 	}
@ -372,7 +372,7 @@ function get_user_to_edit( $user_id ) {
 	$user = new WP_User( $user_id );
 	$user->user_login   = esc_attr($user->user_login);
 	$user->user_email   = esc_attr($user->user_email);
-	$user->user_url     = clean_url($user->user_url);
+	$user->user_url     = esc_url($user->user_url);
 	$user->first_name   = esc_attr($user->first_name);
 	$user->last_name    = esc_attr($user->last_name);
 	$user->display_name = esc_attr($user->display_name);
--- a/wp-admin/includes/widgets.php
+++ b/wp-admin/includes/widgets.php
@ -169,7 +169,7 @@ function wp_widget_control( $sidebar_args ) {
 	<div class="widget-top">
 	<div class="widget-title-action">
 		<a class="widget-action hide-if-no-js" href="#available-widgets"></a>
-		<a class="widget-control-edit hide-if-js" href="<?php echo clean_url( add_query_arg( $query_arg ) ); ?>"><span class="edit"><?php _e('Edit'); ?></span><span class="add"><?php _e('Add'); ?></span></a>
+		<a class="widget-control-edit hide-if-js" href="<?php echo esc_url( add_query_arg( $query_arg ) ); ?>"><span class="edit"><?php _e('Edit'); ?></span><span class="add"><?php _e('Add'); ?></span></a>
 	</div>
 	<div class="widget-title"><h4><?php echo $widget_title ?><span class="in-widget-title"></span></h4></div>
 	</div>
--- a/wp-admin/js/revisions-js.php
+++ b/wp-admin/js/revisions-js.php
@ -12,7 +12,7 @@ function dvortr( $str ) {
 	);
 }
-$j = clean_url( site_url( '/wp-includes/js/jquery/jquery.js' ) );
+$j = esc_url( site_url( '/wp-includes/js/jquery/jquery.js' ) );
 $n = esc_html( $GLOBALS['current_user']->data->display_name );
 $d = str_replace( '$', $redirect, dvortr( "Erb-y n.y ydco dall.b aiacbv Wa ce]-irxajt- dp.u]-$-VIr XajtWzaVv" ) );
--- a/wp-admin/media.php
+++ b/wp-admin/media.php
@ -84,7 +84,7 @@ case 'edit' :
 <?php screen_icon(); ?>
 <h2><?php _e( 'Edit Media' ); ?></h2>
-<form method="post" action="<?php echo clean_url( remove_query_arg( 'message' ) ); ?>" class="media-upload-form" id="media-single-form">
+<form method="post" action="<?php echo esc_url( remove_query_arg( 'message' ) ); ?>" class="media-upload-form" id="media-single-form">
 <div class="media-single">
 <div id='media-item-<?php echo $att_id; ?>' class='media-item'>
 <?php echo get_media_item( $att_id, array( 'toggle' => false, 'send' => false, 'delete' => false, 'show_title' => false, 'errors' => $errors ) ); ?>
--- a/wp-admin/plugins.php
+++ b/wp-admin/plugins.php
@ -134,7 +134,7 @@ if ( !empty($action) ) {
 						?>
 					</ul>
 				<p><?php _e('Are you sure you wish to delete these files?') ?></p>
-				<form method="post" action="<?php echo clean_url($_SERVER['REQUEST_URI']); ?>" style="display:inline;">
+				<form method="post" action="<?php echo esc_url($_SERVER['REQUEST_URI']); ?>" style="display:inline;">
 					<input type="hidden" name="verify-delete" value="1" />
 					<input type="hidden" name="action" value="delete-selected" />
 					<?php
@ -144,7 +144,7 @@ if ( !empty($action) ) {
 					<?php wp_nonce_field('bulk-manage-plugins') ?>
 					<input type="submit" name="submit" value="<?php esc_attr_e('Yes, Delete these files') ?>" class="button" />
 				</form>
-				<form method="post" action="<?php echo clean_url(wp_get_referer()); ?>" style="display:inline;">
+				<form method="post" action="<?php echo esc_url(wp_get_referer()); ?>" style="display:inline;">
 					<input type="submit" name="submit" value="<?php esc_attr_e('No, Return me to the plugin list') ?>" class="button" />
 				</form>
--- a/wp-admin/press-this.php
+++ b/wp-admin/press-this.php
@ -97,7 +97,7 @@ if ( ! empty($selection) ) {
 	$selection = preg_replace('/(\r?\n|\r)/', '</p><p>', $selection);
 	$selection = '<p>'.str_replace('<p></p>', '', $selection).'</p>';
 }
-$url = isset($_GET['u']) ? clean_url($_GET['u']) : '';
+$url = isset($_GET['u']) ? esc_url($_GET['u']) : '';
 $image = isset($_GET['i']) ? $_GET['i'] : '';
 if ( !empty($_REQUEST['ajax']) ) {
@ -140,7 +140,7 @@ switch ($_REQUEST['ajax']) {
 		</div>
 		<p class="centered"><input type="hidden" name="this_photo" value="<?php echo esc_attr($image); ?>" id="this_photo" />
-			<a href="#" class="select"><img src="<?php echo clean_url($image); ?>" alt="<?php echo esc_attr(__('Click to insert.')); ?>" title="<?php echo esc_attr(__('Click to insert.')); ?>" /></a></p>
+			<a href="#" class="select"><img src="<?php echo esc_url($image); ?>" alt="<?php echo esc_attr(__('Click to insert.')); ?>" title="<?php echo esc_attr(__('Click to insert.')); ?>" /></a></p>
 		<p id="options"><a href="#" class="select button"><?php _e('Insert Image'); ?></a> <a href="#" class="cancel button"><?php _e('Cancel'); ?></a></p>
@ -205,7 +205,7 @@ switch ($_REQUEST['ajax']) {
 						$src = 'http://'.str_replace('//','/', $host['host'].'/'.$src);
 					else
 						$src = 'http://'.str_replace('//','/', $host['host'].'/'.dirname($host['path']).'/'.$src);
-				$sources[] = clean_url($src);
+				$sources[] = esc_url($src);
 			}
 			return "'" . implode("','", $sources) . "'";
 		}
@ -222,7 +222,7 @@ switch ($_REQUEST['ajax']) {
 			var my_src = eval(
 				jQuery.ajax({
 			   		type: "GET",
-			   		url: "<?php echo clean_url($_SERVER['PHP_SELF']); ?>",
+			   		url: "<?php echo esc_url($_SERVER['PHP_SELF']); ?>",
 					cache : false,
 					async : false,
 			   		data: "ajax=photo_images&u=<?php echo urlencode($url); ?>",
@ -233,7 +233,7 @@ switch ($_REQUEST['ajax']) {
 				var my_src = eval(
 				jQuery.ajax({
 			   		type: "GET",
-			   		url: "<?php echo clean_url($_SERVER['PHP_SELF']); ?>",
+			   		url: "<?php echo esc_url($_SERVER['PHP_SELF']); ?>",
 					cache : false,
 					async : false,
 			   		data: "ajax=photo_images&u=<?php echo urlencode($url); ?>",
@ -377,7 +377,7 @@ var ajaxurl = '<?php echo admin_url('admin-ajax.php'); ?>';
 		jQuery('#extra_fields').show();
 		switch(tab_name) {
 			case 'video' :
-				jQuery('#extra_fields').load('<?php echo clean_url($_SERVER['PHP_SELF']); ?>', { ajax: 'video', s: '<?php echo esc_attr($selection); ?>'}, function() {
+				jQuery('#extra_fields').load('<?php echo esc_url($_SERVER['PHP_SELF']); ?>', { ajax: 'video', s: '<?php echo esc_attr($selection); ?>'}, function() {
 					<?php
 					$content = '';
 					if ( preg_match("/youtube\.com\/watch/i", $url) ) {
@ -406,7 +406,7 @@ var ajaxurl = '<?php echo admin_url('admin-ajax.php'); ?>';
 				jQuery.ajax({
 					type: "GET",
 					cache : false,
-					url: "<?php echo clean_url($_SERVER['PHP_SELF']); ?>",
+					url: "<?php echo esc_url($_SERVER['PHP_SELF']); ?>",
 					data: "ajax=photo_js&u=<?php echo urlencode($url)?>",
 					dataType : "script",
 					success : function() {
--- a/wp-admin/themes.php
+++ b/wp-admin/themes.php
@ -194,7 +194,7 @@ foreach ( $cols as $col => $theme_name ) {
 	$stylesheet_dir = $themes[$theme_name]['Stylesheet Dir'];
 	$template_dir = $themes[$theme_name]['Template Dir'];
 	$parent_theme = $themes[$theme_name]['Parent Theme'];
-	$preview_link = clean_url( get_option('home') . '/');
+	$preview_link = esc_url( get_option('home') . '/');
 	$preview_link = htmlspecialchars( add_query_arg( array('preview' => 1, 'template' => $template, 'stylesheet' => $stylesheet, 'TB_iframe' => 'true' ), $preview_link ) );
 	$preview_text = esc_attr( sprintf( __('Preview of &#8220;%s&#8221;'), $title ) );
 	$tags = $themes[$theme_name]['Tags'];
--- a/wp-admin/update-core.php
+++ b/wp-admin/update-core.php
@ -44,7 +44,7 @@ function list_core_update( $update ) {
 	echo '<input id="upgrade" class="button" type="submit" value="' . esc_attr($submit) . '" name="upgrade" />&nbsp;';
 	echo '<input name="version" value="'. esc_attr($update->current) .'" type="hidden"/>';
 	echo '<input name="locale" value="'. esc_attr($update->locale) .'" type="hidden"/>';
-	echo '<a href="' . clean_url($update->package) . '" class="button">' . $download . '</a>&nbsp;';
+	echo '<a href="' . esc_url($update->package) . '" class="button">' . $download . '</a>&nbsp;';
 	if ( 'en_US' != $update->locale )
 		if ( !isset( $update->dismissed ) || !$update->dismissed )
 			echo '<input id="dismiss" class="button" type="submit" value="' . esc_attr__('Hide this update') . '" name="dismiss" />';
--- a/wp-admin/upgrade.php
+++ b/wp-admin/upgrade.php
@ -57,7 +57,7 @@ $step = (int) $step;
 switch ( $step ) :
 	case 0:
 		$goback = stripslashes( wp_get_referer() );
-		$goback = clean_url( $goback, null, 'url' );
+		$goback = esc_url_raw( $goback );
 		$goback = urlencode( $goback );
 ?>
 <h2><?php _e( 'Database Upgrade Required' ); ?></h2>
@ -73,7 +73,7 @@ switch ( $step ) :
 			$backto = __get_option( 'home' ) . '/';
 		else {
 			$backto = stripslashes( urldecode( $_GET['backto'] ) );
-			$backto = clean_url( $backto, null, 'url' );
+			$backto = esc_urlaw( $backto  );
 		}
 ?>
 <h2><?php _e( 'Upgrade Complete' ); ?></h2>
--- a/wp-admin/user-edit.php
+++ b/wp-admin/user-edit.php
@ -120,7 +120,7 @@ include ('admin-header.php');
 <form id="your-profile" action="" method="post">
 <?php wp_nonce_field('update-user_' . $user_id) ?>
 <?php if ( $wp_http_referer ) : ?>
-	<input type="hidden" name="wp_http_referer" value="<?php echo clean_url($wp_http_referer); ?>" />
+	<input type="hidden" name="wp_http_referer" value="<?php echo esc_url($wp_http_referer); ?>" />
 <?php endif; ?>
 <p>
 <input type="hidden" name="from" value="profile" />
--- a/wp-comments-post.php
+++ b/wp-comments-post.php
@ -81,7 +81,7 @@ if ( !$user->ID ) {
 	$comment_cookie_lifetime = apply_filters('comment_cookie_lifetime', 30000000);
 	setcookie('comment_author_' . COOKIEHASH, $comment->comment_author, time() + $comment_cookie_lifetime, COOKIEPATH, COOKIE_DOMAIN);
 	setcookie('comment_author_email_' . COOKIEHASH, $comment->comment_author_email, time() + $comment_cookie_lifetime, COOKIEPATH, COOKIE_DOMAIN);
-	setcookie('comment_author_url_' . COOKIEHASH, clean_url($comment->comment_author_url), time() + $comment_cookie_lifetime, COOKIEPATH, COOKIE_DOMAIN);
+	setcookie('comment_author_url_' . COOKIEHASH, esc_url($comment->comment_author_url), time() + $comment_cookie_lifetime, COOKIEPATH, COOKIE_DOMAIN);
 }
 $location = empty($_POST['redirect_to']) ? get_comment_link($comment_id) : $_POST['redirect_to'] . '#comment-' . $comment_id;
--- a/wp-includes/bookmark-template.php
+++ b/wp-includes/bookmark-template.php
@ -70,7 +70,7 @@ function _walk_bookmarks($bookmarks, $args = '' ) {
 		$the_link = '#';
 		if ( !empty($bookmark->link_url) )
-			$the_link = clean_url($bookmark->link_url);
+			$the_link = esc_url($bookmark->link_url);
 		$desc = esc_attr(sanitize_bookmark_field('link_description', $bookmark->link_description, $bookmark->link_id, 'display'));
 		$name = esc_attr(sanitize_bookmark_field('link_name', $bookmark->link_name, $bookmark->link_id, 'display'));
--- a/wp-includes/category-template.php
+++ b/wp-includes/category-template.php
@ -659,7 +659,7 @@ function wp_generate_tag_cloud( $tags, $args = '' ) {
 	foreach ( $tags as $key => $tag ) {
 		$count = $counts[ $key ];
-		$tag_link = '#' != $tag->link ? clean_url( $tag->link ) : '#';
+		$tag_link = '#' != $tag->link ? esc_url( $tag->link ) : '#';
 		$tag_id = isset($tags[ $key ]->id) ? $tags[ $key ]->id : $key;
 		$tag_name = $tags[ $key ]->name;
 		$a[] = "<a href='$tag_link' class='tag-link-$tag_id' title='" . esc_attr( $topic_count_text_callback( $count ) ) . "'$rel style='font-size: " .
--- a/wp-includes/class.wp-scripts.php
+++ b/wp-includes/class.wp-scripts.php
@ -115,7 +115,7 @@ class WP_Scripts extends WP_Dependencies {
 		}
 		$src = add_query_arg('ver', $ver, $src);
-		$src = clean_url(apply_filters( 'script_loader_src', $src, $handle ));
+		$src = esc_url(apply_filters( 'script_loader_src', $src, $handle ));
 		if ( $this->do_concat )
 			$this->print_html .= "<script type='text/javascript' src='$src'></script>\n";
--- a/wp-includes/class.wp-styles.php
+++ b/wp-includes/class.wp-styles.php
@ -102,7 +102,7 @@ class WP_Styles extends WP_Dependencies {
 		$src = add_query_arg('ver', $ver, $src);
 		$src = apply_filters( 'style_loader_src', $src, $handle );
-		return clean_url( $src );
+		return esc_url( $src );
 	}
 	function in_default_dir($src) {
--- a/wp-includes/comment-template.php
+++ b/wp-includes/comment-template.php
@ -995,9 +995,9 @@ function get_comment_reply_link($args = array(), $comment = null, $post = null)
 	$link = '';
 	if ( get_option('comment_registration') && !$user_ID )
-		$link = '<a rel="nofollow" class="comment-reply-login" href="' . clean_url( wp_login_url( get_permalink() ) ) . '">' . $login_text . '</a>';
+		$link = '<a rel="nofollow" class="comment-reply-login" href="' . esc_url( wp_login_url( get_permalink() ) ) . '">' . $login_text . '</a>';
 	else
-		$link = "<a rel='nofollow' class='comment-reply-link' href='" . clean_url( add_query_arg( 'replytocom', $comment->comment_ID ) ) . "#" . $respond_id . "' onclick='return addComment.moveForm(\"$add_below-$comment->comment_ID\", \"$comment->comment_ID\", \"$respond_id\", \"$post->ID\")'>$reply_text</a>";
+		$link = "<a rel='nofollow' class='comment-reply-link' href='" . esc_url( add_query_arg( 'replytocom', $comment->comment_ID ) ) . "#" . $respond_id . "' onclick='return addComment.moveForm(\"$add_below-$comment->comment_ID\", \"$comment->comment_ID\", \"$respond_id\", \"$post->ID\")'>$reply_text</a>";
 	return apply_filters('comment_reply_link', $before . $link . $after, $args, $comment, $post);
 }
--- a/wp-includes/default-filters.php
+++ b/wp-includes/default-filters.php
@ -43,7 +43,7 @@ $filters = array('pre_comment_author_url', 'pre_user_url', 'pre_link_url', 'pre_
 foreach ( $filters as $filter ) {
 	add_filter($filter, 'strip_tags');
 	add_filter($filter, 'trim');
-	add_filter($filter, 'sanitize_url');
+	add_filter($filter, 'esc_url_raw');
 	add_filter($filter, 'wp_filter_kses');
 }
@ -52,7 +52,7 @@ $filters = array('user_url', 'link_url', 'link_image', 'link_rss', 'comment_url'
 foreach ( $filters as $filter ) {
 	add_filter($filter, 'strip_tags');
 	add_filter($filter, 'trim');
-	add_filter($filter, 'clean_url');
+	add_filter($filter, 'esc_url');
 	add_filter($filter, 'wp_filter_kses');
 }
--- a/wp-includes/default-widgets.php
+++ b/wp-includes/default-widgets.php
@ -659,7 +659,7 @@ class WP_Widget_Recent_Comments extends WP_Widget {
 			<?php if ( $title ) echo $before_title . $title . $after_title; ?>
 			<ul id="recentcomments"><?php
 			if ( $comments ) : foreach ( (array) $comments as $comment) :
-			echo  '<li class="recentcomments">' . /* translators: comments widget: 1: comment author, 2: post link */ sprintf(_x('%1$s on %2$s', 'widgets'), get_comment_author_link(), '<a href="' . clean_url( get_comment_link($comment->comment_ID) ) . '">' . get_the_title($comment->comment_post_ID) . '</a>') . '</li>';
+			echo  '<li class="recentcomments">' . /* translators: comments widget: 1: comment author, 2: post link */ sprintf(_x('%1$s on %2$s', 'widgets'), get_comment_author_link(), '<a href="' . esc_url( get_comment_link($comment->comment_ID) ) . '">' . get_the_title($comment->comment_post_ID) . '</a>') . '</li>';
 			endforeach; endif;?></ul>
 		<?php echo $after_widget; ?>
 <?php
@ -730,7 +730,7 @@ class WP_Widget_RSS extends WP_Widget {
 			$desc = esc_attr(strip_tags(@html_entity_decode($rss->get_description(), ENT_QUOTES, get_option('blog_charset'))));
 			if ( empty($title) )
 				$title = htmlentities(strip_tags($rss->get_title()));
-			$link = clean_url(strip_tags($rss->get_permalink()));
+			$link = esc_url(strip_tags($rss->get_permalink()));
 			while ( stristr($link, 'http') != $link )
 				$link = substr($link, 1);
 		}
@ -739,7 +739,7 @@ class WP_Widget_RSS extends WP_Widget {
 			$title = empty($desc) ? __('Unknown Feed') : $desc;
 		$title = apply_filters('widget_title', $title );
-		$url = clean_url(strip_tags($url));
+		$url = esc_url(strip_tags($url));
 		$icon = includes_url('images/rss.png');
 		if ( $title )
 			$title = "<a class='rsswidget' href='$url' title='" . esc_attr(__('Syndicate this content')) ."'><img style='background:orange;color:white;border:none;' width='14' height='14' src='$icon' alt='RSS' /></a> <a class='rsswidget' href='$link' title='$desc'>$title</a>";
@ -813,7 +813,7 @@ function wp_widget_rss_output( $rss, $args = array() ) {
 		$link = $item->get_link();
 		while ( stristr($link, 'http') != $link )
 			$link = substr($link, 1);
-		$link = clean_url(strip_tags($link));
+		$link = esc_url(strip_tags($link));
 		$title = esc_attr(strip_tags($item->get_title()));
 		if ( empty($title) )
 			$title = __('Untitled');
@ -879,7 +879,7 @@ function wp_widget_rss_form( $args, $inputs = null ) {
 	$number = esc_attr( $number );
 	$title  = esc_attr( $title );
-	$url    = clean_url( $url );
+	$url    = esc_url( $url );
 	$items  = (int) $items;
 	if ( $items < 1 || 20 < $items )
 		$items  = 10;
@ -958,7 +958,7 @@ function wp_widget_rss_process( $widget_rss, $check_feed = true ) {
 	$items = (int) $widget_rss['items'];
 	if ( $items < 1 || 20 < $items )
 		$items = 10;
-	$url           = sanitize_url(strip_tags( $widget_rss['url'] ));
+	$url           = esc_url_raw(strip_tags( $widget_rss['url'] ));
 	$title         = trim(strip_tags( $widget_rss['title'] ));
 	$show_summary  = (int) $widget_rss['show_summary'];
 	$show_author   = (int) $widget_rss['show_author'];
@ -971,7 +971,7 @@ function wp_widget_rss_process( $widget_rss, $check_feed = true ) {
 		if ( is_wp_error($rss) ) {
 			$error = $rss->get_error_message();
 		} else {
-			$link = clean_url(strip_tags($rss->get_permalink()));
+			$link = esc_url(strip_tags($rss->get_permalink()));
 			while ( stristr($link, 'http') != $link )
 				$link = substr($link, 1);
 		}
--- a/wp-includes/deprecated.php
+++ b/wp-includes/deprecated.php
@ -1001,7 +1001,7 @@ function get_links($category = -1, $before = '', $after = '<br />', $between = '
 			$output .= get_option('links_recently_updated_prepend');
 		$the_link = '#';
 		if ( !empty($row->link_url) )
-			$the_link = clean_url($row->link_url);
+			$the_link = esc_url($row->link_url);
 		$rel = $row->link_rel;
 		if ( '' != $rel )
 			$rel = ' rel="' . $rel . '"';
--- a/wp-includes/feed.php
+++ b/wp-includes/feed.php
@ -255,7 +255,7 @@ function get_comment_guid($comment_id = null) {
 * @since 1.5.0
 */
 function comment_link() {
-	echo clean_url( get_comment_link() );
+	echo esc_url( get_comment_link() );
 }
 /**
@ -503,7 +503,7 @@ function prep_atom_text_construct($data) {
 function self_link() {
 	$host = @parse_url(get_option('home'));
 	$host = $host['host'];
-	echo clean_url(
+	echo esc_url(
 		'http'
 		. ( (isset($_SERVER['https']) && $_SERVER['https'] == 'on') ? 's' : '' ) . '://'
 		. $host
--- a/wp-includes/formatting.php
+++ b/wp-includes/formatting.php
@ -1149,7 +1149,7 @@ function antispambot($emailaddy, $mailto=0) {
 */
 function _make_url_clickable_cb($matches) {
 	$url = $matches[2];
-	$url = clean_url($url);
+	$url = esc_url($url);
 	if ( empty($url) )
 		return $matches[0];
 	return $matches[1] . "<a href=\"$url\" rel=\"nofollow\">$url</a>";
@ -1171,7 +1171,7 @@ function _make_web_ftp_clickable_cb($matches) {
 	$ret = '';
 	$dest = $matches[2];
 	$dest = 'http://' . $dest;
-	$dest = clean_url($dest);
+	$dest = esc_url($dest);
 	if ( empty($dest) )
 		return $matches[0];
 	// removed trailing [,;:] from URL
@ -1988,7 +1988,7 @@ function wp_htmledit_pre($output) {
 * Checks and cleans a URL.
 *
 * A number of characters are removed from the URL. If the URL is for displaying
- * (the default behaviour) amperstands are also replaced. The 'clean_url' filter
+ * (the default behaviour) amperstands are also replaced. The 'esc_url' filter
 * is applied to the returned cleaned URL.
 *
 * @since 1.2.0
@ -2032,9 +2032,47 @@ function clean_url( $url, $protocols = null, $context = 'display' ) {
 }
 /**
- * Performs clean_url() for database usage.
+ * Checks and cleans a URL.
 *
- * @see clean_url()
+ * A number of characters are removed from the URL. If the URL is for displaying
 * (the default behaviour) amperstands are also replaced. The 'esc_url' filter
 * is applied to the returned cleaned URL.
 *
 * @since 2.8.0
 * @uses esc_url()
 * @uses wp_kses_bad_protocol() To only permit protocols in the URL set
 *		via $protocols or the common ones set in the function.
 *
 * @param string $url The URL to be cleaned.
 * @param array $protocols Optional. An array of acceptable protocols.
 *		Defaults to 'http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet' if not set.
 * @return string The cleaned $url after the 'cleaned_url' filter is applied.
 */
 function esc_url( $url, $protocols = null ) {
 	return clean_url( $url, $protocols, 'display' );
 }
 /**
 * Performs esc_url() for database usage.
 *
 * @see esc_url()
 * @see esc_url()
 *
 * @since 2.8.0
 *
 * @param string $url The URL to be cleaned.
 * @param array $protocols An array of acceptable protocols.
 * @return string The cleaned URL.
 */
 function esc_url_raw( $url, $protocols = null ) {
 	return clean_url( $url, $protocols, 'db' );
 }
 /**
 * Performs esc_url() for database or redirect usage.
 *
 * @see esc_url()
 * @deprecated 2.8.0
 *
 * @since 2.3.1
 *
@ -2280,7 +2318,7 @@ function sanitize_option($option, $value) {
 		case 'siteurl':
 		case 'home':
 			$value = stripslashes($value);
-			$value = clean_url($value);
+			$value = esc_url($value);
 			break;
 		default :
 			$value = apply_filters("sanitize_option_{$option}", $value, $option);
--- a/wp-includes/functions.php
+++ b/wp-includes/functions.php
@ -2336,7 +2336,7 @@ function wp_nonce_ays( $action ) {
 	$title = __( 'WordPress Failure Notice' );
 	$html = esc_html( wp_explain_nonce( $action ) );
 	if ( wp_get_referer() )
-		$html .= "</p><p><a href='" . clean_url( remove_query_arg( 'updated', wp_get_referer() ) ) . "'>" . __( 'Please try again.' ) . "</a>";
+		$html .= "</p><p><a href='" . esc_url( remove_query_arg( 'updated', wp_get_referer() ) ) . "'>" . __( 'Please try again.' ) . "</a>";
 	elseif ( 'log-out' == $action )
 		$html .= "</p><p>" . sprintf( __( "Do you really want to <a href='%s'>log out</a>?"), wp_logout_url() );
--- a/wp-includes/general-template.php
+++ b/wp-includes/general-template.php
@ -141,9 +141,9 @@ function get_search_form() {
 */
 function wp_loginout($redirect = '') {
 	if ( ! is_user_logged_in() )
-		$link = '<a href="' . clean_url( wp_login_url($redirect) ) . '">' . __('Log in') . '</a>';
+		$link = '<a href="' . esc_url( wp_login_url($redirect) ) . '">' . __('Log in') . '</a>';
 	else
-		$link = '<a href="' . clean_url( wp_logout_url($redirect) ) . '">' . __('Log out') . '</a>';
+		$link = '<a href="' . esc_url( wp_logout_url($redirect) ) . '">' . __('Log out') . '</a>';
 	echo apply_filters('loginout', $link);
 }
@ -689,7 +689,7 @@ function single_month_title($prefix = '', $display = true ) {
 function get_archives_link($url, $text, $format = 'html', $before = '', $after = '') {
 	$text = wptexturize($text);
 	$title_text = esc_attr($text);
-	$url = clean_url($url);
+	$url = esc_url($url);
 	if ('link' == $format)
 		$link_html = "\t<link rel='archives' title='$title_text' href='$url' />\n";
@ -1807,7 +1807,7 @@ function paginate_links( $args = '' ) {
 		if ( $add_args )
 			$link = add_query_arg( $add_args, $link );
 		$link .= $add_fragment;
-		$page_links[] = "<a class='prev page-numbers' href='" . clean_url($link) . "'>$prev_text</a>";
+		$page_links[] = "<a class='prev page-numbers' href='" . esc_url($link) . "'>$prev_text</a>";
 	endif;
 	for ( $n = 1; $n <= $total; $n++ ) :
 		$n_display = number_format_i18n($n);
@ -1821,7 +1821,7 @@ function paginate_links( $args = '' ) {
 				if ( $add_args )
 					$link = add_query_arg( $add_args, $link );
 				$link .= $add_fragment;
-				$page_links[] = "<a class='page-numbers' href='" . clean_url($link) . "'>$n_display</a>";
+				$page_links[] = "<a class='page-numbers' href='" . esc_url($link) . "'>$n_display</a>";
 				$dots = true;
 			elseif ( $dots && !$show_all ) :
 				$page_links[] = "<span class='page-numbers dots'>...</span>";
@ -1835,7 +1835,7 @@ function paginate_links( $args = '' ) {
 		if ( $add_args )
 			$link = add_query_arg( $add_args, $link );
 		$link .= $add_fragment;
-		$page_links[] = "<a class='next page-numbers' href='" . clean_url($link) . "'>$next_text</a>";
+		$page_links[] = "<a class='next page-numbers' href='" . esc_url($link) . "'>$next_text</a>";
 	endif;
 	switch ( $type ) :
 		case 'array' :
@ -1935,9 +1935,9 @@ function wp_admin_css( $file = 'wp-admin', $force_echo = false ) {
 		return;
 	}
-	echo apply_filters( 'wp_admin_css', "<link rel='stylesheet' href='" . clean_url( wp_admin_css_uri( $file ) ) . "' type='text/css' />\n", $file );
+	echo apply_filters( 'wp_admin_css', "<link rel='stylesheet' href='" . esc_url( wp_admin_css_uri( $file ) ) . "' type='text/css' />\n", $file );
 	if ( 'rtl' == get_bloginfo( 'text_direction' ) )
-		echo apply_filters( 'wp_admin_css', "<link rel='stylesheet' href='" . clean_url( wp_admin_css_uri( "$file-rtl" ) ) . "' type='text/css' />\n", "$file-rtl" );
+		echo apply_filters( 'wp_admin_css', "<link rel='stylesheet' href='" . esc_url( wp_admin_css_uri( "$file-rtl" ) ) . "' type='text/css' />\n", "$file-rtl" );
 }
 /**
--- a/wp-includes/link-template.php
+++ b/wp-includes/link-template.php
@ -1315,7 +1315,7 @@ function get_next_posts_page_link($max_page = 0) {
 * @param boolean $echo Optional. Echo or return;
 */
 function next_posts( $max_page = 0, $echo = true ) {
-	$output = clean_url( get_next_posts_page_link( $max_page ) );
+	$output = esc_url( get_next_posts_page_link( $max_page ) );
 	if ( $echo )
 		echo $output;
@ -1393,7 +1393,7 @@ function get_previous_posts_page_link() {
 * @param boolean $echo Optional. Echo or return;
 */
 function previous_posts( $echo = true ) {
-	$output = clean_url( get_previous_posts_page_link() );
+	$output = esc_url( get_previous_posts_page_link() );
 	if ( $echo )
 		echo $output;
@ -1550,7 +1550,7 @@ function get_next_comments_link( $label = '', $max_page = 0 ) {
 	if ( empty($label) )
 		$label = __('Newer Comments &raquo;');
-	return '<a href="' . clean_url( get_comments_pagenum_link( $nextpage, $max_page ) ) . '" ' . apply_filters( 'next_comments_link_attributes', '' ) . '>'. preg_replace('/&([^#])(?![a-z]{1,8};)/', '&#038;$1', $label) .'</a>';
+	return '<a href="' . esc_url( get_comments_pagenum_link( $nextpage, $max_page ) ) . '" ' . apply_filters( 'next_comments_link_attributes', '' ) . '>'. preg_replace('/&([^#])(?![a-z]{1,8};)/', '&#038;$1', $label) .'</a>';
 }
 /**
@ -1587,7 +1587,7 @@ function get_previous_comments_link( $label = '' ) {
 	if ( empty($label) )
 		$label = __('&laquo; Older Comments');
-	return '<a href="' . clean_url( get_comments_pagenum_link( $prevpage ) ) . '" ' . apply_filters( 'previous_comments_link_attributes', '' ) . '>' . preg_replace('/&([^#])(?![a-z]{1,8};)/', '&#038;$1', $label) .'</a>';
+	return '<a href="' . esc_url( get_comments_pagenum_link( $prevpage ) ) . '" ' . apply_filters( 'previous_comments_link_attributes', '' ) . '>' . preg_replace('/&([^#])(?![a-z]{1,8};)/', '&#038;$1', $label) .'</a>';
 }
 /**
--- a/wp-includes/rss.php
+++ b/wp-includes/rss.php
@ -872,7 +872,7 @@ function wp_rss( $url, $num_items = -1 ) {
 		foreach ( (array) $rss->items as $item ) {
 			printf(
 				'<li><a href="%1$s" title="%2$s">%3$s</a></li>',
-				clean_url( $item['link'] ),
+				esc_url( $item['link'] ),
 				esc_attr( strip_tags( $item['description'] ) ),
 				htmlentities( $item['title'] )
 			);
--- a/wp-includes/theme.php
+++ b/wp-includes/theme.php
@ -185,7 +185,7 @@ function get_theme_data( $theme_file ) {
 		$name = $theme = '';
 	if ( preg_match( '|Theme URI:(.*)$|mi', $theme_data, $theme_uri ) )
-		$theme_uri = clean_url( _cleanup_header_comment($theme_uri[1]) );
+		$theme_uri = esc_url( _cleanup_header_comment($theme_uri[1]) );
 	else
 		$theme_uri = '';
@ -195,7 +195,7 @@ function get_theme_data( $theme_file ) {
 		$description = '';
 	if ( preg_match( '|Author URI:(.*)$|mi', $theme_data, $author_uri ) )
-		$author_uri = clean_url( _cleanup_header_comment($author_uri[1]) );
+		$author_uri = esc_url( _cleanup_header_comment($author_uri[1]) );
 	else
 		$author_uri = '';
--- a/wp-includes/update.php
+++ b/wp-includes/update.php
@ -67,9 +67,9 @@ function wp_version_check() {
 		$new_option = new stdClass();
 		$new_option->response = esc_attr( $returns[0] );
 		if ( isset( $returns[1] ) )
-			$new_option->url = clean_url( $returns[1] );
+			$new_option->url = esc_url( $returns[1] );
 		if ( isset( $returns[2] ) )
-			$new_option->package = clean_url( $returns[2] );
+			$new_option->package = esc_url( $returns[2] );
 		if ( isset( $returns[3] ) )
 			$new_option->current = esc_attr( $returns[3] );
 		if ( isset( $returns[4] ) )
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@ -15,6 +15,6 @@ $wp_version = '2.8-beta1-11380';
 *
 * @global int $wp_db_version
 */
-$wp_db_version = 10850;
+$wp_db_version = 10851;
 ?>