From d0712f35d4ae1e9fc4e5e3b49f1e0d61ca8eded2 Mon Sep 17 00:00:00 2001
From: Sergey Biryukov
Date: Tue, 31 May 2022 15:17:14 +0000
Subject: [PATCH] Formatting: Make `sanitize_url()` the recommended function for sanitizing a URL.

A general security rule is "Sanitize when you save, escape when you echo".

In WordPress 5.9, `sanitize_url()` was un-deprecated in order to better align with the naming of other sanitizing functions, while still being an alias for `esc_url_raw()`.

This commit reverses the order and turns `esc_url_raw()` into a wrapper for `sanitize_url()`, making the latter the canonical function call and aiming to improve performance by reducing the number of function calls required when using the recommended technique.

Follow-up to [11383], [13096], [51597].

Props benjgrolleau, peterwilsoncc, SergeyBiryukov.
See #55852.

Built from https://develop.svn.wordpress.org/trunk@53452

git-svn-id: http://core.svn.wordpress.org/trunk@53041 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/formatting.php | 45 +++++++++++++++++++-------------------
 wp-includes/version.php | 2 +-
 2 files changed, 24 insertions(+), 23 deletions(-)

diff --git a/wp-includes/formatting.php b/wp-includes/formatting.php
index 06e0f26aae..b8701c5822 100644
--- a/wp-includes/formatting.php
+++ b/wp-includes/formatting.php
@@ -4458,9 +4458,30 @@ function esc_url( $url, $protocols = null, $_context = 'display' ) {
 }
 
 /**
- * Performs esc_url() for database or redirect usage.
+ * Sanitizes a URL for database or redirect usage.
+ *
+ * This function is an alias for sanitize_url().
  *
  * @since 2.8.0
+ * @since 6.1.0 Turned into an alias for sanitize_url().
+ *
+ * @see sanitize_url()
+ *
+ * @param string $url The URL to be cleaned.
+ * @param string[] $protocols Optional. An array of acceptable protocols.
+ * Defaults to return value of wp_allowed_protocols().
+ * @return string The cleaned URL after sanitize_url() is run.
+ */
+function esc_url_raw( $url, $protocols = null ) {
+ return sanitize_url( $url, $protocols );
+}
+
+/**
+ * Sanitizes a URL for database or redirect usage.
+ *
+ * @since 2.3.1
+ * @since 2.8.0 Deprecated in favor of esc_url_raw().
+ * @since 5.9.0 Restored (un-deprecated).
  *
  * @see esc_url()
  *
@@ -4469,28 +4490,8 @@ function esc_url( $url, $protocols = null, $_context = 'display' ) {
  * Defaults to return value of wp_allowed_protocols().
  * @return string The cleaned URL after esc_url() is run with the 'db' context.
  */
-function esc_url_raw( $url, $protocols = null ) {
- return esc_url( $url, $protocols, 'db' );
-}
-
-/**
- * Performs esc_url() for database or redirect usage.
- *
- * This function is an alias for esc_url_raw().
- *
- * @since 2.3.1
- * @since 2.8.0 Deprecated in favor of esc_url_raw().
- * @since 5.9.0 Restored (un-deprecated).
- *
- * @see esc_url_raw()
- *
- * @param string $url The URL to be cleaned.
- * @param string[] $protocols Optional. An array of acceptable protocols.
- * Defaults to return value of wp_allowed_protocols().
- * @return string The cleaned URL after esc_url() is run with the 'db' context.
- */
 function sanitize_url( $url, $protocols = null ) {
- return esc_url_raw( $url, $protocols );
+ return esc_url( $url, $protocols, 'db' );
 }
 
 /**
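Review bot: The sanitize_url() docblock that survives into the second hunk records its history only up to 5.9.0, yet this hunk makes it the canonical implementation (the esc_url_raw() docblock in the first hunk does get a 6.1.0 entry for the mirror-image change), so the changelog should be completed with ` * @since 6.1.0 Became the canonical implementation; esc_url_raw() is now an alias for this function.` after the 5.9.0 line. Since the function is now the one developers are steered toward for the "sanitize when you save" half of the rule quoted in the commit message, the description should also make the other half explicit: as far as I recall esc_url()'s 'db' context skips the display-context entity encoding, so a note such as ` * The result is intended for storage or redirects and is not escaped for output; pass it through esc_url() before echoing it into HTML.` would prevent the sanitized value being treated as display-safe. The retained `@return` line still says "after esc_url() is run with the 'db' context", which remains accurate on the new side and needs no change.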
diff --git a/wp-includes/version.php b/wp-includes/version.php
index 47e8f8a224..08b19ddeb4 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -16,7 +16,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '6.1-alpha-53451';
+$wp_version = '6.1-alpha-53452';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.