WordPress-C
/
WordPress
mirror of https://github.com/WordPress/WordPress.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Formatting: Make `sanitize_url()` the recommended function for sanitizing a URL. 

A general security rule is "Sanitize when you save, escape when you echo".

In WordPress 5.9, `sanitize_url()` was un-deprecated in order to better align with the naming of other sanitizing functions, while still being an alias for `esc_url_raw()`.

This commit reverses the order and turns `esc_url_raw()` into a wrapper for `sanitize_url()`, making the latter the canonical function call and aiming to improve performance by reducing the number of function calls required when using the recommended technique.

Follow-up to [11383], [13096], [51597].

Props benjgrolleau, peterwilsoncc, SergeyBiryukov.
See #55852.
Built from https://develop.svn.wordpress.org/trunk@53452


git-svn-id: http://core.svn.wordpress.org/trunk@53041 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
Sergey Biryukov 2022-05-31 15:17:14 +00:00
parent 9268ef9788
commit d0712f35d4
2 changed files with 24 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
wp-includes/formatting.php
View File

@ -4458,9 +4458,30 @@ function esc_url( $url, $protocols = null, $_context = 'display' ) {
} }
/** /**
* Performs esc_url() for database or redirect usage. * Sanitizes a URL for database or redirect usage.
*
* This function is an alias for sanitize_url().
* *
* @since 2.8.0 * @since 2.8.0
* @since 6.1.0 Turned into an alias for sanitize_url().
*
* @see sanitize_url()
*
* @param string $url The URL to be cleaned.
* @param string[] $protocols Optional. An array of acceptable protocols.
* Defaults to return value of wp_allowed_protocols().
* @return string The cleaned URL after sanitize_url() is run.
*/
function esc_url_raw( $url, $protocols = null ) {
return sanitize_url( $url, $protocols );
}
/**
* Sanitizes a URL for database or redirect usage.
*
* @since 2.3.1
* @since 2.8.0 Deprecated in favor of esc_url_raw().
* @since 5.9.0 Restored (un-deprecated).
* *
* @see esc_url() * @see esc_url()
* *
@ -4469,28 +4490,8 @@ function esc_url( $url, $protocols = null, $_context = 'display' ) {
* Defaults to return value of wp_allowed_protocols(). * Defaults to return value of wp_allowed_protocols().
* @return string The cleaned URL after esc_url() is run with the 'db' context. * @return string The cleaned URL after esc_url() is run with the 'db' context.
*/ */
function esc_url_raw( $url, $protocols = null ) {
return esc_url( $url, $protocols, 'db' );
}
/**
* Performs esc_url() for database or redirect usage.
*
* This function is an alias for esc_url_raw().
*
* @since 2.3.1
* @since 2.8.0 Deprecated in favor of esc_url_raw().
* @since 5.9.0 Restored (un-deprecated).
*
* @see esc_url_raw()
*
* @param string $url The URL to be cleaned.
* @param string[] $protocols Optional. An array of acceptable protocols.
* Defaults to return value of wp_allowed_protocols().
* @return string The cleaned URL after esc_url() is run with the 'db' context.
*/
function sanitize_url( $url, $protocols = null ) { function sanitize_url( $url, $protocols = null ) {
return esc_url_raw( $url, $protocols ); return esc_url( $url, $protocols, 'db' );
} }
/** /**

2
wp-includes/version.php
View File

@ -16,7 +16,7 @@
* *
* @global string $wp_version * @global string $wp_version
*/ */
$wp_version = '6.1-alpha-53451'; $wp_version = '6.1-alpha-53452';
/** /**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema. * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.