Formatting: Make `sanitize_url()` the recommended function for sanitizing a URL.

A general security rule is "Sanitize when you save, escape when you echo". In WordPress 5.9, `sanitize_url()` was un-deprecated in order to better align with the naming of other sanitizing functions, while still being an alias for `esc_url_raw()`. This commit reverses the order and turns `esc_url_raw()` into a wrapper for `sanitize_url()`, making the latter the canonical function call and aiming to improve performance by reducing the number of function calls required when using the recommended technique. Follow-up to [11383], [13096], [51597]. Props benjgrolleau, peterwilsoncc, SergeyBiryukov. See #55852. Built from https://develop.svn.wordpress.org/trunk@53452 git-svn-id: http://core.svn.wordpress.org/trunk@53041 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2022-05-31 15:17:14 +00:00 · 2022-05-31 15:17:14 +00:00 · d0712f35d4
parent 9268ef9788
commit d0712f35d4
2 changed files with 24 additions and 23 deletions
--- a/wp-includes/formatting.php
+++ b/wp-includes/formatting.php
@ -4458,9 +4458,30 @@ function esc_url( $url, $protocols = null, $_context = 'display' ) {
 }

 /**
- * Performs esc_url() for database or redirect usage.
+ * Sanitizes a URL for database or redirect usage.
+ *
+ * This function is an alias for sanitize_url().
 *
 * @since 2.8.0
+ * @since 6.1.0 Turned into an alias for sanitize_url().
+ *
+ * @see sanitize_url()
+ *
+ * @param string   $url       The URL to be cleaned.
+ * @param string[] $protocols Optional. An array of acceptable protocols.
+ *                            Defaults to return value of wp_allowed_protocols().
+ * @return string The cleaned URL after sanitize_url() is run.
+ */
+function esc_url_raw( $url, $protocols = null ) {
+	return sanitize_url( $url, $protocols );
+}
+
+/**
+ * Sanitizes a URL for database or redirect usage.
+ *
+ * @since 2.3.1
+ * @since 2.8.0 Deprecated in favor of esc_url_raw().
+ * @since 5.9.0 Restored (un-deprecated).
 *
 * @see esc_url()
 *
@ -4469,28 +4490,8 @@ function esc_url( $url, $protocols = null, $_context = 'display' ) {
 *                            Defaults to return value of wp_allowed_protocols().
 * @return string The cleaned URL after esc_url() is run with the 'db' context.
 */
-function esc_url_raw( $url, $protocols = null ) {
-	return esc_url( $url, $protocols, 'db' );
-}
-
-/**
- * Performs esc_url() for database or redirect usage.
- *
- * This function is an alias for esc_url_raw().
- *
- * @since 2.3.1
- * @since 2.8.0 Deprecated in favor of esc_url_raw().
- * @since 5.9.0 Restored (un-deprecated).
- *
- * @see esc_url_raw()
- *
- * @param string   $url       The URL to be cleaned.
- * @param string[] $protocols Optional. An array of acceptable protocols.
- *                            Defaults to return value of wp_allowed_protocols().
- * @return string The cleaned URL after esc_url() is run with the 'db' context.
- */
 function sanitize_url( $url, $protocols = null ) {
-	return esc_url_raw( $url, $protocols );
+	return esc_url( $url, $protocols, 'db' );
 }

 /**
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@ -16,7 +16,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '6.1-alpha-53451';
+$wp_version = '6.1-alpha-53452';

 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.