URL escaping added in 'about.php' file

[monzuralam]

File path: src/wp-admin/about.php

Here URL escaping is missing ( Line: 519, 530 ) without any escaping.

But in the same file use, proper escaping is used ( Line: 219 ) esc_url is used to escape the URL properly.

We need to do the same too.

Thanks.

Trac ticket: 57042

[audrasjb]

Moving this to milestone 6.1.1 since it wouldn't make much sense to fix it in the next major as the about page content will be replaced.

Not sure this is something worth to be fixed in a minor, though, as polyglots who can edit those links are trusted contributors (they have General Translation Editor permissions). But it wouldn't hurt :)

[audrasjb]

I also added a question in the above PR.

[desrosj]

Changes have been requested on the pull request. But, it looks like it's fairly mixed throughout the code base for passing translated URLs through esc_url().

• There are currently 122 instances of __( 'https:// in Core (excluding bundled themes).
• 24 of them are passed through esc_url().

My recommended course of action is:

• Closing this as a wontfix as the current code matches the majority of occurrences in Core today.
• Opening a new ticket to confirm the correct way to handle these scenarios (which I am assuming will follow the "Core translations are trusted" policy)
• Use that new ticket to correct all instances at once.

[audrasjb]

+1, that totally make sense to me.

[peterwilsoncc]

I agree this can be closed without a fix.

While the intent is good, the escaping functions are only needed for user input. As the URL is hard coded in this instance, escaping isn't required.

It's a nuanced point and I realise that the inconsistently in WordPress contributes to the confusion, so I really appreciate your taking the time to open the ticket @monzuralam

Closing as the Trac ticket this was meant to address has been closed as wontfix.