Opened 4 months ago
Last modified 4 months ago
#60864 new defect (bug)
URL sanitizing strips valid characters instead of encoding, documented use is invalid
| Reported by: |
kkmuffme
|
Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Review | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Security | Keywords: | has-patch has-unit-tests |
| Focuses: | Cc: |
Description
- wp_sanitize_redirect creates different URL instead of correctly percent-encoding e.g. for URLs that contain "<" - followup to https://core.trac.wordpress.org/ticket/31486 where this was partially fixed
- sanitize_url is documented to sanitize for redirect usage but the URI is not valid for redirects since it's not percent-encoded - followup to https://core.trac.wordpress.org/ticket/56160
- esc_url and sanitize_url strip characters that don't need to be stripped but can be HTML encoded to make them safe, e.g. "<" causing some URLs to be broken.
Change History (4)
This ticket was mentioned in PR #6335 on WordPress/wordpress-develop by @kkmuffme.
4 months ago
#2
- Keywords has-patch has-unit-tests added
Trac ticket: https://core.trac.wordpress.org/ticket/60864
#3
@
4 months ago
Before I fix all the broken tests, I want to gather some feedback on this - the tests are broken because the characters were stripped instead of encoded, which caused some URLs to be invalid, leading to 404s.
This ticket was mentioned in Slack in #core by kkmuffme. View the logs.
4 months ago
Note: See
TracTickets for help on using
tickets.
#56160 was marked as a duplicate.