Upstream
/
WordPress
mirror of https://github.com/WordPress/WordPress.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

General: Replace all `esc_url_raw()` calls in core with `sanitize_url()`. 

This aims to improve performance by calling `sanitize_url()` directly, instead of the `esc_url_raw()` wrapper. As of WordPress 6.1, `sanitize_url()` is the recommended function for sanitizing a URL for database or redirect usage.

Follow-up to [11383], [13096], [51597], [53452].

Props benjgrolleau, peterwilsoncc, SergeyBiryukov.
Fixes #55852.
Built from https://develop.svn.wordpress.org/trunk@53455


git-svn-id: http://core.svn.wordpress.org/trunk@53044 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
Sergey Biryukov 2022-06-01 18:14:10 +00:00
parent 3be126b751
commit 01d172b581
37 changed files with 79 additions and 79 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
wp-admin/edit-tag-form.php
View File

@ -83,7 +83,7 @@ if ( $message ) {
<div id="message" class="notice notice-<?php echo $class; ?>">
<p><strong><?php echo $message; ?></strong></p>
<?php if ( $wp_http_referer ) { ?>
<p><a href="<?php echo esc_url( wp_validate_redirect( esc_url_raw( $wp_http_referer ), admin_url( 'term.php?taxonomy=' . $taxonomy ) ) ); ?>">
<p><a href="<?php echo esc_url( wp_validate_redirect( sanitize_url( $wp_http_referer ), admin_url( 'term.php?taxonomy=' . $taxonomy ) ) ); ?>">
<?php echo esc_html( $tax->labels->back_to_items ); ?>
</a></p>
<?php } ?>

2
wp-admin/edit-tags.php
View File

@ -160,7 +160,7 @@ switch ( $wp_list_table->current_action() ) {
wp_die( __( 'You attempted to edit an item that does not exist. Perhaps it was deleted?' ) );
}
wp_redirect( esc_url_raw( get_edit_term_link( $term_id, $taxonomy, $post_type ) ) );
wp_redirect( sanitize_url( get_edit_term_link( $term_id, $taxonomy, $post_type ) ) );
exit;
case 'editedtag':

4
wp-admin/includes/ajax-actions.php
View File

@ -431,7 +431,7 @@ function _wp_ajax_delete_comment_response( $comment_id, $delta = -1 ) {
$total = isset( $_POST['_total'] ) ? (int) $_POST['_total'] : 0;
$per_page = isset( $_POST['_per_page'] ) ? (int) $_POST['_per_page'] : 0;
$page = isset( $_POST['_page'] ) ? (int) $_POST['_page'] : 0;
$url = isset( $_POST['_url'] ) ? esc_url_raw( $_POST['_url'] ) : '';
$url = isset( $_POST['_url'] ) ? sanitize_url( $_POST['_url'] ) : '';
// JS didn't send us everything we need to know. Just die with success message.
if ( ! $total || ! $per_page || ! $page || ! $url ) {
@ -3333,7 +3333,7 @@ function wp_ajax_send_link_to_editor() {
$src = 'http://' . $src;
}
$src = esc_url_raw( $src );
$src = sanitize_url( $src );
if ( ! $src ) {
wp_send_json_error();
}

8
wp-admin/includes/class-custom-background.php
View File

@ -526,10 +526,10 @@ class Custom_Background {
wp_update_attachment_metadata( $id, wp_generate_attachment_metadata( $id, $file ) );
update_post_meta( $id, '_wp_attachment_is_custom_background', get_option( 'stylesheet' ) );
set_theme_mod( 'background_image', esc_url_raw( $url ) );
set_theme_mod( 'background_image', sanitize_url( $url ) );
$thumbnail = wp_get_attachment_image_src( $id, 'thumbnail' );
set_theme_mod( 'background_image_thumb', esc_url_raw( $thumbnail[0] ) );
set_theme_mod( 'background_image_thumb', sanitize_url( $thumbnail[0] ) );
/** This action is documented in wp-admin/includes/class-custom-image-header.php */
do_action( 'wp_create_file_in_uploads', $file, $id ); // For replication.
@ -618,8 +618,8 @@ class Custom_Background {
$url = wp_get_attachment_image_src( $attachment_id, $size );
$thumbnail = wp_get_attachment_image_src( $attachment_id, 'thumbnail' );
set_theme_mod( 'background_image', esc_url_raw( $url[0] ) );
set_theme_mod( 'background_image_thumb', esc_url_raw( $thumbnail[0] ) );
set_theme_mod( 'background_image', sanitize_url( $url[0] ) );
set_theme_mod( 'background_image_thumb', sanitize_url( $thumbnail[0] ) );
exit;
}
}

4
wp-admin/includes/class-custom-image-header.php
View File

@ -1159,7 +1159,7 @@ endif;
return;
}
$choice['url'] = esc_url_raw( $choice['url'] );
$choice['url'] = sanitize_url( $choice['url'] );
$header_image_data = (object) array(
'attachment_id' => $choice['attachment_id'],
@ -1197,7 +1197,7 @@ endif;
}
}
set_theme_mod( 'header_image', esc_url_raw( $header_image_data['url'] ) );
set_theme_mod( 'header_image', sanitize_url( $header_image_data['url'] ) );
set_theme_mod( 'header_image_data', $header_image_data );
}

2
wp-admin/includes/export.php
View File

@ -632,7 +632,7 @@ function export_wp( $args = array() ) {
<wp:comment_id><?php echo (int) $c->comment_ID; ?></wp:comment_id>
<wp:comment_author><?php echo wxr_cdata( $c->comment_author ); ?></wp:comment_author>
<wp:comment_author_email><?php echo wxr_cdata( $c->comment_author_email ); ?></wp:comment_author_email>
<wp:comment_author_url><?php echo esc_url_raw( $c->comment_author_url ); ?></wp:comment_author_url>
<wp:comment_author_url><?php echo sanitize_url( $c->comment_author_url ); ?></wp:comment_author_url>
<wp:comment_author_IP><?php echo wxr_cdata( $c->comment_author_IP ); ?></wp:comment_author_IP>
<wp:comment_date><?php echo wxr_cdata( $c->comment_date ); ?></wp:comment_date>
<wp:comment_date_gmt><?php echo wxr_cdata( $c->comment_date_gmt ); ?></wp:comment_date_gmt>

4
wp-admin/includes/media.php
View File

@ -917,7 +917,7 @@ function wp_media_upload_handler() {
* @param string $src Media source URL.
* @param string $title Media title.
*/
$html = apply_filters( "{$type}_send_to_editor_url", $html, esc_url_raw( $src ), $title );
$html = apply_filters( "{$type}_send_to_editor_url", $html, sanitize_url( $src ), $title );
} else {
$align = '';
$alt = esc_attr( wp_unslash( $_POST['alt'] ) );
@ -942,7 +942,7 @@ function wp_media_upload_handler() {
* @param string $align The image alignment. Default 'alignnone'. Possible values include
* 'alignleft', 'aligncenter', 'alignright', 'alignnone'.
*/
$html = apply_filters( 'image_send_to_editor_url', $html, esc_url_raw( $src ), $alt, $align );
$html = apply_filters( 'image_send_to_editor_url', $html, sanitize_url( $src ), $alt, $align );
}
return media_send_to_editor( $html );

2
wp-admin/includes/post.php
View File

@ -322,7 +322,7 @@ function edit_post( $post_data = null ) {
foreach ( $format_meta_urls as $format_meta_url ) {
$keyed = '_format_' . $format_meta_url;
if ( isset( $post_data[ $keyed ] ) ) {
update_post_meta( $post_ID, $keyed, wp_slash( esc_url_raw( wp_unslash( $post_data[ $keyed ] ) ) ) );
update_post_meta( $post_ID, $keyed, wp_slash( sanitize_url( wp_unslash( $post_data[ $keyed ] ) ) ) );
}
}

4
wp-admin/includes/privacy-tools.php
View File

@ -706,10 +706,10 @@ All at ###SITENAME###
$content = apply_filters( 'wp_privacy_personal_data_email_content', $email_text, $request_id, $email_data );
$content = str_replace( '###EXPIRATION###', $expiration_date, $content );
$content = str_replace( '###LINK###', esc_url_raw( $export_file_url ), $content );
$content = str_replace( '###LINK###', sanitize_url( $export_file_url ), $content );
$content = str_replace( '###EMAIL###', $request_email, $content );
$content = str_replace( '###SITENAME###', $site_name, $content );
$content = str_replace( '###SITEURL###', esc_url_raw( $site_url ), $content );
$content = str_replace( '###SITEURL###', sanitize_url( $site_url ), $content );
$headers = '';

2
wp-admin/includes/theme.php
View File

@ -712,7 +712,7 @@ function wp_prepare_themes_for_js( $themes = null ) {
$customize_action = esc_url(
add_query_arg(
array(
'return' => urlencode( esc_url_raw( remove_query_arg( wp_removable_query_args(), wp_unslash( $_SERVER['REQUEST_URI'] ) ) ) ),
'return' => urlencode( sanitize_url( remove_query_arg( wp_removable_query_args(), wp_unslash( $_SERVER['REQUEST_URI'] ) ) ) ),
),
wp_customize_url( $slug )
)

2
wp-admin/includes/user.php
View File

@ -84,7 +84,7 @@ function edit_user( $user_id = 0 ) {
if ( empty( $_POST['url'] ) || 'http://' === $_POST['url'] ) {
$user->user_url = '';
} else {
$user->user_url = esc_url_raw( $_POST['url'] );
$user->user_url = sanitize_url( $_POST['url'] );
$protocols = implode( '|', array_map( 'preg_quote', wp_allowed_protocols() ) );
$user->user_url = preg_match( '/^(' . $protocols . '):/is', $user->user_url ) ? $user->user_url : 'http://' . $user->user_url;
}

4
wp-admin/network/site-info.php
View File

@ -90,7 +90,7 @@ if ( isset( $_REQUEST['action'] ) && 'update-site' === $_REQUEST['action'] ) {
$old_home_parsed = parse_url( $old_home_url );
if ( $old_home_parsed['host'] === $existing_details->domain && $old_home_parsed['path'] === $existing_details->path ) {
$new_home_url = untrailingslashit( esc_url_raw( $blog_data['scheme'] . '://' . $new_details->domain . $new_details->path ) );
$new_home_url = untrailingslashit( sanitize_url( $blog_data['scheme'] . '://' . $new_details->domain . $new_details->path ) );
update_option( 'home', $new_home_url );
}
@ -98,7 +98,7 @@ if ( isset( $_REQUEST['action'] ) && 'update-site' === $_REQUEST['action'] ) {
$old_site_parsed = parse_url( $old_site_url );
if ( $old_site_parsed['host'] === $existing_details->domain && $old_site_parsed['path'] === $existing_details->path ) {
$new_site_url = untrailingslashit( esc_url_raw( $blog_data['scheme'] . '://' . $new_details->domain . $new_details->path ) );
$new_site_url = untrailingslashit( sanitize_url( $blog_data['scheme'] . '://' . $new_details->domain . $new_details->path ) );
update_option( 'siteurl', $new_site_url );
}

2
wp-admin/term.php
View File

@ -20,7 +20,7 @@ if ( empty( $_REQUEST['tag_ID'] ) ) {
$sendback = add_query_arg( 'post_type', get_current_screen()->post_type, $sendback );
}
wp_redirect( esc_url_raw( $sendback ) );
wp_redirect( sanitize_url( $sendback ) );
exit;
}

2
wp-admin/upgrade.php
View File

@ -133,7 +133,7 @@ else :
case 0:
$goback = wp_get_referer();
if ( $goback ) {
$goback = esc_url_raw( $goback );
$goback = sanitize_url( $goback );
$goback = urlencode( $goback );
}
?>

2
wp-admin/user-edit.php
View File

@ -209,7 +209,7 @@ switch ( $action ) {
<p><strong><?php _e( 'User updated.' ); ?></strong></p>
<?php endif; ?>
<?php if ( $wp_http_referer && false === strpos( $wp_http_referer, 'user-new.php' ) && ! IS_PROFILE_PAGE ) : ?>
<p><a href="<?php echo esc_url( wp_validate_redirect( esc_url_raw( $wp_http_referer ), self_admin_url( 'users.php' ) ) ); ?>"><?php _e( '&larr; Go to Users' ); ?></a></p>
<p><a href="<?php echo esc_url( wp_validate_redirect( sanitize_url( $wp_http_referer ), self_admin_url( 'users.php' ) ) ); ?>"><?php _e( '&larr; Go to Users' ); ?></a></p>
<?php endif; ?>
</div>
<?php endif; ?>

30
wp-includes/class-wp-customize-manager.php
View File

@ -2111,7 +2111,7 @@ final class WP_Customize_Manager {
$exported_setting_validities = array_map( array( $this, 'prepare_setting_validity_for_js' ), $setting_validities );
// Note that the REQUEST_URI is not passed into home_url() since this breaks subdirectory installations.
$self_url = empty( $_SERVER['REQUEST_URI'] ) ? home_url( '/' ) : esc_url_raw( wp_unslash( $_SERVER['REQUEST_URI'] ) );
$self_url = empty( $_SERVER['REQUEST_URI'] ) ? home_url( '/' ) : sanitize_url( wp_unslash( $_SERVER['REQUEST_URI'] ) );
$state_query_params = array(
'customize_theme',
'customize_changeset_uuid',
@ -2158,7 +2158,7 @@ final class WP_Customize_Manager {
),
'url' => array(
'self' => $self_url,
'allowed' => array_map( 'esc_url_raw', $this->get_allowed_urls() ),
'allowed' => array_map( 'sanitize_url', $this->get_allowed_urls() ),
'allowedHosts' => array_unique( $allowed_hosts ),
'isCrossDomain' => $this->is_cross_domain(),
),
@ -4574,7 +4574,7 @@ final class WP_Customize_Manager {
* @param string $preview_url URL to be previewed.
*/
public function set_preview_url( $preview_url ) {
$preview_url = esc_url_raw( $preview_url );
$preview_url = sanitize_url( $preview_url );
$this->preview_url = wp_validate_redirect( $preview_url, home_url( '/' ) );
}
@ -4662,7 +4662,7 @@ final class WP_Customize_Manager {
* @param string $return_url URL for return link.
*/
public function set_return_url( $return_url ) {
$return_url = esc_url_raw( $return_url );
$return_url = sanitize_url( $return_url );
$return_url = remove_query_arg( wp_removable_query_args(), $return_url );
$return_url = wp_validate_redirect( $return_url );
$this->return_url = $return_url;
@ -4894,15 +4894,15 @@ final class WP_Customize_Manager {
'_canInstall' => current_user_can( 'install_themes' ),
),
'url' => array(
'preview' => esc_url_raw( $this->get_preview_url() ),
'return' => esc_url_raw( $this->get_return_url() ),
'parent' => esc_url_raw( admin_url() ),
'activated' => esc_url_raw( home_url( '/' ) ),
'ajax' => esc_url_raw( admin_url( 'admin-ajax.php', 'relative' ) ),
'allowed' => array_map( 'esc_url_raw', $this->get_allowed_urls() ),
'preview' => sanitize_url( $this->get_preview_url() ),
'return' => sanitize_url( $this->get_return_url() ),
'parent' => sanitize_url( admin_url() ),
'activated' => sanitize_url( home_url( '/' ) ),
'ajax' => sanitize_url( admin_url( 'admin-ajax.php', 'relative' ) ),
'allowed' => array_map( 'sanitize_url', $this->get_allowed_urls() ),
'isCrossDomain' => $this->is_cross_domain(),
'home' => esc_url_raw( home_url( '/' ) ),
'login' => esc_url_raw( $login_url ),
'home' => sanitize_url( home_url( '/' ) ),
'login' => sanitize_url( $login_url ),
),
'browser' => array(
'mobile' => wp_is_mobile(),
@ -6006,7 +6006,7 @@ final class WP_Customize_Manager {
return new WP_Error( 'invalid_value', __( 'Invalid value for background size.' ) );
}
} elseif ( 'background_image' === $setting->id || 'background_image_thumb' === $setting->id ) {
$value = empty( $value ) ? '' : esc_url_raw( $value );
$value = empty( $value ) ? '' : sanitize_url( $value );
} else {
return new WP_Error( 'unrecognized_setting', __( 'Unrecognized background setting.' ) );
}
@ -6079,7 +6079,7 @@ final class WP_Customize_Manager {
* @return mixed
*/
public function _validate_external_header_video( $validity, $value ) {
$video = esc_url_raw( $value );
$video = sanitize_url( $value );
if ( $video ) {
if ( ! preg_match( '#^https?://(?:www\.)?(?:youtube\.com/watch|youtu\.be/)#', $video ) ) {
$validity->add( 'invalid_url', __( 'Please enter a valid YouTube URL.' ) );
@ -6097,7 +6097,7 @@ final class WP_Customize_Manager {
* @return string Sanitized URL.
*/
public function _sanitize_external_header_video( $value ) {
return esc_url_raw( trim( $value ) );
return sanitize_url( trim( $value ) );
}
/**

2
wp-includes/class-wp-theme.php
View File

@ -888,7 +888,7 @@ final class WP_Theme implements ArrayAccess {
break;
case 'ThemeURI':
case 'AuthorURI':
$value = esc_url_raw( $value );
$value = sanitize_url( $value );
break;
case 'Tags':
$value = array_filter( array_map( 'trim', explode( ',', strip_tags( $value ) ) ) );

2
wp-includes/customize/class-wp-customize-nav-menu-item-setting.php
View File

@ -726,7 +726,7 @@ class WP_Customize_Nav_Menu_Item_Setting extends WP_Customize_Setting {
$menu_item_value['description'] = wp_unslash( apply_filters( 'content_save_pre', wp_slash( $menu_item_value['description'] ) ) );
if ( '' !== $menu_item_value['url'] ) {
$menu_item_value['url'] = esc_url_raw( $menu_item_value['url'] );
$menu_item_value['url'] = sanitize_url( $menu_item_value['url'] );
if ( '' === $menu_item_value['url'] ) {
return new WP_Error( 'invalid_url', __( 'Invalid URL.' ) ); // Fail sanitization if URL is invalid.
}

2
wp-includes/default-filters.php
View File

@ -72,7 +72,7 @@ foreach ( array(
'pre_post_guid',
) as $filter ) {
add_filter( $filter, 'wp_strip_all_tags' );
add_filter( $filter, 'esc_url_raw' );
add_filter( $filter, 'sanitize_url' );
add_filter( $filter, 'wp_filter_kses' );
}

2
wp-includes/deprecated.php
View File

@ -2041,7 +2041,7 @@ function get_link( $bookmark_id, $output = OBJECT, $filter = 'raw' ) {
*/
function clean_url( $url, $protocols = null, $context = 'display' ) {
if ( $context == 'db' )
_deprecated_function( 'clean_url( $context = \'db\' )', '3.0.0', 'esc_url_raw()' );
_deprecated_function( 'clean_url( $context = \'db\' )', '3.0.0', 'sanitize_url()' );
else
_deprecated_function( __FUNCTION__, '3.0.0', 'esc_url()' );
return esc_url( $url, $protocols, $context );

2
wp-includes/embed.php
View File

@ -426,7 +426,7 @@ function get_post_embed_url( $post = null ) {
* @param string $embed_url The post embed URL.
* @param WP_Post $post The corresponding post object.
*/
return esc_url_raw( apply_filters( 'post_embed_url', $embed_url, $post ) );
return sanitize_url( apply_filters( 'post_embed_url', $embed_url, $post ) );
}
/**

14
wp-includes/formatting.php
View File

@ -4354,7 +4354,7 @@ function esc_sql( $data ) {
* @param string $url The URL to be cleaned.
* @param string[] $protocols Optional. An array of acceptable protocols.
* Defaults to return value of wp_allowed_protocols().
* @param string $_context Private. Use esc_url_raw() for database usage.
* @param string $_context Private. Use sanitize_url() for database usage.
* @return string The cleaned URL after the {@see 'clean_url'} filter is applied.
* An empty string is returned if `$url` specifies a protocol other than
* those in `$protocols`, or if `$url` contains an empty string.
@ -4830,7 +4830,7 @@ function sanitize_option( $option, $value ) {
case 'ping_sites':
$value = explode( "\n", $value );
$value = array_filter( array_map( 'trim', $value ) );
$value = array_filter( array_map( 'esc_url_raw', $value ) );
$value = array_filter( array_map( 'sanitize_url', $value ) );
$value = implode( "\n", $value );
break;
@ -4844,7 +4844,7 @@ function sanitize_option( $option, $value ) {
$error = $value->get_error_message();
} else {
if ( preg_match( '#http(s?)://(.+)#i', $value ) ) {
$value = esc_url_raw( $value );
$value = sanitize_url( $value );
} else {
$error = __( 'The WordPress address you entered did not appear to be a valid URL. Please enter a valid URL.' );
}
@ -4857,7 +4857,7 @@ function sanitize_option( $option, $value ) {
$error = $value->get_error_message();
} else {
if ( preg_match( '#http(s?)://(.+)#i', $value ) ) {
$value = esc_url_raw( $value );
$value = sanitize_url( $value );
} else {
$error = __( 'The Site address you entered did not appear to be a valid URL. Please enter a valid URL.' );
}
@ -4929,7 +4929,7 @@ function sanitize_option( $option, $value ) {
if ( is_wp_error( $value ) ) {
$error = $value->get_error_message();
} else {
$value = esc_url_raw( $value );
$value = sanitize_url( $value );
$value = str_replace( 'http://', '', $value );
}
@ -5580,7 +5580,7 @@ function sanitize_trackback_urls( $to_ping ) {
unset( $urls_to_ping[ $k ] );
}
}
$urls_to_ping = array_map( 'esc_url_raw', $urls_to_ping );
$urls_to_ping = array_map( 'sanitize_url', $urls_to_ping );
$urls_to_ping = implode( "\n", $urls_to_ping );
/**
* Filters a list of trackback URLs following sanitization.
@ -5649,7 +5649,7 @@ function get_url_in_content( $content ) {
}
if ( preg_match( '/<a\s[^>]*?href=([\'"])(.+?)\1/is', $content, $matches ) ) {
return esc_url_raw( $matches[2] );
return sanitize_url( $matches[2] );
}
return false;

4
wp-includes/general-template.php
View File

@ -4759,10 +4759,10 @@ function get_the_generator( $type = '' ) {
$gen = '<generator uri="https://wordpress.org/" version="' . esc_attr( get_bloginfo_rss( 'version' ) ) . '">WordPress</generator>';
break;
case 'rss2':
$gen = '<generator>' . esc_url_raw( 'https://wordpress.org/?v=' . get_bloginfo_rss( 'version' ) ) . '</generator>';
$gen = '<generator>' . sanitize_url( 'https://wordpress.org/?v=' . get_bloginfo_rss( 'version' ) ) . '</generator>';
break;
case 'rdf':
$gen = '<admin:generatorAgent rdf:resource="' . esc_url_raw( 'https://wordpress.org/?v=' . get_bloginfo_rss( 'version' ) ) . '" />';
$gen = '<admin:generatorAgent rdf:resource="' . sanitize_url( 'https://wordpress.org/?v=' . get_bloginfo_rss( 'version' ) ) . '" />';
break;
case 'comment':
$gen = '<!-- generator="WordPress/' . esc_attr( get_bloginfo( 'version' ) ) . '" -->';

4
wp-includes/link-template.php
View File

@ -2343,7 +2343,7 @@ function adjacent_post_link( $format, $link, $in_same_term = false, $excluded_te
*
* @param int $pagenum Optional. Page number. Default 1.
* @param bool $escape Optional. Whether to escape the URL for display, with esc_url(). Defaults to true.
* Otherwise, prepares the URL with esc_url_raw().
* Otherwise, prepares the URL with sanitize_url().
* @return string The link URL for the given page number.
*/
function get_pagenum_link( $pagenum = 1, $escape = true ) {
@ -2410,7 +2410,7 @@ function get_pagenum_link( $pagenum = 1, $escape = true ) {
if ( $escape ) {
return esc_url( $result );
} else {
return esc_url_raw( $result );
return sanitize_url( $result );
}
}

2
wp-includes/ms-deprecated.php
View File

@ -378,7 +378,7 @@ function get_blogaddress_by_domain( $domain, $path ) {
$url = 'http://' . $domain . $path;
}
}
return esc_url_raw( $url );
return sanitize_url( $url );
}
/**

2
wp-includes/nav-menu.php
View File

@ -573,7 +573,7 @@ function wp_update_nav_menu_item( $menu_id = 0, $menu_item_db_id = 0, $menu_item
$args['menu-item-xfn'] = implode( ' ', array_map( 'sanitize_html_class', explode( ' ', $args['menu-item-xfn'] ) ) );
update_post_meta( $menu_item_db_id, '_menu_item_classes', $args['menu-item-classes'] );
update_post_meta( $menu_item_db_id, '_menu_item_xfn', $args['menu-item-xfn'] );
update_post_meta( $menu_item_db_id, '_menu_item_url', esc_url_raw( $args['menu-item-url'] ) );
update_post_meta( $menu_item_db_id, '_menu_item_url', sanitize_url( $args['menu-item-url'] ) );
if ( 0 == $menu_id ) {
update_post_meta( $menu_item_db_id, '_menu_item_orphaned', (string) time() );

8
wp-includes/rest-api.php
View File

@ -710,7 +710,7 @@ function rest_send_cors_headers( $value ) {
if ( $origin ) {
// Requests from file:// and data: URLs send "Origin: null".
if ( 'null' !== $origin ) {
$origin = esc_url_raw( $origin );
$origin = sanitize_url( $origin );
}
header( 'Access-Control-Allow-Origin: ' . $origin );
header( 'Access-Control-Allow-Methods: OPTIONS, GET, POST, PUT, PATCH, DELETE' );
@ -993,12 +993,12 @@ function rest_output_link_header() {
return;
}
header( sprintf( 'Link: <%s>; rel="https://api.w.org/"', esc_url_raw( $api_root ) ), false );
header( sprintf( 'Link: <%s>; rel="https://api.w.org/"', sanitize_url( $api_root ) ), false );
$resource = rest_get_queried_resource_route();
if ( $resource ) {
header( sprintf( 'Link: <%s>; rel="alternate"; type="application/json"', esc_url_raw( rest_url( $resource ) ) ), false );
header( sprintf( 'Link: <%s>; rel="alternate"; type="application/json"', sanitize_url( rest_url( $resource ) ) ), false );
}
}
@ -2795,7 +2795,7 @@ function rest_sanitize_value_from_schema( $value, $args, $param = '' ) {
return sanitize_text_field( $value );
case 'uri':
return esc_url_raw( $value );
return sanitize_url( $value );
case 'ip':
return sanitize_text_field( $value );

2
wp-includes/rest-api/class-wp-rest-server.php
View File

@ -284,7 +284,7 @@ class WP_REST_Server {
$api_root = get_rest_url();
if ( ! empty( $api_root ) ) {
$this->send_header( 'Link', '<' . esc_url_raw( $api_root ) . '>; rel="https://api.w.org/"' );
$this->send_header( 'Link', '<' . sanitize_url( $api_root ) . '>; rel="https://api.w.org/"' );
}
/*

2
wp-includes/rest-api/endpoints/class-wp-rest-menu-items-controller.php
View File

@ -860,7 +860,7 @@ class WP_REST_Menu_Items_Controller extends WP_REST_Posts_Controller {
return true;
}
if ( esc_url_raw( $url ) ) {
if ( sanitize_url( $url ) ) {
return true;
}

2
wp-includes/rest-api/endpoints/class-wp-rest-url-details-controller.php
View File

@ -45,7 +45,7 @@ class WP_REST_URL_Details_Controller extends WP_REST_Controller {
'required' => true,
'description' => __( 'The URL to process.' ),
'validate_callback' => 'wp_http_validate_url',
'sanitize_callback' => 'esc_url_raw',
'sanitize_callback' => 'sanitize_url',
'type' => 'string',
'format' => 'uri',
),

4
wp-includes/script-loader.php
View File

@ -337,7 +337,7 @@ function wp_default_packages_inline_scripts( $scripts ) {
'wp-api-fetch',
sprintf(
'wp.apiFetch.use( wp.apiFetch.createRootURLMiddleware( "%s" ) );',
esc_url_raw( get_rest_url() )
sanitize_url( get_rest_url() )
),
'after'
);
@ -750,7 +750,7 @@ function wp_default_scripts( $scripts ) {
'wp-api-request',
'wpApiSettings',
array(
'root' => esc_url_raw( get_rest_url() ),
'root' => sanitize_url( get_rest_url() ),
'nonce' => wp_installing() ? '' : wp_create_nonce( 'wp_rest' ),
'versionString' => 'wp/v2/',
)

10
wp-includes/theme.php
View File

@ -1179,7 +1179,7 @@ function get_header_image() {
$url = get_random_header_image();
}
return esc_url_raw( set_url_scheme( $url ) );
return sanitize_url( set_url_scheme( $url ) );
}
/**
@ -1428,7 +1428,7 @@ function get_uploaded_header_images() {
}
foreach ( (array) $headers as $header ) {
$url = esc_url_raw( wp_get_attachment_url( $header->ID ) );
$url = sanitize_url( wp_get_attachment_url( $header->ID ) );
$header_data = wp_get_attachment_metadata( $header->ID );
$header_index = $header->ID;
@ -1589,7 +1589,7 @@ function get_header_video_url() {
return false;
}
return esc_url_raw( set_url_scheme( $url ) );
return sanitize_url( set_url_scheme( $url ) );
}
/**
@ -1806,7 +1806,7 @@ function _custom_background_cb() {
$style = $color ? "background-color: #$color;" : '';
if ( $background ) {
$image = ' background-image: url("' . esc_url_raw( $background ) . '");';
$image = ' background-image: url("' . sanitize_url( $background ) . '");';
// Background Position.
$position_x = get_theme_mod( 'background_position_x', get_theme_support( 'custom-background', 'default-position-x' ) );
@ -2146,7 +2146,7 @@ function get_editor_stylesheets() {
// Support externally referenced styles (like, say, fonts).
foreach ( $editor_styles as $key => $file ) {
if ( preg_match( '~^(https?:)?//~', $file ) ) {
$stylesheets[] = esc_url_raw( $file );
$stylesheets[] = sanitize_url( $file );
unset( $editor_styles[ $key ] );
}
}

2
wp-includes/update.php
View File

@ -430,7 +430,7 @@ function wp_update_plugins( $extra_stats = array() ) {
continue;
}
$hostname = wp_parse_url( esc_url_raw( $plugin_data['UpdateURI'] ), PHP_URL_HOST );
$hostname = wp_parse_url( sanitize_url( $plugin_data['UpdateURI'] ), PHP_URL_HOST );
/**
* Filters the update response for a given plugin hostname.

10
wp-includes/user.php
View File

@ -4158,8 +4158,8 @@ All at ###SITENAME###
$content = str_replace( '###SITENAME###', $email_data['sitename'], $content );
$content = str_replace( '###USER_EMAIL###', $email_data['user_email'], $content );
$content = str_replace( '###DESCRIPTION###', $email_data['description'], $content );
$content = str_replace( '###MANAGE_URL###', esc_url_raw( $email_data['manage_url'] ), $content );
$content = str_replace( '###SITEURL###', esc_url_raw( $email_data['siteurl'] ), $content );
$content = str_replace( '###MANAGE_URL###', sanitize_url( $email_data['manage_url'] ), $content );
$content = str_replace( '###SITEURL###', sanitize_url( $email_data['siteurl'] ), $content );
$headers = '';
@ -4399,7 +4399,7 @@ All at ###SITENAME###
$content = str_replace( '###SITENAME###', $email_data['sitename'], $content );
$content = str_replace( '###PRIVACY_POLICY_URL###', $email_data['privacy_policy_url'], $content );
$content = str_replace( '###SITEURL###', esc_url_raw( $email_data['siteurl'] ), $content );
$content = str_replace( '###SITEURL###', sanitize_url( $email_data['siteurl'] ), $content );
$headers = '';
@ -4720,10 +4720,10 @@ All at ###SITENAME###
$content = apply_filters( 'user_request_action_email_content', $content, $email_data );
$content = str_replace( '###DESCRIPTION###', $email_data['description'], $content );
$content = str_replace( '###CONFIRM_URL###', esc_url_raw( $email_data['confirm_url'] ), $content );
$content = str_replace( '###CONFIRM_URL###', sanitize_url( $email_data['confirm_url'] ), $content );
$content = str_replace( '###EMAIL###', $email_data['email'], $content );
$content = str_replace( '###SITENAME###', $email_data['sitename'], $content );
$content = str_replace( '###SITEURL###', esc_url_raw( $email_data['siteurl'] ), $content );
$content = str_replace( '###SITEURL###', sanitize_url( $email_data['siteurl'] ), $content );
$headers = '';

2
wp-includes/version.php
View File

@ -16,7 +16,7 @@
*
* @global string $wp_version
*/
$wp_version = '6.1-alpha-53454';
$wp_version = '6.1-alpha-53455';
/**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.

2
wp-includes/widgets.php
View File

@ -1767,7 +1767,7 @@ function wp_widget_rss_process( $widget_rss, $check_feed = true ) {
if ( $items < 1 || 20 < $items ) {
$items = 10;
}
$url = esc_url_raw( strip_tags( $widget_rss['url'] ) );
$url = sanitize_url( strip_tags( $widget_rss['url'] ) );
$title = isset( $widget_rss['title'] ) ? trim( strip_tags( $widget_rss['title'] ) ) : '';
$show_summary = isset( $widget_rss['show_summary'] ) ? (int) $widget_rss['show_summary'] : 0;
$show_author = isset( $widget_rss['show_author'] ) ? (int) $widget_rss['show_author'] : 0;

2
wp-login.php
View File

@ -360,7 +360,7 @@ function login_footer( $input_id = '' ) {
<?php } ?>
<?php if ( isset( $_GET['redirect_to'] ) && '' !== $_GET['redirect_to'] ) { ?>
<input type="hidden" name="redirect_to" value="<?php echo esc_url_raw( $_GET['redirect_to'] ); ?>" />
<input type="hidden" name="redirect_to" value="<?php echo sanitize_url( $_GET['redirect_to'] ); ?>" />
<?php } ?>
<?php if ( isset( $_GET['action'] ) && '' !== $_GET['action'] ) { ?>