From 01d172b5811f638690d20ef292e2a52213c8084a Mon Sep 17 00:00:00 2001 
From: Sergey Biryukov Date: Wed, 1 Jun 2022 18:14:10 +0000 Subject: [PATCH] General: Replace all `esc_url_raw()` calls in core with `sanitize_url()`. This aims to improve performance by calling `sanitize_url()` directly, instead of the `esc_url_raw()` wrapper. As of WordPress 6.1, `sanitize_url()` is the recommended function for sanitizing a URL for database or redirect usage. Follow-up to [11383], [13096], [51597], [53452]. Props benjgrolleau, peterwilsoncc, SergeyBiryukov. Fixes #55852. Built from https://develop.svn.wordpress.org/trunk@53455 git-svn-id: http://core.svn.wordpress.org/trunk@53044 1a063a9b-81f0-0310-95a4-ce76da25c4cd --- wp-admin/edit-tag-form.php | 2 +- wp-admin/edit-tags.php | 2 +- wp-admin/includes/ajax-actions.php | 4 +-- wp-admin/includes/class-custom-background.php | 8 ++--- .../includes/class-custom-image-header.php | 4 +-- wp-admin/includes/export.php | 2 +- wp-admin/includes/media.php | 4 +-- wp-admin/includes/post.php | 2 +- wp-admin/includes/privacy-tools.php | 4 +-- wp-admin/includes/theme.php | 2 +- wp-admin/includes/user.php | 2 +- wp-admin/network/site-info.php | 4 +-- wp-admin/term.php | 2 +- wp-admin/upgrade.php | 2 +- wp-admin/user-edit.php | 2 +- wp-includes/class-wp-customize-manager.php | 30 +++++++++---------- wp-includes/class-wp-theme.php | 2 +- ...ass-wp-customize-nav-menu-item-setting.php | 2 +- wp-includes/default-filters.php | 2 +- wp-includes/deprecated.php | 2 +- wp-includes/embed.php | 2 +- wp-includes/formatting.php | 14 ++++----- wp-includes/general-template.php | 4 +-- wp-includes/link-template.php | 4 +-- wp-includes/ms-deprecated.php | 2 +- wp-includes/nav-menu.php | 2 +- wp-includes/rest-api.php | 8 ++--- wp-includes/rest-api/class-wp-rest-server.php | 2 +- .../class-wp-rest-menu-items-controller.php | 2 +- .../class-wp-rest-url-details-controller.php | 2 +- wp-includes/script-loader.php | 4 +-- wp-includes/theme.php | 10 +++---- wp-includes/update.php | 2 +- wp-includes/user.php | 10 +++---- 
wp-includes/version.php | 2 +- wp-includes/widgets.php | 2 +- wp-login.php | 2 +- 37 files changed, 79 insertions(+), 79 deletions(-)
diff --git a/wp-admin/edit-tag-form.php b/wp-admin/edit-tag-form.php
index d0d8f4af5e..7c22cf471d 100644
--- a/wp-admin/edit-tag-form.php
+++ b/wp-admin/edit-tag-form.php
@@ -83,7 +83,7 @@ if ( $message ) {

-

+

labels->back_to_items ); ?>

diff --git a/wp-admin/edit-tags.php b/wp-admin/edit-tags.php
index c0bd5b2e35..3111c51069 100644
--- a/wp-admin/edit-tags.php
+++ b/wp-admin/edit-tags.php
@@ -160,7 +160,7 @@ switch ( $wp_list_table->current_action() ) { wp_die( __( 'You attempted to edit an item that does not exist. Perhaps it was deleted?' ) ); }
- wp_redirect( esc_url_raw( get_edit_term_link( $term_id, $taxonomy, $post_type ) ) );
+ wp_redirect( sanitize_url( get_edit_term_link( $term_id, $taxonomy, $post_type ) ) ); exit; case 'editedtag':
diff --git a/wp-admin/includes/ajax-actions.php b/wp-admin/includes/ajax-actions.php
index e39739883e..1714302437 100644
--- a/wp-admin/includes/ajax-actions.php
+++ b/wp-admin/includes/ajax-actions.php
@@ -431,7 +431,7 @@ function _wp_ajax_delete_comment_response( $comment_id, $delta = -1 ) { $total = isset( $_POST['_total'] ) ? (int) $_POST['_total'] : 0; $per_page = isset( $_POST['_per_page'] ) ? (int) $_POST['_per_page'] : 0; $page = isset( $_POST['_page'] ) ? (int) $_POST['_page'] : 0;
- $url = isset( $_POST['_url'] ) ? esc_url_raw( $_POST['_url'] ) : '';
+ $url = isset( $_POST['_url'] ) ? sanitize_url( $_POST['_url'] ) : ''; // JS didn't send us everything we need to know. Just die with success message. if ( ! $total || ! $per_page || ! $page || ! $url ) {
@@ -3333,7 +3333,7 @@ function wp_ajax_send_link_to_editor() { $src = 'http://' . $src; }
- $src = esc_url_raw( $src );
+ $src = sanitize_url( $src ); if ( ! $src ) { wp_send_json_error(); }
diff --git a/wp-admin/includes/class-custom-background.php b/wp-admin/includes/class-custom-background.php
index df246313f4..3cb560237c 100644
--- a/wp-admin/includes/class-custom-background.php
+++ b/wp-admin/includes/class-custom-background.php 
@@ -526,10 +526,10 @@ class Custom_Background { wp_update_attachment_metadata( $id, wp_generate_attachment_metadata( $id, $file ) ); update_post_meta( $id, '_wp_attachment_is_custom_background', get_option( 'stylesheet' ) );
- set_theme_mod( 'background_image', esc_url_raw( $url ) );
+ set_theme_mod( 'background_image', sanitize_url( $url ) ); $thumbnail = wp_get_attachment_image_src( $id, 'thumbnail' );
- set_theme_mod( 'background_image_thumb', esc_url_raw( $thumbnail[0] ) );
+ set_theme_mod( 'background_image_thumb', sanitize_url( $thumbnail[0] ) ); /** This action is documented in wp-admin/includes/class-custom-image-header.php */ do_action( 'wp_create_file_in_uploads', $file, $id ); // For replication.
@@ -618,8 +618,8 @@ class Custom_Background { $url = wp_get_attachment_image_src( $attachment_id, $size ); $thumbnail = wp_get_attachment_image_src( $attachment_id, 'thumbnail' );
- set_theme_mod( 'background_image', esc_url_raw( $url[0] ) );
- set_theme_mod( 'background_image_thumb', esc_url_raw( $thumbnail[0] ) );
+ set_theme_mod( 'background_image', sanitize_url( $url[0] ) );
+ set_theme_mod( 'background_image_thumb', sanitize_url( $thumbnail[0] ) ); exit; } }
diff --git a/wp-admin/includes/class-custom-image-header.php b/wp-admin/includes/class-custom-image-header.php
index c5efc071e1..ffad8879bb 100644
--- a/wp-admin/includes/class-custom-image-header.php
+++ b/wp-admin/includes/class-custom-image-header.php
@@ -1159,7 +1159,7 @@ endif; return; }
- $choice['url'] = esc_url_raw( $choice['url'] );
+ $choice['url'] = sanitize_url( $choice['url'] ); $header_image_data = (object) array( 'attachment_id' => $choice['attachment_id'],
@@ -1197,7 +1197,7 @@ endif; } }
- set_theme_mod( 'header_image', esc_url_raw( $header_image_data['url'] ) );
+ set_theme_mod( 'header_image', sanitize_url( $header_image_data['url'] ) ); set_theme_mod( 'header_image_data', $header_image_data ); } 
diff --git a/wp-admin/includes/export.php b/wp-admin/includes/export.php
index 852f7d54ad..14e21dce38 100644
--- a/wp-admin/includes/export.php
+++ b/wp-admin/includes/export.php
@@ -632,7 +632,7 @@ function export_wp( $args = array() ) { comment_ID; ?> comment_author ); ?> comment_author_email ); ?>
- comment_author_url ); ?>
+ comment_author_url ); ?> comment_author_IP ); ?> comment_date ); ?> comment_date_gmt ); ?>
diff --git a/wp-admin/includes/media.php b/wp-admin/includes/media.php
index 95a29d5e52..56825012f0 100644
--- a/wp-admin/includes/media.php
+++ b/wp-admin/includes/media.php
@@ -917,7 +917,7 @@ function wp_media_upload_handler() { * @param string $src Media source URL. * @param string $title Media title. */
- $html = apply_filters( "{$type}_send_to_editor_url", $html, esc_url_raw( $src ), $title );
+ $html = apply_filters( "{$type}_send_to_editor_url", $html, sanitize_url( $src ), $title ); } else { $align = ''; $alt = esc_attr( wp_unslash( $_POST['alt'] ) );
@@ -942,7 +942,7 @@ function wp_media_upload_handler() { * @param string $align The image alignment. Default 'alignnone'. Possible values include * 'alignleft', 'aligncenter', 'alignright', 'alignnone'. */
- $html = apply_filters( 'image_send_to_editor_url', $html, esc_url_raw( $src ), $alt, $align );
+ $html = apply_filters( 'image_send_to_editor_url', $html, sanitize_url( $src ), $alt, $align ); } return media_send_to_editor( $html );
diff --git a/wp-admin/includes/post.php b/wp-admin/includes/post.php
index 6621d8e090..a4dd6a0519 100644
--- a/wp-admin/includes/post.php
+++ b/wp-admin/includes/post.php 
@@ -322,7 +322,7 @@ function edit_post( $post_data = null ) { foreach ( $format_meta_urls as $format_meta_url ) { $keyed = '_format_' . $format_meta_url; if ( isset( $post_data[ $keyed ] ) ) {
- update_post_meta( $post_ID, $keyed, wp_slash( esc_url_raw( wp_unslash( $post_data[ $keyed ] ) ) ) );
+ update_post_meta( $post_ID, $keyed, wp_slash( sanitize_url( wp_unslash( $post_data[ $keyed ] ) ) ) ); } }
diff --git a/wp-admin/includes/privacy-tools.php b/wp-admin/includes/privacy-tools.php
index 8b78752a85..f974ea8a5d 100644
--- a/wp-admin/includes/privacy-tools.php
+++ b/wp-admin/includes/privacy-tools.php
@@ -706,10 +706,10 @@ All at ###SITENAME### $content = apply_filters( 'wp_privacy_personal_data_email_content', $email_text, $request_id, $email_data ); $content = str_replace( '###EXPIRATION###', $expiration_date, $content );
- $content = str_replace( '###LINK###', esc_url_raw( $export_file_url ), $content );
+ $content = str_replace( '###LINK###', sanitize_url( $export_file_url ), $content ); $content = str_replace( '###EMAIL###', $request_email, $content ); $content = str_replace( '###SITENAME###', $site_name, $content );
- $content = str_replace( '###SITEURL###', esc_url_raw( $site_url ), $content );
+ $content = str_replace( '###SITEURL###', sanitize_url( $site_url ), $content ); $headers = '';
diff --git a/wp-admin/includes/theme.php b/wp-admin/includes/theme.php
index 3886a8eeff..177eb44cf9 100644
--- a/wp-admin/includes/theme.php
+++ b/wp-admin/includes/theme.php
@@ -712,7 +712,7 @@ function wp_prepare_themes_for_js( $themes = null ) { $customize_action = esc_url( add_query_arg( array(
- 'return' => urlencode( esc_url_raw( remove_query_arg( wp_removable_query_args(), wp_unslash( $_SERVER['REQUEST_URI'] ) ) ) ),
+ 'return' => urlencode( sanitize_url( remove_query_arg( wp_removable_query_args(), wp_unslash( $_SERVER['REQUEST_URI'] ) ) ) ), ), wp_customize_url( $slug ) ) 
diff --git a/wp-admin/includes/user.php b/wp-admin/includes/user.php
index 64b91fce19..ed6a91a4e2 100644
--- a/wp-admin/includes/user.php
+++ b/wp-admin/includes/user.php
@@ -84,7 +84,7 @@ function edit_user( $user_id = 0 ) { if ( empty( $_POST['url'] ) || 'http://' === $_POST['url'] ) { $user->user_url = ''; } else {
- $user->user_url = esc_url_raw( $_POST['url'] );
+ $user->user_url = sanitize_url( $_POST['url'] ); $protocols = implode( '|', array_map( 'preg_quote', wp_allowed_protocols() ) ); $user->user_url = preg_match( '/^(' . $protocols . '):/is', $user->user_url ) ? $user->user_url : 'http://' . $user->user_url; }
diff --git a/wp-admin/network/site-info.php b/wp-admin/network/site-info.php
index b99f35ab20..8cad4ead2a 100644
--- a/wp-admin/network/site-info.php
+++ b/wp-admin/network/site-info.php
@@ -90,7 +90,7 @@ if ( isset( $_REQUEST['action'] ) && 'update-site' === $_REQUEST['action'] ) { $old_home_parsed = parse_url( $old_home_url ); if ( $old_home_parsed['host'] === $existing_details->domain && $old_home_parsed['path'] === $existing_details->path ) {
- $new_home_url = untrailingslashit( esc_url_raw( $blog_data['scheme'] . '://' . $new_details->domain . $new_details->path ) );
+ $new_home_url = untrailingslashit( sanitize_url( $blog_data['scheme'] . '://' . $new_details->domain . $new_details->path ) ); update_option( 'home', $new_home_url ); }
@@ -98,7 +98,7 @@ if ( isset( $_REQUEST['action'] ) && 'update-site' === $_REQUEST['action'] ) { $old_site_parsed = parse_url( $old_site_url ); if ( $old_site_parsed['host'] === $existing_details->domain && $old_site_parsed['path'] === $existing_details->path ) {
- $new_site_url = untrailingslashit( esc_url_raw( $blog_data['scheme'] . '://' . $new_details->domain . $new_details->path ) );
+ $new_site_url = untrailingslashit( sanitize_url( $blog_data['scheme'] . '://' . $new_details->domain . $new_details->path ) ); update_option( 'siteurl', $new_site_url ); } 
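Review bot: In the edit_user() hunk, a value that sanitize_url() rejects comes back as an empty string (the esc_url() docblock elsewhere in this patch states that an empty string is returned for a protocol outside `$protocols`, and sanitize_url() is presented as its database-context entry point), and the line that follows the added one then prepends 'http://' to that empty string, so a rejected URL is persisted as `http://` instead of being dropped. The earlier `'http://' === $_POST['url']` check suggests that sentinel is tolerated on the next edit, but if I read the flow correctly it is a silent fallback rather than a deliberate choice, and keeping the empty result is clearer: `$user->user_url = ( '' === $user->user_url || preg_match( '/^(' . $protocols . '):/is', $user->user_url ) ) ? $user->user_url : 'http://' . $user->user_url;`. edit_user() starts outside the hunk.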
diff --git a/wp-admin/term.php b/wp-admin/term.php
index 55d1a7eb94..4d29b5d996 100644
--- a/wp-admin/term.php
+++ b/wp-admin/term.php
@@ -20,7 +20,7 @@ if ( empty( $_REQUEST['tag_ID'] ) ) { $sendback = add_query_arg( 'post_type', get_current_screen()->post_type, $sendback ); }
- wp_redirect( esc_url_raw( $sendback ) );
+ wp_redirect( sanitize_url( $sendback ) ); exit; }
diff --git a/wp-admin/upgrade.php b/wp-admin/upgrade.php
index e816c69d0b..1b1565aa45 100644
--- a/wp-admin/upgrade.php
+++ b/wp-admin/upgrade.php
@@ -133,7 +133,7 @@ else : case 0: $goback = wp_get_referer(); if ( $goback ) {
- $goback = esc_url_raw( $goback );
+ $goback = sanitize_url( $goback ); $goback = urlencode( $goback ); } ?>
diff --git a/wp-admin/user-edit.php b/wp-admin/user-edit.php
index c2e9e0c3a7..49faa4e22b 100644
--- a/wp-admin/user-edit.php
+++ b/wp-admin/user-edit.php
@@ -209,7 +209,7 @@ switch ( $action ) {

-

+

diff --git a/wp-includes/class-wp-customize-manager.php b/wp-includes/class-wp-customize-manager.php
index 03732ca08a..7809608e69 100644
--- a/wp-includes/class-wp-customize-manager.php
+++ b/wp-includes/class-wp-customize-manager.php
@@ -2111,7 +2111,7 @@ final class WP_Customize_Manager { $exported_setting_validities = array_map( array( $this, 'prepare_setting_validity_for_js' ), $setting_validities ); // Note that the REQUEST_URI is not passed into home_url() since this breaks subdirectory installations.
- $self_url = empty( $_SERVER['REQUEST_URI'] ) ? home_url( '/' ) : esc_url_raw( wp_unslash( $_SERVER['REQUEST_URI'] ) );
+ $self_url = empty( $_SERVER['REQUEST_URI'] ) ? home_url( '/' ) : sanitize_url( wp_unslash( $_SERVER['REQUEST_URI'] ) ); $state_query_params = array( 'customize_theme', 'customize_changeset_uuid',
@@ -2158,7 +2158,7 @@ final class WP_Customize_Manager { ), 'url' => array( 'self' => $self_url,
- 'allowed' => array_map( 'esc_url_raw', $this->get_allowed_urls() ),
+ 'allowed' => array_map( 'sanitize_url', $this->get_allowed_urls() ), 'allowedHosts' => array_unique( $allowed_hosts ), 'isCrossDomain' => $this->is_cross_domain(), ),
@@ -4574,7 +4574,7 @@ final class WP_Customize_Manager { * @param string $preview_url URL to be previewed. */ public function set_preview_url( $preview_url ) {
- $preview_url = esc_url_raw( $preview_url );
+ $preview_url = sanitize_url( $preview_url ); $this->preview_url = wp_validate_redirect( $preview_url, home_url( '/' ) ); }
@@ -4662,7 +4662,7 @@ final class WP_Customize_Manager { * @param string $return_url URL for return link. */ public function set_return_url( $return_url ) {
- $return_url = esc_url_raw( $return_url );
+ $return_url = sanitize_url( $return_url ); $return_url = remove_query_arg( wp_removable_query_args(), $return_url ); $return_url = wp_validate_redirect( $return_url ); $this->return_url = $return_url; 
@@ -4894,15 +4894,15 @@ final class WP_Customize_Manager { '_canInstall' => current_user_can( 'install_themes' ), ), 'url' => array(
- 'preview' => esc_url_raw( $this->get_preview_url() ),
- 'return' => esc_url_raw( $this->get_return_url() ),
- 'parent' => esc_url_raw( admin_url() ),
- 'activated' => esc_url_raw( home_url( '/' ) ),
- 'ajax' => esc_url_raw( admin_url( 'admin-ajax.php', 'relative' ) ),
- 'allowed' => array_map( 'esc_url_raw', $this->get_allowed_urls() ),
+ 'preview' => sanitize_url( $this->get_preview_url() ),
+ 'return' => sanitize_url( $this->get_return_url() ),
+ 'parent' => sanitize_url( admin_url() ),
+ 'activated' => sanitize_url( home_url( '/' ) ),
+ 'ajax' => sanitize_url( admin_url( 'admin-ajax.php', 'relative' ) ),
+ 'allowed' => array_map( 'sanitize_url', $this->get_allowed_urls() ), 'isCrossDomain' => $this->is_cross_domain(),
- 'home' => esc_url_raw( home_url( '/' ) ),
- 'login' => esc_url_raw( $login_url ),
+ 'home' => sanitize_url( home_url( '/' ) ),
+ 'login' => sanitize_url( $login_url ), ), 'browser' => array( 'mobile' => wp_is_mobile(),
@@ -6006,7 +6006,7 @@ final class WP_Customize_Manager { return new WP_Error( 'invalid_value', __( 'Invalid value for background size.' ) ); } } elseif ( 'background_image' === $setting->id || 'background_image_thumb' === $setting->id ) {
- $value = empty( $value ) ? '' : esc_url_raw( $value );
+ $value = empty( $value ) ? '' : sanitize_url( $value ); } else { return new WP_Error( 'unrecognized_setting', __( 'Unrecognized background setting.' ) ); }
@@ -6079,7 +6079,7 @@ final class WP_Customize_Manager { * @return mixed */ public function _validate_external_header_video( $validity, $value ) {
- $video = esc_url_raw( $value );
+ $video = sanitize_url( $value ); if ( $video ) { if ( ! preg_match( '#^https?://(?:www\.)?(?:youtube\.com/watch|youtu\.be/)#', $video ) ) { $validity->add( 'invalid_url', __( 'Please enter a valid YouTube URL.' ) ); 
@@ -6097,7 +6097,7 @@ final class WP_Customize_Manager { * @return string Sanitized URL. */ public function _sanitize_external_header_video( $value ) {
- return esc_url_raw( trim( $value ) );
+ return sanitize_url( trim( $value ) ); } /**
diff --git a/wp-includes/class-wp-theme.php b/wp-includes/class-wp-theme.php
index c2398fb4eb..2e313c4c3b 100644
--- a/wp-includes/class-wp-theme.php
+++ b/wp-includes/class-wp-theme.php
@@ -888,7 +888,7 @@ final class WP_Theme implements ArrayAccess { break; case 'ThemeURI': case 'AuthorURI':
- $value = esc_url_raw( $value );
+ $value = sanitize_url( $value ); break; case 'Tags': $value = array_filter( array_map( 'trim', explode( ',', strip_tags( $value ) ) ) );
diff --git a/wp-includes/customize/class-wp-customize-nav-menu-item-setting.php b/wp-includes/customize/class-wp-customize-nav-menu-item-setting.php
index 8e35e32238..b0e3ae4a5e 100644
--- a/wp-includes/customize/class-wp-customize-nav-menu-item-setting.php
+++ b/wp-includes/customize/class-wp-customize-nav-menu-item-setting.php
@@ -726,7 +726,7 @@ class WP_Customize_Nav_Menu_Item_Setting extends WP_Customize_Setting { $menu_item_value['description'] = wp_unslash( apply_filters( 'content_save_pre', wp_slash( $menu_item_value['description'] ) ) ); if ( '' !== $menu_item_value['url'] ) {
- $menu_item_value['url'] = esc_url_raw( $menu_item_value['url'] );
+ $menu_item_value['url'] = sanitize_url( $menu_item_value['url'] ); if ( '' === $menu_item_value['url'] ) { return new WP_Error( 'invalid_url', __( 'Invalid URL.' ) ); // Fail sanitization if URL is invalid. }
diff --git a/wp-includes/default-filters.php b/wp-includes/default-filters.php
index 391796517c..25d98ede38 100644
--- a/wp-includes/default-filters.php
+++ b/wp-includes/default-filters.php 
@@ -72,7 +72,7 @@ foreach ( array( 'pre_post_guid', ) as $filter ) { add_filter( $filter, 'wp_strip_all_tags' );
- add_filter( $filter, 'esc_url_raw' );
+ add_filter( $filter, 'sanitize_url' ); add_filter( $filter, 'wp_filter_kses' ); }
diff --git a/wp-includes/deprecated.php b/wp-includes/deprecated.php
index ec4c4678f5..ff6ce82497 100644
--- a/wp-includes/deprecated.php
+++ b/wp-includes/deprecated.php
@@ -2041,7 +2041,7 @@ function get_link( $bookmark_id, $output = OBJECT, $filter = 'raw' ) { */ function clean_url( $url, $protocols = null, $context = 'display' ) { if ( $context == 'db' )
- _deprecated_function( 'clean_url( $context = \'db\' )', '3.0.0', 'esc_url_raw()' );
+ _deprecated_function( 'clean_url( $context = \'db\' )', '3.0.0', 'sanitize_url()' ); else _deprecated_function( __FUNCTION__, '3.0.0', 'esc_url()' ); return esc_url( $url, $protocols, $context );
diff --git a/wp-includes/embed.php b/wp-includes/embed.php
index bc0806e1e2..f894578ad8 100644
--- a/wp-includes/embed.php
+++ b/wp-includes/embed.php
@@ -426,7 +426,7 @@ function get_post_embed_url( $post = null ) { * @param string $embed_url The post embed URL. * @param WP_Post $post The corresponding post object. */
- return esc_url_raw( apply_filters( 'post_embed_url', $embed_url, $post ) );
+ return sanitize_url( apply_filters( 'post_embed_url', $embed_url, $post ) ); } /**
diff --git a/wp-includes/formatting.php b/wp-includes/formatting.php
index b8701c5822..3b977f4f4e 100644
--- a/wp-includes/formatting.php
+++ b/wp-includes/formatting.php 
@@ -4354,7 +4354,7 @@ function esc_sql( $data ) { * @param string $url The URL to be cleaned. * @param string[] $protocols Optional. An array of acceptable protocols. * Defaults to return value of wp_allowed_protocols().
- * @param string $_context Private. Use esc_url_raw() for database usage.
+ * @param string $_context Private. Use sanitize_url() for database usage. * @return string The cleaned URL after the {@see 'clean_url'} filter is applied. * An empty string is returned if `$url` specifies a protocol other than * those in `$protocols`, or if `$url` contains an empty string.
@@ -4830,7 +4830,7 @@ function sanitize_option( $option, $value ) { case 'ping_sites': $value = explode( "\n", $value ); $value = array_filter( array_map( 'trim', $value ) );
- $value = array_filter( array_map( 'esc_url_raw', $value ) );
+ $value = array_filter( array_map( 'sanitize_url', $value ) ); $value = implode( "\n", $value ); break;
@@ -4844,7 +4844,7 @@ function sanitize_option( $option, $value ) { $error = $value->get_error_message(); } else { if ( preg_match( '#http(s?)://(.+)#i', $value ) ) {
- $value = esc_url_raw( $value );
+ $value = sanitize_url( $value ); } else { $error = __( 'The WordPress address you entered did not appear to be a valid URL. Please enter a valid URL.' ); }
@@ -4857,7 +4857,7 @@ function sanitize_option( $option, $value ) { $error = $value->get_error_message(); } else { if ( preg_match( '#http(s?)://(.+)#i', $value ) ) {
- $value = esc_url_raw( $value );
+ $value = sanitize_url( $value ); } else { $error = __( 'The Site address you entered did not appear to be a valid URL. Please enter a valid URL.' ); }
@@ -4929,7 +4929,7 @@ function sanitize_option( $option, $value ) { if ( is_wp_error( $value ) ) { $error = $value->get_error_message(); } else {
- $value = esc_url_raw( $value );
+ $value = sanitize_url( $value ); $value = str_replace( 'http://', '', $value ); } 
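Review bot: In the two sanitize_option() hunks for 'siteurl' (@@ -4844) and 'home' (@@ -4857), the guard `preg_match( '#http(s?)://(.+)#i', $value )` is unanchored, so a value that carries some other scheme in front of the `http://` part passes the check, and then, as far as I can tell from the esc_url() docblock at the top of this same file section, sanitize_url() returns an empty string because only allowed protocols survive; the "did not appear to be a valid URL" error is never set for that case and an empty value flows on. Checking the sanitized result would route it to the existing error path, e.g. in the first hunk `$value = sanitize_url( $value ); if ( '' === $value ) { $error = __( 'The WordPress address you entered did not appear to be a valid URL. Please enter a valid URL.' ); }`, with the Site address message in the second. sanitize_option() begins and ends outside these hunks.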
@@ -5580,7 +5580,7 @@ function sanitize_trackback_urls( $to_ping ) { unset( $urls_to_ping[ $k ] ); } }
- $urls_to_ping = array_map( 'esc_url_raw', $urls_to_ping );
+ $urls_to_ping = array_map( 'sanitize_url', $urls_to_ping ); $urls_to_ping = implode( "\n", $urls_to_ping ); /** * Filters a list of trackback URLs following sanitization.
@@ -5649,7 +5649,7 @@ function get_url_in_content( $content ) { } if ( preg_match( '/]*?href=([\'"])(.+?)\1/is', $content, $matches ) ) {
- return esc_url_raw( $matches[2] );
+ return sanitize_url( $matches[2] ); } return false;
diff --git a/wp-includes/general-template.php b/wp-includes/general-template.php
index d2ad7373f2..6ab4f4dd39 100644
--- a/wp-includes/general-template.php
+++ b/wp-includes/general-template.php
@@ -4759,10 +4759,10 @@ function get_the_generator( $type = '' ) { $gen = 'WordPress'; break; case 'rss2':
- $gen = '' . esc_url_raw( 'https://wordpress.org/?v=' . get_bloginfo_rss( 'version' ) ) . '';
+ $gen = '' . sanitize_url( 'https://wordpress.org/?v=' . get_bloginfo_rss( 'version' ) ) . ''; break; case 'rdf':
- $gen = '';
+ $gen = ''; break; case 'comment': $gen = '';
diff --git a/wp-includes/link-template.php b/wp-includes/link-template.php
index dbebd3bded..fc1a89fd29 100644
--- a/wp-includes/link-template.php
+++ b/wp-includes/link-template.php
@@ -2343,7 +2343,7 @@ function adjacent_post_link( $format, $link, $in_same_term = false, $excluded_te * * @param int $pagenum Optional. Page number. Default 1. * @param bool $escape Optional. Whether to escape the URL for display, with esc_url(). Defaults to true.
- * Otherwise, prepares the URL with esc_url_raw().
+ * Otherwise, prepares the URL with sanitize_url(). * @return string The link URL for the given page number. */ function get_pagenum_link( $pagenum = 1, $escape = true ) { 
@@ -2410,7 +2410,7 @@ function get_pagenum_link( $pagenum = 1, $escape = true ) { if ( $escape ) { return esc_url( $result ); } else {
- return esc_url_raw( $result );
+ return sanitize_url( $result ); } }
diff --git a/wp-includes/ms-deprecated.php b/wp-includes/ms-deprecated.php
index c06f35ddc5..9085545bdd 100644
--- a/wp-includes/ms-deprecated.php
+++ b/wp-includes/ms-deprecated.php
@@ -378,7 +378,7 @@ function get_blogaddress_by_domain( $domain, $path ) { $url = 'http://' . $domain . $path; } }
- return esc_url_raw( $url );
+ return sanitize_url( $url ); } /**
diff --git a/wp-includes/nav-menu.php b/wp-includes/nav-menu.php
index 24a7fc66ef..63969287d7 100644
--- a/wp-includes/nav-menu.php
+++ b/wp-includes/nav-menu.php
@@ -573,7 +573,7 @@ function wp_update_nav_menu_item( $menu_id = 0, $menu_item_db_id = 0, $menu_item $args['menu-item-xfn'] = implode( ' ', array_map( 'sanitize_html_class', explode( ' ', $args['menu-item-xfn'] ) ) ); update_post_meta( $menu_item_db_id, '_menu_item_classes', $args['menu-item-classes'] ); update_post_meta( $menu_item_db_id, '_menu_item_xfn', $args['menu-item-xfn'] );
- update_post_meta( $menu_item_db_id, '_menu_item_url', esc_url_raw( $args['menu-item-url'] ) );
+ update_post_meta( $menu_item_db_id, '_menu_item_url', sanitize_url( $args['menu-item-url'] ) ); if ( 0 == $menu_id ) { update_post_meta( $menu_item_db_id, '_menu_item_orphaned', (string) time() );
diff --git a/wp-includes/rest-api.php b/wp-includes/rest-api.php
index f05142baac..81156911c3 100644
--- a/wp-includes/rest-api.php
+++ b/wp-includes/rest-api.php
@@ -710,7 +710,7 @@ function rest_send_cors_headers( $value ) { if ( $origin ) { // Requests from file:// and data: URLs send "Origin: null". if ( 'null' !== $origin ) {
- $origin = esc_url_raw( $origin );
+ $origin = sanitize_url( $origin ); } header( 'Access-Control-Allow-Origin: ' . $origin ); header( 'Access-Control-Allow-Methods: OPTIONS, GET, POST, PUT, PATCH, DELETE' ); 
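Review bot: The rest_send_cors_headers() hunk would benefit from a comment on the added `$origin = sanitize_url( $origin );` line stating what the call does and does not guarantee: it normalizes the value and, per the esc_url() contract documented elsewhere in this patch, returns an empty string for a protocol outside the allowed list, but it performs no comparison against an origin allowlist, so the header() call that follows reflects whatever survives sanitization. The existing comment only explains the 'null' special case, which leaves a reader to guess why sanitizing is considered sufficient here. Suggested comment: `// sanitize_url() normalizes the value (and blanks it for a disallowed protocol); it does not restrict which origins are reflected below.` rest_send_cors_headers() starts outside the hunk.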
@@ -993,12 +993,12 @@ function rest_output_link_header() { return; }
- header( sprintf( 'Link: <%s>; rel="https://api.w.org/"', esc_url_raw( $api_root ) ), false );
+ header( sprintf( 'Link: <%s>; rel="https://api.w.org/"', sanitize_url( $api_root ) ), false ); $resource = rest_get_queried_resource_route(); if ( $resource ) {
- header( sprintf( 'Link: <%s>; rel="alternate"; type="application/json"', esc_url_raw( rest_url( $resource ) ) ), false );
+ header( sprintf( 'Link: <%s>; rel="alternate"; type="application/json"', sanitize_url( rest_url( $resource ) ) ), false ); } }
@@ -2795,7 +2795,7 @@ function rest_sanitize_value_from_schema( $value, $args, $param = '' ) { return sanitize_text_field( $value ); case 'uri':
- return esc_url_raw( $value );
+ return sanitize_url( $value ); case 'ip': return sanitize_text_field( $value );
diff --git a/wp-includes/rest-api/class-wp-rest-server.php b/wp-includes/rest-api/class-wp-rest-server.php
index c38914c7bf..19b362a4ca 100644
--- a/wp-includes/rest-api/class-wp-rest-server.php
+++ b/wp-includes/rest-api/class-wp-rest-server.php
@@ -284,7 +284,7 @@ class WP_REST_Server { $api_root = get_rest_url(); if ( ! empty( $api_root ) ) {
- $this->send_header( 'Link', '<' . esc_url_raw( $api_root ) . '>; rel="https://api.w.org/"' );
+ $this->send_header( 'Link', '<' . sanitize_url( $api_root ) . '>; rel="https://api.w.org/"' ); } /*
diff --git a/wp-includes/rest-api/endpoints/class-wp-rest-menu-items-controller.php b/wp-includes/rest-api/endpoints/class-wp-rest-menu-items-controller.php
index f25be71bef..825833505d 100644
--- a/wp-includes/rest-api/endpoints/class-wp-rest-menu-items-controller.php
+++ b/wp-includes/rest-api/endpoints/class-wp-rest-menu-items-controller.php
@@ -860,7 +860,7 @@ class WP_REST_Menu_Items_Controller extends WP_REST_Posts_Controller { return true; }
- if ( esc_url_raw( $url ) ) {
+ if ( sanitize_url( $url ) ) { return true; } 
diff --git a/wp-includes/rest-api/endpoints/class-wp-rest-url-details-controller.php b/wp-includes/rest-api/endpoints/class-wp-rest-url-details-controller.php
index b7d58faefa..c9ac6675d0 100644
--- a/wp-includes/rest-api/endpoints/class-wp-rest-url-details-controller.php
+++ b/wp-includes/rest-api/endpoints/class-wp-rest-url-details-controller.php
@@ -45,7 +45,7 @@ class WP_REST_URL_Details_Controller extends WP_REST_Controller { 'required' => true, 'description' => __( 'The URL to process.' ), 'validate_callback' => 'wp_http_validate_url',
- 'sanitize_callback' => 'esc_url_raw',
+ 'sanitize_callback' => 'sanitize_url', 'type' => 'string', 'format' => 'uri', ),
diff --git a/wp-includes/script-loader.php b/wp-includes/script-loader.php
index ae68e688f8..61e8a1d210 100644
--- a/wp-includes/script-loader.php
+++ b/wp-includes/script-loader.php
@@ -337,7 +337,7 @@ function wp_default_packages_inline_scripts( $scripts ) { 'wp-api-fetch', sprintf( 'wp.apiFetch.use( wp.apiFetch.createRootURLMiddleware( "%s" ) );',
- esc_url_raw( get_rest_url() )
+ sanitize_url( get_rest_url() ) ), 'after' );
@@ -750,7 +750,7 @@ function wp_default_scripts( $scripts ) { 'wp-api-request', 'wpApiSettings', array(
- 'root' => esc_url_raw( get_rest_url() ),
+ 'root' => sanitize_url( get_rest_url() ), 'nonce' => wp_installing() ? '' : wp_create_nonce( 'wp_rest' ), 'versionString' => 'wp/v2/', )
diff --git a/wp-includes/theme.php b/wp-includes/theme.php
index 55e2d13789..2e7e1dbbb8 100644
--- a/wp-includes/theme.php
+++ b/wp-includes/theme.php
@@ -1179,7 +1179,7 @@ function get_header_image() { $url = get_random_header_image(); }
- return esc_url_raw( set_url_scheme( $url ) );
+ return sanitize_url( set_url_scheme( $url ) ); } /** 
@@ -1428,7 +1428,7 @@ function get_uploaded_header_images() { } foreach ( (array) $headers as $header ) {
- $url = esc_url_raw( wp_get_attachment_url( $header->ID ) );
+ $url = sanitize_url( wp_get_attachment_url( $header->ID ) ); $header_data = wp_get_attachment_metadata( $header->ID ); $header_index = $header->ID;
@@ -1589,7 +1589,7 @@ function get_header_video_url() { return false; }
- return esc_url_raw( set_url_scheme( $url ) );
+ return sanitize_url( set_url_scheme( $url ) ); } /**
@@ -1806,7 +1806,7 @@ function _custom_background_cb() { $style = $color ? "background-color: #$color;" : ''; if ( $background ) {
- $image = ' background-image: url("' . esc_url_raw( $background ) . '");';
+ $image = ' background-image: url("' . sanitize_url( $background ) . '");'; // Background Position. $position_x = get_theme_mod( 'background_position_x', get_theme_support( 'custom-background', 'default-position-x' ) );
@@ -2146,7 +2146,7 @@ function get_editor_stylesheets() { // Support externally referenced styles (like, say, fonts). foreach ( $editor_styles as $key => $file ) { if ( preg_match( '~^(https?:)?//~', $file ) ) {
- $stylesheets[] = esc_url_raw( $file );
+ $stylesheets[] = sanitize_url( $file ); unset( $editor_styles[ $key ] ); } }
diff --git a/wp-includes/update.php b/wp-includes/update.php
index 1c9a7cbeb6..04c8aa3ec2 100644
--- a/wp-includes/update.php
+++ b/wp-includes/update.php
@@ -430,7 +430,7 @@ function wp_update_plugins( $extra_stats = array() ) { continue; }
- $hostname = wp_parse_url( esc_url_raw( $plugin_data['UpdateURI'] ), PHP_URL_HOST );
+ $hostname = wp_parse_url( sanitize_url( $plugin_data['UpdateURI'] ), PHP_URL_HOST ); /** * Filters the update response for a given plugin hostname.
diff --git a/wp-includes/user.php b/wp-includes/user.php
index 0511a8a890..b36619ac9a 100644
--- a/wp-includes/user.php
+++ b/wp-includes/user.php 
@@ -4158,8 +4158,8 @@ All at ###SITENAME### $content = str_replace( '###SITENAME###', $email_data['sitename'], $content ); $content = str_replace( '###USER_EMAIL###', $email_data['user_email'], $content ); $content = str_replace( '###DESCRIPTION###', $email_data['description'], $content );
- $content = str_replace( '###MANAGE_URL###', esc_url_raw( $email_data['manage_url'] ), $content );
- $content = str_replace( '###SITEURL###', esc_url_raw( $email_data['siteurl'] ), $content );
+ $content = str_replace( '###MANAGE_URL###', sanitize_url( $email_data['manage_url'] ), $content );
+ $content = str_replace( '###SITEURL###', sanitize_url( $email_data['siteurl'] ), $content ); $headers = '';
@@ -4399,7 +4399,7 @@ All at ###SITENAME### $content = str_replace( '###SITENAME###', $email_data['sitename'], $content ); $content = str_replace( '###PRIVACY_POLICY_URL###', $email_data['privacy_policy_url'], $content );
- $content = str_replace( '###SITEURL###', esc_url_raw( $email_data['siteurl'] ), $content );
+ $content = str_replace( '###SITEURL###', sanitize_url( $email_data['siteurl'] ), $content ); $headers = '';
@@ -4720,10 +4720,10 @@ All at ###SITENAME### $content = apply_filters( 'user_request_action_email_content', $content, $email_data ); $content = str_replace( '###DESCRIPTION###', $email_data['description'], $content );
- $content = str_replace( '###CONFIRM_URL###', esc_url_raw( $email_data['confirm_url'] ), $content );
+ $content = str_replace( '###CONFIRM_URL###', sanitize_url( $email_data['confirm_url'] ), $content ); $content = str_replace( '###EMAIL###', $email_data['email'], $content ); $content = str_replace( '###SITENAME###', $email_data['sitename'], $content );
- $content = str_replace( '###SITEURL###', esc_url_raw( $email_data['siteurl'] ), $content );
+ $content = str_replace( '###SITEURL###', sanitize_url( $email_data['siteurl'] ), $content ); $headers = ''; 
diff --git a/wp-includes/version.php b/wp-includes/version.php
index 567772fe70..db6c3a5220 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -16,7 +16,7 @@ * * @global string $wp_version */
-$wp_version = '6.1-alpha-53454';
+$wp_version = '6.1-alpha-53455'; /** * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
diff --git a/wp-includes/widgets.php b/wp-includes/widgets.php
index 4aaa6112b2..639c59afa1 100644
--- a/wp-includes/widgets.php
+++ b/wp-includes/widgets.php
@@ -1767,7 +1767,7 @@ function wp_widget_rss_process( $widget_rss, $check_feed = true ) { if ( $items < 1 || 20 < $items ) { $items = 10; }
- $url = esc_url_raw( strip_tags( $widget_rss['url'] ) );
+ $url = sanitize_url( strip_tags( $widget_rss['url'] ) ); $title = isset( $widget_rss['title'] ) ? trim( strip_tags( $widget_rss['title'] ) ) : ''; $show_summary = isset( $widget_rss['show_summary'] ) ? (int) $widget_rss['show_summary'] : 0; $show_author = isset( $widget_rss['show_author'] ) ? (int) $widget_rss['show_author'] : 0;
diff --git a/wp-login.php b/wp-login.php
index f744c684db..c805921727 100644
--- a/wp-login.php
+++ b/wp-login.php
@@ -360,7 +360,7 @@ function login_footer( $input_id = '' ) { - +