Customize: Properly escape URLs passed by url and return parameters.

This changeset replaces `sanitize_text_field()` with `esc_url_raw()` for URLs passed via `url` and `return` query vars. This fixes an issue where the URL `example.com/หน้าภาษาไทย` would incorrectly return `example.com//` due to improper sanitization when clicking on the Customize button through the admin bar. Props okvee, yahaly, hellofromTonya, veryard, dilip2615, amin7, swissspidy, audrasjb. Fixes #61317. Built from https://develop.svn.wordpress.org/trunk@59945 git-svn-id: http://core.svn.wordpress.org/trunk@59287 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2025-03-12 22:59:24 +01:00 · 2025-03-06 15:01:23 +00:00 · 2025-03-06 15:01:23 +00:00 · 9f477686c8
commit 9f477686c8
parent a422e1033a
2 changed files with 3 additions and 3 deletions
--- a/wp-admin/customize.php
+++ b/wp-admin/customize.php
@ -84,8 +84,8 @@ if ( $wp_customize->changeset_post_id() ) {
 	}
 }

-$url       = ! empty( $_REQUEST['url'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['url'] ) ) : '';
-$return    = ! empty( $_REQUEST['return'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['return'] ) ) : '';
+$url       = ! empty( $_REQUEST['url'] ) ? esc_url_raw( wp_unslash( $_REQUEST['url'] ) ) : '';
+$return    = ! empty( $_REQUEST['return'] ) ? esc_url_raw( wp_unslash( $_REQUEST['return'] ) ) : '';
 $autofocus = ! empty( $_REQUEST['autofocus'] ) && is_array( $_REQUEST['autofocus'] )
 	? array_map( 'sanitize_text_field', wp_unslash( $_REQUEST['autofocus'] ) )
 	: array();
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@ -16,7 +16,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '6.8-beta1-59944';
+$wp_version = '6.8-beta1-59945';

 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.