From ce297a7227e4ccf7f785a44f45538a05b4753062 Mon Sep 17 00:00:00 2001
From: Andrew Ozz <admin@laptoptips.ca>
Date: Wed, 11 Mar 2015 23:23:25 +0000
Subject: [PATCH] PressThis: update _limit_url(), use esc_url_raw(). Fixes
 checking of urlencoded strings. See #31373. Built from
 https://develop.svn.wordpress.org/trunk@31737

git-svn-id: http://core.svn.wordpress.org/trunk@31718 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-admin/includes/class-wp-press-this.php | 14 ++++----------
 wp-includes/version.php                   |  2 +-
 2 files changed, 5 insertions(+), 11 deletions(-)

diff --git a/wp-admin/includes/class-wp-press-this.php b/wp-admin/includes/class-wp-press-this.php
index 240c61f2a9..4e468aab21 100644
--- a/wp-admin/includes/class-wp-press-this.php
+++ b/wp-admin/includes/class-wp-press-this.php
@@ -342,23 +342,17 @@ class WP_Press_This {
 			return '';
 		}
 
-		$url = $this->_limit_string( $url );
-
 		// HTTP 1.1 allows 8000 chars but the "de-facto" standard supported in all current browsers is 2048.
-		if ( mb_strlen( $url ) > 2048 ) {
+		if ( strlen( $url ) > 2048 ) {
 			return ''; // Return empty rather than a trunacted/invalid URL
 		}
 
-		// Only allow http(s) or protocol relative URLs.
-		if ( ! preg_match( '%^(https?:)?//%i', $url ) ) {
+		// Does it look like an URL?
+		if ( ! preg_match( '/^([!#$&-;=?-\[\]_a-z~]|%[0-9a-fA-F]{2})+$/', $url ) ) {
 			return '';
 		}
 
-		if ( strpos( $url, '"' ) !== false || strpos( $url, ' ' ) !== false ) {
-			return '';
-		}
-
-		return $url;
+		return esc_url_raw( $url, array( 'http', 'https' ) );
 	}
 
 	private function _limit_img( $src ) {
diff --git a/wp-includes/version.php b/wp-includes/version.php
index 5850d7d6f3..d5fc162506 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -4,7 +4,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '4.2-alpha-31736';
+$wp_version = '4.2-alpha-31737';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.