From 43b55b450972af58a10f1c1c0b1bdab51d467f67 Mon Sep 17 00:00:00 2001 From: Sergey Biryukov Date: Tue, 10 Aug 2021 19:43:33 +0000 Subject: [PATCH] General: Restore (un-deprecate) the `sanitize_url()` function. A general security rule is "Sanitize when you save, escape when you echo", and for the most part WordPress has well-named functions like `sanitize_email()` and others, with `esc_url_raw()` being a single exception that does not follow the naming. This commit restores the previously deprecated `sanitize_url()` function as a valid alias of `esc_url_raw()`. This better aligns with the naming with other `sanitize_*()` functions: * `sanitize_bookmark()` * `sanitize_bookmark_field()` * `sanitize_category()` * `sanitize_category_field()` * `sanitize_comment_cookies()` * `sanitize_email()` * `sanitize_file_name()` * `sanitize_hex_color()` * `sanitize_hex_color_no_hash()` * `sanitize_html_class()` * `sanitize_key()` * `sanitize_meta()` * `sanitize_mime_type()` * `sanitize_option()` * `sanitize_post()` * `sanitize_post_field()` * `sanitize_sql_orderby()` * `sanitize_term()` * `sanitize_term_field()` * `sanitize_text_field()` * `sanitize_textarea_field()` * `sanitize_title()` * `sanitize_title_for_query()` * `sanitize_title_with_dashes()` * `sanitize_trackback_urls()` * `sanitize_user()` * `sanitize_user_field()` Follow-up to [11383], [13096]. Props Ipstenu, aadilali. Fixes #53876. git-svn-id: https://develop.svn.wordpress.org/trunk@51597 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-includes/deprecated.php | 16 ----------------
 src/wp-includes/formatting.php | 22 +++++++++++++++++++++-
 2 files changed, 21 insertions(+), 17 deletions(-)
diff --git a/src/wp-includes/deprecated.php b/src/wp-includes/deprecated.php
index 43ced1429e..dcce1c1cea 100644
--- a/src/wp-includes/deprecated.php
+++ b/src/wp-includes/deprecated.php
@@ -2023,22 +2023,6 @@ function get_link( $bookmark_id, $output = OBJECT, $filter = 'raw' ) {
 	return get_bookmark($bookmark_id, $output, $filter);
 }
 
-/**
- * Performs esc_url() for database or redirect usage.
- *
- * @since 2.3.1
- * @deprecated 2.8.0 Use esc_url_raw()
- * @see esc_url_raw()
- *
- * @param string $url The URL to be cleaned.
- * @param array $protocols An array of acceptable protocols.
- * @return string The cleaned URL.
- */
-function sanitize_url( $url, $protocols = null ) {
-	_deprecated_function( __FUNCTION__, '2.8.0', 'esc_url_raw()' );
-	return esc_url_raw( $url, $protocols );
-}
-
 /**
  * Checks and cleans a URL.
  *
diff --git a/src/wp-includes/formatting.php b/src/wp-includes/formatting.php
index 05a535bab3..460c29e5a3 100644
--- a/src/wp-includes/formatting.php
+++ b/src/wp-includes/formatting.php
@@ -4404,7 +4404,7 @@ function esc_url( $url, $protocols = null, $_context = 'display' ) {
 }
 
 /**
- * Performs esc_url() for database usage.
+ * Performs esc_url() for database or redirect usage.
  *
  * @since 2.8.0
  *
@@ -4419,6 +4419,26 @@ function esc_url_raw( $url, $protocols = null ) {
 	return esc_url( $url, $protocols, 'db' );
 }
 
+/**
+ * Performs esc_url() for database or redirect usage.
+ *
+ * This function is an alias for esc_url_raw().
+ *
+ * @since 2.3.1
+ * @since 2.8.0 Deprecated in favor of esc_url_raw().
+ * @since 5.9.0 Restored (un-deprecated).
+ *
+ * @see esc_url_raw()
+ *
+ * @param string $url The URL to be cleaned.
+ * @param string[] $protocols Optional. An array of acceptable protocols.
+ * Defaults to return value of wp_allowed_protocols().
+ * @return string The cleaned URL after esc_url() is run with the 'db' context.
+ */
+function sanitize_url( $url, $protocols = null ) {
+	return esc_url_raw( $url, $protocols );
+}
+
 /**
  * Convert entities, while preserving already-encoded entities.
  *
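Review bot: The new docblock on `sanitize_url()` in the third hunk describes the return only as "The cleaned URL after esc_url() is run with the 'db' context", which does not tell a reader that this output is meant for storage and redirect targets rather than for output in markup, and a function now named "sanitize" is more likely than `esc_url_raw()` to be mistaken for a display-safe escaper. Since the commit message itself frames this as "Sanitize when you save, escape when you echo", the docblock should state that rule explicitly, for example adding after the alias sentence: ` * The result is intended for storage or redirect targets, not for output in HTML; pass the value through esc_url() when echoing it.` The `@return` line could likewise read ` * @return string The cleaned URL, suitable for saving or redirecting but not yet escaped for display.` so the 'db' context reference is meaningful without reading esc_url(). The added function is contained entirely within the hunk.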