From e4ed73e98070831f3e437a165d9bf818f0fd05f1 Mon Sep 17 00:00:00 2001 From: Sergey Biryukov Date: Tue, 31 May 2022 15:15:58 +0000 Subject: [PATCH] Formatting: Make `sanitize_url()` the recommended function for sanitizing a URL. A general security rule is "Sanitize when you save, escape when you echo". In WordPress 5.9, `sanitize_url()` was un-deprecated in order to better align with the naming of other sanitizing functions, while still being an alias for `esc_url_raw()`. This commit reverses the order and turns `esc_url_raw()` into a wrapper for `sanitize_url()`, making the latter the canonical function call and aiming to improve performance by reducing the number of function calls required when using the recommended technique. Follow-up to [11383], [13096], [51597]. Props benjgrolleau, peterwilsoncc, SergeyBiryukov. See #55852. git-svn-id: https://develop.svn.wordpress.org/trunk@53452 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-includes/formatting.php | 45 +++++++++++++++++-----------------
 1 file changed, 23 insertions(+), 22 deletions(-)
diff --git a/src/wp-includes/formatting.php b/src/wp-includes/formatting.php
index 06e0f26aae..b8701c5822 100644
--- a/src/wp-includes/formatting.php
+++ b/src/wp-includes/formatting.php 
@@ -4458,9 +4458,30 @@ function esc_url( $url, $protocols = null, $_context = 'display' ) {
 }
 
 /**
- * Performs esc_url() for database or redirect usage.
+ * Sanitizes a URL for database or redirect usage.
+ *
+ * This function is an alias for sanitize_url().
  *
  * @since 2.8.0
+ * @since 6.1.0 Turned into an alias for sanitize_url().
+ *
+ * @see sanitize_url()
+ *
+ * @param string $url The URL to be cleaned.
+ * @param string[] $protocols Optional. An array of acceptable protocols.
+ * Defaults to return value of wp_allowed_protocols().
+ * @return string The cleaned URL after sanitize_url() is run.
+ */
+function esc_url_raw( $url, $protocols = null ) {
+ return sanitize_url( $url, $protocols );
+}
+
+/**
+ * Sanitizes a URL for database or redirect usage.
+ *
+ * @since 2.3.1
+ * @since 2.8.0 Deprecated in favor of esc_url_raw().
+ * @since 5.9.0 Restored (un-deprecated).
  *
  * @see esc_url()
  *
@@ -4469,28 +4490,8 @@ function esc_url( $url, $protocols = null, $_context = 'display' ) {
  * Defaults to return value of wp_allowed_protocols().
  * @return string The cleaned URL after esc_url() is run with the 'db' context.
  */
-function esc_url_raw( $url, $protocols = null ) {
- return esc_url( $url, $protocols, 'db' );
-}
-
-/**
- * Performs esc_url() for database or redirect usage.
- *
- * This function is an alias for esc_url_raw().
- *
- * @since 2.3.1
- * @since 2.8.0 Deprecated in favor of esc_url_raw().
- * @since 5.9.0 Restored (un-deprecated).
- *
- * @see esc_url_raw()
- *
- * @param string $url The URL to be cleaned.
- * @param string[] $protocols Optional. An array of acceptable protocols.
- * Defaults to return value of wp_allowed_protocols().
- * @return string The cleaned URL after esc_url() is run with the 'db' context.
- */
 function sanitize_url( $url, $protocols = null ) {
- return esc_url_raw( $url, $protocols );
+ return esc_url( $url, $protocols, 'db' );
 }
 
 /**
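Review bot: sanitize_url() gets a new implementation in the second hunk (it now calls esc_url() with the 'db' context directly), but the docblock written for it in the first hunk stops its changelog at 5.9.0, whereas esc_url_raw() received a 6.1.0 entry for the same change; a parallel line is missing after the 5.9.0 line, e.g. `* @since 6.1.0 Now the canonical function; esc_url_raw() became an alias for it.`. Since this is the function the commit recommends for the "sanitize when you save" step, the docblock would also benefit from telling callers what the 'db' context output is for, so that it is not mistaken for the display-escaped form that esc_url() produces with its default context. A one-line note such as `* The result is intended for storage and redirects; escape it with esc_url() when echoing it.` would carry the commit message's "escape when you echo" rule into the code itself. Both points apply to the sanitize_url() docblock only; the esc_url_raw() docblock in the first hunk already documents its alias status.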