From 49596ff2c17b39702ebd3f8da05911ee4765122e Mon Sep 17 00:00:00 2001
From: Andrew Nacin
Date: Wed, 10 Jul 2013 13:45:22 +0000
Subject: [PATCH] Skip protocol checking in esc_url() when we are dealing with a relative URL. Prevents munging of colons in paths and query strings, when present in a protocol-relative URL. props SergeyBiryukov. fixes #21974.
git-svn-id: https://develop.svn.wordpress.org/trunk@24642 602fd350-edb4-49c9-b593-d223f7449a82
---
 wp-includes/formatting.php | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/wp-includes/formatting.php b/wp-includes/formatting.php
index df1e490750..822f4dd337 100644
--- a/wp-includes/formatting.php
+++ b/wp-includes/formatting.php
@@ -2645,11 +2645,15 @@ function esc_url( $url, $protocols = null, $_context = 'display' ) {
 $url = str_replace( "'", ''', $url );
 }
 
- if ( ! is_array( $protocols ) )
- $protocols = wp_allowed_protocols();
- $good_protocol_url = wp_kses_bad_protocol( $url, $protocols );
- if ( strtolower( $good_protocol_url ) != strtolower( $url ) )
- return '';
+ if ( '/' === $url[0] ) {
+ $good_protocol_url = $url;
+ } else {
+ if ( ! is_array( $protocols ) )
+ $protocols = wp_allowed_protocols();
+ $good_protocol_url = wp_kses_bad_protocol( $url, $protocols );
+ if ( strtolower( $good_protocol_url ) != strtolower( $url ) )
+ return '';
+ }
 
 return apply_filters('clean_url', $good_protocol_url, $original_url, $_context);
 }
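Review bot: The new `'/' === $url[0]` branch returns any URL that begins with a slash without consulting `$protocols`, so a caller that passes a narrowed allow-list (for example only `https`) now also accepts `/path` and protocol-relative `//host/path` values, and nothing in the hunk documents that. I would add a comment above the branch, `// Relative and protocol-relative URLs skip the $protocols check; callers needing a scheme or host restriction must validate separately.`, and repeat it in the function's docblock. The branch also indexes `$url[0]` directly; the body of esc_url() starts outside this hunk, so I cannot see whether an empty string is ruled out after the earlier replacements, and if it is not, `if ( '' !== $url && '/' === $url[0] ) {` avoids the string-offset notice. Presumably wp_kses_bad_protocol() does some normalisation beyond scheme matching that slash-prefixed URLs no longer receive, so it is worth confirming that the earlier sanitising steps cover it.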