From a547d6fed1617b1362f31e30a96fd945dc2d9925 Mon Sep 17 00:00:00 2001
From: Aaron Jorbin
Date: Fri, 3 Jul 2015 14:27:11 +0000
Subject: [PATCH] Don't strip newline in esc_url() when protocol is mailto: The mailto protocol is a bit different than the other protocols in that new lines are something you might realistically want to include. Includes tests to make sure that http protocol urls that contain mailto: aren't affected. Tests for stripping newlines in general already exist. Fixes #31632 Props danielbachhuber git-svn-id: https://develop.svn.wordpress.org/trunk@33064 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-admin/about.php | 2 +-
 src/wp-includes/formatting.php | 6 +++--
 tests/phpunit/tests/formatting/EscUrl.php | 28 +++++++++++++++++++++++
 3 files changed, 33 insertions(+), 3 deletions(-)
diff --git a/src/wp-admin/about.php b/src/wp-admin/about.php
index 1f387eb9b1..ef81bd3714 100644
--- a/src/wp-admin/about.php
+++ b/src/wp-admin/about.php
@@ -41,7 +41,7 @@ include( ABSPATH . 'wp-admin/admin-header.php' );
- +

diff --git a/src/wp-includes/formatting.php b/src/wp-includes/formatting.php
index bbd3e4bffc..d860784356 100644
--- a/src/wp-includes/formatting.php
+++ b/src/wp-includes/formatting.php
@@ -3159,8 +3159,10 @@ function esc_url( $url, $protocols = null, $_context = 'display' ) {
 if ( '' == $url )
 return $url;
 $url = preg_replace('|[^a-z0-9-~+_.?#=!&;,/:%@$\|*\'()\\x80-\\xff]|i', '', $url);
- $strip = array('%0d', '%0a', '%0D', '%0A');
- $url = _deep_replace($strip, $url);
+ if ( 0 !== stripos( $url, 'mailto:' ) ) {
+ $strip = array('%0d', '%0a', '%0D', '%0A');
+ $url = _deep_replace($strip, $url);
+ }
 $url = str_replace(';//', '://', $url);
 /* If the URL doesn't appear to contain a scheme, we
 * presume it needs http:// appended (unless a relative
diff --git a/tests/phpunit/tests/formatting/EscUrl.php b/tests/phpunit/tests/formatting/EscUrl.php
index 9b97a92df8..b4d05d3921 100644
--- a/tests/phpunit/tests/formatting/EscUrl.php
+++ b/tests/phpunit/tests/formatting/EscUrl.php
@@ -68,4 +68,32 @@ class Tests_Formatting_EscUrl extends WP_UnitTestCase {
 function test_protocol_relative_with_colon() { $this->assertEquals( '//example.com/foo?foo=abc:def', esc_url( '//example.com/foo?foo=abc:def' ) ); } + + /** + * @ticket 31632 + */ + function test_mailto_with_newline() { + $body = <<assertEquals( 'mailto:?body=Hi%20there%2C%0A%0AI%20thought%20you%20might%20want%20to%20sign%20up%20for%20this%20newsletter', $email_link ); + } + /** + * @ticket 31632 + */ + function test_mailto_in_http_url_with_newline() { + $body = <<assertEquals( 'http://example.com/mailto:?body=Hi%20there%2CI%20thought%20you%20might%20want%20to%20sign%20up%20for%20this%20newsletter', $email_link ); + } + }
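Review bot: The new `0 !== stripos( $url, 'mailto:' )` guard switches off `%0d`/`%0a` stripping for the whole mailto URL, not only for the `body` field the commit message describes, so percent-encoded line breaks now also survive in the address part and in header fields such as `subject` or `cc`. The guard applies for every `$_context` and runs before any scheme allow-list check, which presumably happens later in esc_url(), outside this hunk. A caller that reuses the escaped value somewhere other than an `href` attribute therefore has to treat those sequences itself. The exemption should at least be documented above the `if`, for example `// mailto: URLs may carry %0A/%0D as line breaks in body=; every other scheme has them removed.`, with a matching sentence in the esc_url() docblock. If only the body is meant to keep line breaks, limiting the skip to the part after `?` would be tighter.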
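Review bot: The two added tests cover only a lower-case `mailto:` scheme with the line break in `body`, while the guard in esc_url() matches the scheme case-insensitively and exempts the whole URL. A further case such as `function test_mailto_uppercase_scheme_with_newline()`, plus one with `%0A` in `subject` or the address part, would pin down what the exemption is meant to allow. The heredoc bodies are not readable in this view, so this is judged from the expected strings alone. As a style point, `test_mailto_in_http_url_with_newline()` follows the preceding `}` directly, where the first new test is separated by a blank line. The class body starts outside the hunk.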