From ce565d2fb274dc889411c4fac625ad89d8903d95 Mon Sep 17 00:00:00 2001 From: Drew Jaynes Date: Mon, 20 Jun 2016 08:47:20 +0000 Subject: [PATCH] Docs: Clarify documentation for `wp_logout_url()` and `wp_login_url()` and corresponding hooks to highlight whether HTML-encoded or un-encoded values should be expected. The return from `wp_logout_url()` is HTML-encoded due to its value passing through `wp_nonce_url()` and thus `esc_html()`. Adversely `wp_login_url()` passes through no such escaping and therefore should not be expected to return an HTML-encoded value. Props akibjorklund for the initial patch. Fixes #34352. git-svn-id: https://develop.svn.wordpress.org/trunk@37753 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-includes/general-template.php | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/src/wp-includes/general-template.php b/src/wp-includes/general-template.php
index 99ae18b044..e418f7220a 100644
--- a/src/wp-includes/general-template.php
+++ b/src/wp-includes/general-template.php
@@ -289,14 +289,14 @@ function wp_loginout($redirect = '', $echo = true) {
 }
 
 /**
- * Returns the Log Out URL.
+ * Retrieves the logout URL.
  *
  * Returns the URL that allows the user to log out of the site.
  *
  * @since 2.7.0
  *
  * @param string $redirect Path to redirect to on logout.
- * @return string A log out URL.
+ * @return string The logout URL. Note: HTML-encoded via esc_html() in wp_nonce_url().
  */
 function wp_logout_url($redirect = '') {
 $args = array( 'action' => 'logout' );
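Review bot: The new `@return` line for `wp_logout_url()` says the value is HTML-encoded but not what that implies for callers, which is the part people trip over. A caller that uses the value outside HTML output, for example as a redirect target, would carry encoded ampersands into the query string, so the nonce parameter presumably no longer parses as intended. I would extend the line to `@return string The logout URL. HTML-encoded via esc_html() in wp_nonce_url(); intended for HTML output only.` The same caveat fits the `$logout_url` description on the `logout_url` filter in the next hunk, since a callback that appends query arguments receives the already-encoded string. The body of `wp_logout_url()` continues outside this hunk.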
@@ -312,20 +312,21 @@ function wp_logout_url($redirect = '') {
  *
  * @since 2.8.0
  *
- * @param string $logout_url The Log Out URL.
+ * @param string $logout_url The HTML-encoded logout URL.
  * @param string $redirect Path to redirect to on logout.
  */
 return apply_filters( 'logout_url', $logout_url, $redirect );
 }
 
 /**
- * Returns the URL that allows the user to log in to the site.
+ * Retrieves the login URL.
  *
  * @since 2.7.0
  *
- * @param string $redirect Path to redirect to on login.
- * @param bool $force_reauth Whether to force reauthorization, even if a cookie is present. Default is false.
- * @return string A log in URL.
+ * @param string $redirect Path to redirect to on log in.
+ * @param bool $force_reauth Whether to force reauthorization, even if a cookie is present.
+ * Default false.
+ * @return string The login URL. Not HTML-encoded.
  */
 function wp_login_url($redirect = '', $force_reauth = false) {
 $login_url = site_url('wp-login.php', 'login');
@@ -342,7 +343,7 @@ function wp_login_url($redirect = '', $force_reauth = false) {
  * @since 2.8.0
  * @since 4.2.0 The `$force_reauth` parameter was added.
  *
- * @param string $login_url The login URL.
+ * @param string $login_url The login URL. Not HTML-encoded.
  * @param string $redirect The path to redirect to on login, if supplied.
  * @param bool $force_reauth Whether to force reauthorization, even if a cookie is present.
  */
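Review bot: "Not HTML-encoded" on the `@return` of `wp_login_url()` states the fact but leaves out what a caller has to do about it. `$redirect` is caller-supplied and presumably ends up in the query string further down, outside this hunk, so a template that echoes the return value into an `href` unescaped is the case worth naming. I would write `@return string The login URL. Not HTML-encoded; escape with esc_url() on output.` and use the same wording for `$login_url` on the `login_url` filter in the last hunk. Separately, `$redirect` now reads "on log in" here while the filter docblock keeps "on login"; one spelling would be cleaner.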