From cfb4179f8798cb41d3e546d9253bfe5bcbac8e40 Mon Sep 17 00:00:00 2001
From: Andrew Nacin
Date: Wed, 21 Mar 2012 14:51:10 +0000
Subject: [PATCH] Sanitize Theme URI and Author URI in WP_Theme with esc_url_raw. Escape with esc_url on display. see #20103. git-svn-id: https://develop.svn.wordpress.org/trunk@20233 602fd350-edb4-49c9-b593-d223f7449a82
---
 wp-includes/class-wp-theme.php | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/wp-includes/class-wp-theme.php b/wp-includes/class-wp-theme.php
index a4ee60906b..385d07b1d8 100644
--- a/wp-includes/class-wp-theme.php
+++ b/wp-includes/class-wp-theme.php
@@ -579,7 +579,7 @@ final class WP_Theme implements ArrayAccess {
 break;
 case 'ThemeURI' :
 case 'AuthorURI' :
- $value = esc_url( $value );
+ $value = esc_url_raw( $value );
 break;
 case 'Tags' :
 $value = array_filter( array_map( 'trim', explode( ',', strip_tags( $value ) ) ) );
@@ -627,6 +627,10 @@ final class WP_Theme implements ArrayAccess {
 }
 $value = implode( $comma, $value );
 break;
+ case 'ThemeURI' :
+ case 'AuthorURI' :
+ $value = esc_url( $value );
+ break;
 }
 return $value;
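Review bot: After the switch to `esc_url_raw()` in the `ThemeURI`/`AuthorURI` case, the value this switch returns is no longer safe to print into HTML as-is, and nothing at the case says so. `esc_url_raw()` still drops disallowed schemes but does not entity-encode, so any caller that echoes the sanitized header without going through the display branch added in the second hunk has to call `esc_url()` itself. I would add a comment above the assignment such as `// Sanitized for storage only; not HTML-escaped. Escaped with esc_url() on display.` The enclosing function starts and ends outside the hunk, so which callers read this value directly cannot be checked from here.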
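Review bot: The `esc_url()` call added for `ThemeURI` and `AuthorURI` is now the only HTML escaping these headers receive, so it matters whether every output path reaches this switch. The enclosing function starts outside the hunk; if it is skipped when a caller asks for the header without markup (not visible here), those callers get the `esc_url_raw()` value unescaped. A comment on the new case, for example `// HTML-context escaping; callers that bypass markup must call esc_url() themselves.`, would record that contract. A test with a URI containing `&` and a quote character would pin the display output.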