Check for encoding values passed to add_query_arg() #461

Open
westonruter opened this issue Sep 30, 2015 · 1 comment
Labels
Component: Extra; Focus: Code analysis (sniffs to prevent common mistakes and improve code in general); Type: Enhancement

Comments

@westonruter (Member)

This is something suitable both for WordPress-VIP and WordPress-Extra:

add_query_arg() is a really useful function, but it might not work as intended.
The values passed to it are not encoded, meaning that passing

```php
// Base URL; the variable name is $my_url on both lines (the original post had a typo in the first one).
$my_url = 'admin.php?action=delete&post_id=321';
// The value is inserted verbatim, so the '&' and '=' in it are not encoded.
$my_url = add_query_arg( 'my_arg', 'somevalue&post_id=123', $my_url );
```

You would expect the url to be: admin.php?action=delete&post_id=321&somevalue%26post_id%3D123

But in fact it becomes: admin.php?action=delete&post_id=321&somevalue&post_id=123

Using rawurlencode() on the values passed to it prevents this.
https://vip.wordpress.com/documentation/encode-values-passed-to-add_query_arg/

See https://vip.wordpress.com/documentation/code-review-what-we-look-for/#encoding-values-passed-to-add_query_arg
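The following is an added example, not code from the issue, from WordPress or from the WordPress-Coding-Standards project. It models the behaviour the issue describes (a value appended to the query string verbatim versus one passed through rawurlencode(), and which post_id PHP's $_GET ends up seeing), and then runs a heuristic regex check over a constructed PHP snippet to report add_query_arg() values that are not literals and not wrapped in rawurlencode()/urlencode(). The check is an approximation of what the requested sniff would flag, not the sniff itself; add_query_arg_model, php_get, find_unencoded_values and SAMPLE_PHP are names made up for this example.

```python
"""Model of the add_query_arg() parameter-injection from the issue, plus a
heuristic source check for unencoded values. Example code written for this
page; add_query_arg_model() is a simplified model, not WordPress's code."""
import re
from urllib.parse import parse_qs, quote, urlsplit, urlunsplit


def add_query_arg_model(key, value, url, encode=False):
    """Simplified add_query_arg(): append key=value to the URL's query string.
    encode=False inserts the value verbatim (the behaviour the issue describes);
    encode=True applies the rawurlencode() equivalent (quote with safe='')."""
    if encode:
        value = quote(value, safe="")
    parts = urlsplit(url)
    query = parts.query + ("&" if parts.query else "") + f"{key}={value}"
    return urlunsplit(parts._replace(query=query))


def php_get(url, name):
    """What PHP's $_GET[name] sees for this URL: the LAST duplicate key wins."""
    values = parse_qs(urlsplit(url).query, keep_blank_values=True).get(name)
    return values[-1] if values else None


# ---- heuristic source check (approximates the sniff the issue asks for) ----
SAFE_WRAPPERS = ("rawurlencode", "urlencode")
CALL_RE = re.compile(r"add_query_arg\s*\(")


def split_top_level(s):
    """Split s on commas not nested inside (), [] or quotes."""
    parts, depth, buf, quote_ch = [], 0, [], None
    for ch in s:
        if quote_ch:
            if ch == quote_ch:
                quote_ch = None
        elif ch in "'\"":
            quote_ch = ch
        elif ch in "([":
            depth += 1
        elif ch in ")]":
            depth -= 1
        elif ch == "," and depth == 0:
            parts.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        parts.append(tail)
    return parts


def wrapping_call(expr):
    """Return 'name' if expr is exactly name( ... ) with the closing paren last."""
    m = re.match(r"(\w+)\s*\(", expr)
    if not m or not expr.endswith(")"):
        return None
    depth = 0
    for i in range(m.end() - 1, len(expr)):
        depth += (expr[i] == "(") - (expr[i] == ")")
        if depth == 0:
            return m.group(1) if i == len(expr) - 1 else None
    return None


def is_safe_value(expr):
    """Safe = a literal without reserved characters, or wrapped in rawurlencode()/urlencode()."""
    expr = expr.strip()
    if re.fullmatch(r"'[^'&=?#]*'|\"[^\"&=?#]*\"|\d+", expr):
        return True
    return wrapping_call(expr) in SAFE_WRAPPERS


def extract_call_args(source, open_paren):
    """Return the text between the '(' at source[open_paren] and its matching ')'."""
    depth = 0
    for i in range(open_paren, len(source)):
        depth += (source[i] == "(") - (source[i] == ")")
        if depth == 0:
            return source[open_paren + 1:i]
    return ""


def find_unencoded_values(php_source):
    """Return (line, expression) for each add_query_arg() value that is not safe.
    Handles add_query_arg( $key, $value[, $url] ) and the array( k => v ) form."""
    findings = []
    for m in CALL_RE.finditer(php_source):
        line = php_source.count("\n", 0, m.start()) + 1
        args = split_top_level(extract_call_args(php_source, m.end() - 1))
        first = args[0] if args else ""
        if wrapping_call(first) == "array":
            body = first[first.index("(") + 1:-1]
        elif first.startswith("[") and first.endswith("]"):
            body = first[1:-1]
        else:
            body = None
        if body is not None:   # array form: check every value after '=>'
            values = [item.split("=>", 1)[-1].strip() for item in split_top_level(body)]
        elif len(args) >= 2:   # scalar form: the second argument is the value
            values = [args[1]]
        else:
            values = []
        findings.extend((line, v) for v in values if not is_safe_value(v))
    return findings


# Constructed PHP snippet for the check; not taken from any real plugin.
SAMPLE_PHP = """<?php
$a = add_query_arg( 'my_arg', $_GET['value'], $my_url );
$b = add_query_arg( 'my_arg', rawurlencode( $_GET['value'] ), $my_url );
$c = add_query_arg( array( 'page' => 'my-plugin', 'id' => $post_id ), admin_url( 'admin.php' ) );
$d = add_query_arg( 'my_arg', 'somevalue&post_id=123', $my_url );
"""

if __name__ == "__main__":
    base = "admin.php?action=delete&post_id=321"
    for encode in (False, True):
        url = add_query_arg_model("my_arg", "somevalue&post_id=123", base, encode=encode)
        print(f"encode={encode}: {url} -> post_id={php_get(url, 'post_id')}")
    for line, expr in find_unencoded_values(SAMPLE_PHP):
        print(f"line {line}: unencoded value passed to add_query_arg(): {expr}")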

4 participants