Rejoice to sanitize_url()

At least once a day, someone has to explain that the only esc_ function you can use to sanitize is esc_url_raw(). This stems from what was (at the time) a logical change. The function sanitize_url() was an alias for esc_url_raw() and it’s redundant to have both.

Except …

Over the years, WordPress has evolved and improved function names to the point that we can nearly say “Use sanitize_ functions to sanitize and esc_ functions to escape” which makes life a lot easier for new users. They don’t have to remember any odd-functions-out except the wp_kses* ones.

For WordPress 5.9, I made a ticket to restore sanitize_url() and I’m delighted to be able to say that it’s back! It’s un-deprecated!

What’s the difference?

Nothing, except the name.

Can I keep using esc_url_raw()?

Yes, for now. Eventually we’d like to wean people off it, but it’s a process. No worries. If you’re using it, we won’t ding you.

Why does this matter?

Because now you (and anyone else) can look at $variable = sanitize_url( $_POST['variable_url'] ); and know “Ah, yes, this is sanitized.”

Are you only posting this because you made the change?

No. I’m posting this because I promised some of the people I made that ticket for that I would 🙂 It’s delayed because I’ve been swamped.

It’s something that changes very little for most people, but will greatly help newer developers and minimize their confusion. And that? That is a fantastic thing!

My code sniffer tells me it’s wrong, what do I do?

Tell the people who run the sniffer, but keep in mind they’re probably adding in a bunch of changes, so it may take a while 🙂 Be cognizant of the work they do and respectful of the time they give you. Helps everyone.

#core, #security