Flag cases when `rawurlencode` should be used over `esc_` functions
Please provide some more context here, such as example code that should be reported, and example code that shouldn't.
Closing for lack of feedback. Can be re-opened if feedback arrives and it's still something that should be flagged.
This was meant to flag cases as follows:
```php
<a href="mailto://?subject=Some%20subject&body=<?php echo esc_url( get_the_title( $post_ID ) ); ?>" rel="noopener"></a>
<a href="whatsapp://send?text=<?php echo esc_url( get_the_title( $post_ID ) ); ?>" rel="noopener"></a>
<a href="whatsapp://send?text=<?php echo esc_attr( get_the_title( $post_ID ) ); ?>" rel="noopener"></a>
```
In all cases, the properly URL-encoded value is expected. Thus, instead of `esc_url` and `esc_attr`, `rawurlencode` should be used.
Is it all query string parameter values that should be run through rawurlencode? Or just ones that might contain [^A-Za-z0-9]?
Should the whole URL then be escaped esc_url as well?
> Is it all query string parameter values that should be run through rawurlencode? Or just ones that might contain [^A-Za-z0-9]?

From the VIP code review point of view, there is this strict late escaping rule. As mainly only changesets/diffs are being reviewed, we can never tell what values are being assigned to variables. It can also change over time. So, I'd say "all".
> Should the whole URL then be escaped esc_url as well?

In my humble opinion, there is no point in escaping hardcoded strings, so often escaping only selected query string values is easier. For instance, in the WhatsApp example, using esc_url would require whitelisting its protocol, so it's definitely easier to use rawurlencode instead of esc_url.
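To make the distinction in this thread concrete, here is an added example (it is not from the issue or from the VIP coding standards) that builds the same kind of share links with only core PHP, so it runs without WordPress. The helper `build_share_url` is a hypothetical name chosen for the example; the title string is constructed to contain characters that matter inside a query string.

```php
<?php
// Added example (not from the issue thread): build share links whose query
// string values come from untrusted data, percent-encoding each value with
// rawurlencode() instead of passing it through esc_url()/esc_attr().
// Plain PHP only; no WordPress functions are required.

/**
 * Build a URL from a fixed, trusted base and an array of query parameters.
 * Every key and value is encoded with rawurlencode() (RFC 3986 style: spaces
 * become %20, and & = ? # " ' < > are all percent-encoded), so the result
 * contains no character that can add a parameter, start a fragment, or close
 * the surrounding HTML attribute.
 */
function build_share_url( string $base, array $params ): string {
    $pairs = [];
    foreach ( $params as $key => $value ) {
        $pairs[] = rawurlencode( (string) $key ) . '=' . rawurlencode( (string) $value );
    }
    return $base . implode( '&', $pairs );
}

// Constructed sample title: '&' would start a new parameter, '#' a fragment,
// and '"' would close the href attribute if it reached the markup unencoded.
$title = 'Tom & Jerry <Special> "Edition" #1';

$whatsapp = build_share_url( 'whatsapp://send?', [ 'text' => $title ] );
$mailto   = build_share_url( 'mailto:?', [ 'subject' => 'Some subject', 'body' => $title ] );

// Because rawurlencode() leaves only A-Z a-z 0-9 - _ . ~ unencoded, the
// values can be printed directly into the attribute; the hardcoded base and
// the '&' separators are trusted and need no escaping.
echo '<a href="' . $whatsapp . '" rel="noopener">Share on WhatsApp</a>', "\n";
echo '<a href="' . $mailto . '" rel="noopener">Share by e-mail</a>', "\n";

// Contrast: HTML attribute escaping (the mechanism behind esc_attr-style
// escaping) handles the markup context only. It encodes & < > " ' as HTML
// entities but leaves '#' untouched, and the entity for '&' is itself not a
// valid query string separator, so the title still breaks the link's query
// string once the browser follows it.
echo htmlspecialchars( $title, ENT_QUOTES, 'UTF-8' ), "\n";
```

Run it with `php example.php`; the first two lines are the links as they would be emitted into a template, and the last line shows why attribute escaping alone is the wrong tool for a query string value.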