Petr "Pasky" Baudis wrote: >>> I have also made esc_param() escape [?=&;]. Not escaping [&;] was downright >>> buggy and [?=] just feels better escaped. ;-) YMMV. > ..snip.. >> I'd rather have new esc_param() or esc_param_value() quote like escape >> subroutine from CGI::Util, with the esception of _not_ escaping '/' >> (it makes funny bookmark, and lot less readable query string), and rename >> current esc_param() to esc_query_string() or esc_params(). > > Huh, well, what's the point with the rename and why not keep it as it is > with just removing the four characters above? Escaped stuff looks ugly > in a URL. ;-) There are few places where we escape whole URL (so I'd prefer esc_url() for current implementation): esc_param($home_link) and soon esc_param($githelp_url) (and _not_ esc_html($githelp_url)). And those URLs can contain query strings, so we cannot escape '?', ';' and '&', '=' there. Before introduction of href() subroutine we escaped using esc_param the whole query string, hence esc_param did not escaped [?=&;]. -- Jakub Narebski Poland - To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html