Customize: Properly escape URLs passed by url and return parameters.

This changeset replaces `sanitize_text_field()` with `esc_url_raw()` for URLs passed via `url` and `return` query vars. This fixes an issue where the URL `example.com/หน้าภาษาไทย` would incorrectly return `example.com//` due to improper sanitization when clicking on the Customize button through the admin bar.

Props okvee, yahaly, hellofromTonya, veryard, dilip2615, amin7, swissspidy, audrasjb.
Fixes #61317.



git-svn-id: https://develop.svn.wordpress.org/trunk@59945 602fd350-edb4-49c9-b593-d223f7449a82

Author: audrasjb

src/wp-admin/customize.php

@@ -84,8 +84,8 @@
 	}
 }
 
-$url       = ! empty( $_REQUEST['url'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['url'] ) ) : '';
-$return    = ! empty( $_REQUEST['return'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['return'] ) ) : '';
+$url       = ! empty( $_REQUEST['url'] ) ? esc_url_raw( wp_unslash( $_REQUEST['url'] ) ) : '';
+$return    = ! empty( $_REQUEST['return'] ) ? esc_url_raw( wp_unslash( $_REQUEST['return'] ) ) : '';
 $autofocus = ! empty( $_REQUEST['autofocus'] ) && is_array( $_REQUEST['autofocus'] )
 	? array_map( 'sanitize_text_field', wp_unslash( $_REQUEST['autofocus'] ) )
 	: array();