[wp-hackers] Re: [wp-svn] [3939] trunk/wp-includes/pluggable.php:
Allow % so entities such as slashes don't break.
Sam Angove
sam at rephrase.net
Fri Jun 30 03:22:10 GMT 2006
On 6/30/06, Matt Mullenweg <m at mullenweg.com> wrote:
>
> > + $strip = array('%0d', '%0a');
>
> Is this a comprehensive list of dangerous entities that can be encoded?
> Might be best to take a whitelist approach here instead for a set of
> encoded entities or a fixed range.
Is it even necessary to strip those? Aren't they only dangerous (for
HTTP response splitting, etc.) if they're urldecoded?
More information about the wp-hackers
mailing list