[wp-hackers] add_magic_quotes() Plans for removal?
CaptainN at unFocus.com
Mon Mar 7 19:32:17 UTC 2011
On 3/7/11 10:25 AM, Peter Westwood wrote:
> As has been said in response to previous threads on this subject.
> We would love to remove this code but we can't without opening up numerous possible security issues in plugins which unfortunately rely on it.
> If you want to go through and review every plugin in the plugin repo.
> Create patches and get them accepted by the plugin authors.
> Then we can consider removing this code. Until then it is not a good idea.
> -- Peter Westwood
I made two suggestions to deal with this, including at least adding a
way for those of us who want to develop responsibly to be able to do so,
by checking the php.ini setting. WordPress is BREAKING this, and it
should be fixed (which doesn't imply it has to stop magic quoting anything).
I also suggested making it a config option to sidestep the issue of
opening up security vulnerabilities, which would be off by default. I
will not use the plugins in question, and would love to be able to
toggle this off for my own purposes, understanding the risks.
Here's another idea - some way for new plugins to call a method that
would disable this for the plugin (you can already do it manually - in
fact some are just doing it to the $_POST array - which will open that
security vulnerability - there's something to think about). You could
then call up a deprecation message for any plugin that doesn't actually
disable this (this needs more thought, but you get the idea).
It's true that changing this is problematic, but it's also problematic
to avoid changing it forever, or to even avoid coming up with a plan to
change it at some point.
More information about the wp-hackers