[wp-trac] Re: [WordPress Trac] #7386: clean_url() shouldn't touch dollar, asterisk or single quote characters

WordPress Trac wp-trac at lists.automattic.com
Wed Aug 6 22:26:35 GMT 2008


#7386: clean_url() shouldn't touch dollar, asterisk or single quote characters
-----------------------+----------------------------------------------------
 Reporter:  sambauers  |        Owner:  anonymous
     Type:  defect     |       Status:  new      
 Priority:  low        |    Milestone:  2.7      
Component:  General    |      Version:  2.6      
 Severity:  minor      |   Resolution:           
 Keywords:  has-patch  |  
-----------------------+----------------------------------------------------
Comment (by santosj):

 Replying to [comment:1 markjaquith]:
 > Leaving single quotes unescaped would be an XSS security vulnerability.
 > I've no objection to the other characters being allowed.  Punting this to
 > 2.7

 Sanitizing shouldn't be done in URLs, it should be done when the page is
 printed. I don't see how it would matter. If it needs it, then the URL
 must always be contained within double quotes. That should negate the XSS
 vulnerability.

-- 
Ticket URL: <http://trac.wordpress.org/ticket/7386#comment:2>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
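
The exchange above turns on the quoting context of the attribute the URL
ends up in. The following is an added illustration, not code from the ticket
or from WordPress: it renders a URL containing a single quote into an href
delimited three ways (double quotes, single quotes, no quotes), tokenises the
resulting start tag with a simplified model of the HTML5 attribute-value
rules, and reports which attributes the URL managed to inject. The attacker
URL is constructed for the demo, and the assumption that clean_url() turns
' into &#039; is a model of the behaviour under discussion, not its actual
implementation.

```python
# Added illustration (not WordPress code): why the quoting context of an HTML
# attribute decides whether a single quote in a URL is harmless.
from typing import Dict, List, Tuple

# Constructed attacker-controlled URL for the demo. The single quote is the
# character the ticket argues about.
PAYLOAD_URL = "http://example.com/?q=x' onmouseover='alert(1)"


def escape_single_quote(url: str) -> str:
    """Model of the clean_url() behaviour under discussion: encode ' as &#039;.
    The exact entity is an assumption made for this example."""
    return url.replace("'", "&#039;")


def render_link(url: str, quote: str) -> str:
    """Emit an <a> tag whose href is delimited by `quote`: '"', "'" or '' (unquoted)."""
    return f"<a href={quote}{url}{quote}>link</a>"


def attribute_names(start_tag: str) -> List[str]:
    """Return the attribute names of one start tag, tokenised the way the HTML5
    tokenizer does (simplified): a double-quoted value ends at the next ",
    a single-quoted value at the next ', an unquoted value at whitespace or >.
    Entity references are plain text here; they never terminate a value."""
    s, n, ws = start_tag, len(start_tag), " \t\n\r\f"
    i = 1                                   # skip "<"
    while i < n and s[i] not in ws + "/>":  # skip the tag name
        i += 1
    names: List[str] = []
    while i < n:
        while i < n and s[i] in ws:
            i += 1
        if i >= n or s[i] == ">":
            break
        start = i
        while i < n and s[i] not in ws + "=>":
            i += 1
        names.append(s[start:i].lower())
        while i < n and s[i] in ws:
            i += 1
        if i < n and s[i] == "=":
            i += 1
            while i < n and s[i] in ws:
                i += 1
            if i < n and s[i] in "\"'":
                q = s[i]
                i += 1
                while i < n and s[i] != q:  # quoted value: only the same quote ends it
                    i += 1
                i += 1
            else:
                while i < n and s[i] not in ws + ">":  # unquoted value: space ends it
                    i += 1
    return names


def injected_attributes(url: str, quote: str) -> List[str]:
    """Attributes other than href that the URL manages to add to the tag."""
    return [a for a in attribute_names(render_link(url, quote)) if a != "href"]


def run_demo() -> Dict[Tuple[str, str], List[str]]:
    """Raw and escaped payload in each of the three attribute-quoting contexts."""
    contexts = {"double-quoted": '"', "single-quoted": "'", "unquoted": ""}
    results: Dict[Tuple[str, str], List[str]] = {}
    for label, quote in contexts.items():
        results[(label, "raw")] = injected_attributes(PAYLOAD_URL, quote)
        results[(label, "escaped")] = injected_attributes(
            escape_single_quote(PAYLOAD_URL), quote)
    return results


if __name__ == "__main__":
    for (ctx, form), extra in run_demo().items():
        print(f"{ctx:14s} {form:8s} injected attributes: {extra or 'none'}")
```

Run stand-alone it shows the three outcomes behind the thread: inside a
double-quoted href the raw quote stays part of the value, inside a
single-quoted href it terminates the value and onmouseover becomes a real
attribute, and encoding the quote closes that hole. It also shows the case
neither argument covers: an unquoted href is ended by the space, so the
encoded payload still injects an attribute. Escaping in clean_url() and the
"always double quote the attribute" rule each cover a context the other does
not.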

