[wp-trac] [WordPress Trac] #16541: get_search_form() ignores $echo argument if searchform.php exists
WordPress Trac
wp-trac at lists.automattic.com
Fri Oct 5 06:30:48 UTC 2012
#16541: get_search_form() ignores $echo argument if searchform.php exists
------------------------------------+------------------------------
Reporter: kawauso | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Template | Version: 3.0
Severity: normal | Resolution:
Keywords: has-patch dev-feedback |
------------------------------------+------------------------------
Comment (by bitacre):
Replying to [comment:8 chipbennett]:
> Is there some performance and/or security issue with using
> `file_get_contents()`, or something else that I'm missing?
Not necessarily, and `file_get_contents()` was also my first thought. It
works beautifully for pure HTML forms, but if there is any PHP involved,
it's a lot riskier.
It will (1) pass PHP code as plain text, and (2) require an `eval()` to
run that code, all from a form where a 3rd party user can directly submit
input. I can't think of a specific exploit, but it makes me nervous,
especially when an object buffer is a viable alternative.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/16541#comment:12>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
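For reference, the output-buffer approach discussed in the thread, written as an added example (not WordPress core code and not the ticket's patch): a `get_search_form()`-style helper that honours `$echo` when the theme provides `searchform.php` by including the template inside an output buffer, so its PHP is executed by the engine rather than read as text and passed to `eval()`. It assumes it runs inside WordPress (`locate_template()`, `apply_filters()`, `esc_url()`, `home_url()`, `get_search_query()`, `esc_attr()` exist there); the function name is hypothetical.

```php
<?php
// Added example, not WordPress core code. Assumes a WordPress runtime;
// the function name is hypothetical.

function example_get_search_form( $echo = true ) {
    // locate_template() returns the path of searchform.php in the child or
    // parent theme, or '' when neither ships one.
    $template = locate_template( 'searchform.php' );

    if ( '' !== $template ) {
        // Output buffering: the template is run as a normal include, so any
        // PHP inside it executes in place and only the rendered HTML is
        // captured. Nothing is eval()'d and the template's source code is
        // never handled as a string (file_get_contents() would return the
        // raw "<?php ... ?>" text instead of its output).
        ob_start();
        include $template;
        $form = ob_get_clean();
    } else {
        // Fallback markup when the theme has no searchform.php.
        $form = '<form role="search" method="get" action="'
              . esc_url( home_url( '/' ) ) . '">'
              . '<label><input type="search" name="s" value="'
              . esc_attr( get_search_query() ) . '" /></label>'
              . '<input type="submit" value="Search" />'
              . '</form>';
    }

    // Same filter core applies to the search form markup.
    $form = apply_filters( 'get_search_form', $form );

    // Honour $echo in both branches, which is the bug the ticket describes.
    if ( $echo ) {
        echo $form;
        return null;
    }

    return $form;
}
```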