[wp-trac] [WordPress Trac] #19354: wp_allowed_protocols() does not allow data URI scheme

WordPress Trac noreply at wordpress.org
Sun Sep 8 17:28:10 UTC 2013

#19354: wp_allowed_protocols() does not allow data URI scheme
 Reporter:  hardy101                |       Owner:
     Type:  defect (bug)            |      Status:  closed
 Priority:  normal                  |   Milestone:
Component:  General                 |     Version:  3.2.1
 Severity:  normal                  |  Resolution:  wontfix
 Keywords:  dev-feedback has-patch  |
Changes (by duck_):

 * status:  new => closed
 * resolution:   => wontfix
 * milestone:  3.7 =>


 Replying to [comment:10 nacin]:
 > I'm not sure we can trust the contents of the `data` URI scheme. Anyone
 have any links/white papers arguing either way?

 Nope, we cannot trust data URIs.

 Backup evidence: "several pseudo-schemes exist specifically to enable
 scripting or URL-contained data rendering in the security context
 inherited from the caller" from

Ticket URL: <http://core.trac.wordpress.org/ticket/19354#comment:11>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software

More information about the wp-trac mailing list