[wp-hackers] Why WP_SITEURL and not $_SERVER['HTTP_HOST']?
Jeremy Visser
jeremy at visser.name
Tue Mar 30 11:37:26 UTC 2010
On 30/03/10 16:45, Mike Schinkel wrote:
> Anyone know why WordPress doesn't just use $_SERVER['HTTP_HOST'] and
> instead requires setting of WP_SITEURL (and WP_HOME?)
>
> There's obviously a good reason why it wasn't used, right?

GET / HTTP/1.1
Host: " onclick="nastyCode()" dummy="

I can't really think of any practical applications for this, but using
HTTP_HOST is a possible path for arbitrary unfiltered strings to be
echoed out. My above example is a bit naïve though - do forgive me.
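
The concern raised in the message above, as an added example that is not part of the original post and is not WordPress code: a Host header echoed into markup unfiltered, beside a version that accepts only configured host names and escapes on output. `CONFIGURED_HOSTS`, the function names and the example.org hosts are assumptions made for illustration.

```php
<?php
// Added example; CONFIGURED_HOSTS and all function names are hypothetical.

// Hosts the site owner has configured (the role a fixed WP_SITEURL plays).
const CONFIGURED_HOSTS = ['example.org', 'www.example.org'];

// Unsafe: the Host header is client-controlled and lands in an attribute as-is.
function link_unsafe(array $server): string
{
    return '<a href="http://' . $server['HTTP_HOST'] . '/">Home</a>';
}

// Accept the header only when it matches a configured host; otherwise fall
// back to the first configured host instead of trusting the request.
function trusted_host(array $server): string
{
    $host = strtolower(trim($server['HTTP_HOST'] ?? ''));
    $host = preg_replace('/:\d+$/', '', $host); // ignore an optional port
    return in_array($host, CONFIGURED_HOSTS, true) ? $host : CONFIGURED_HOSTS[0];
}

// Safer: allowlisted host, and the URL is still escaped at the point of output.
function link_safe(array $server): string
{
    $url = 'http://' . trusted_host($server) . '/';
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">Home</a>';
}

// Constructed sample requests: a normal Host header and the one from the message.
$samples = [
    ['HTTP_HOST' => 'www.example.org'],
    ['HTTP_HOST' => '" onclick="nastyCode()" dummy="'],
];

foreach ($samples as $server) {
    echo 'unsafe: ', link_unsafe($server), PHP_EOL;
    echo 'safe:   ', link_safe($server), PHP_EOL;
}
```

With the second sample, the unsafe link contains the header's quotes and attributes verbatim, while the safe link falls back to the first configured host.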