[wp-trac] [WordPress Trac] #3243: Usermeta functions assume data to be pre-escaped
WordPress Trac
wp-trac at lists.automattic.com
Sat Oct 14 05:43:51 GMT 2006
#3243: Usermeta functions assume data to be pre-escaped
----------------------------+-----------------------------------------------
Reporter: markjaquith | Owner: markjaquith
Type: task | Status: new
Priority: normal | Milestone: 2.2
Component: Administration | Version: 2.1
Severity: normal | Keywords:
----------------------------+-----------------------------------------------
User meta functions assume that data passed to them is already escaped ({{{$wpdb->escape()}}}).
Post meta functions assume data is not already escaped.
I think we should move to a standardized way of doing this, and I think
the standard should be to expect unescaped data.
1. It is safer.
   a. Worst case scenario with assuming data to be unescaped is that it gets double slashed.
   b. Worst case scenario with assuming data to be '''escaped''' is an SQL injection vulnerability.
2. Post meta has been doing it this way, for a longer time, so less code
would have to change
3. It would allow code consolidation, in terms of handling
arrays/objects/strings, serialization, and escape.
4. Currently, things like First Name and Last Name are passed through
filters pre-slashed, which means that filters have to work around this.
Setting a milestone of 2.2
We can do this in trunk right after 2.1 ships, so that plugin authors will
have 4 months to adapt.
--
Ticket URL: <http://trac.wordpress.org/ticket/3243>
WordPress Trac <http://wordpress.org/>
WordPress blogging software
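As an added example that is not part of this ticket or of WordPress itself, the following PHP models the two contracts the ticket contrasts using stand-in functions (escape_sql, update_usermeta_expects_escaped, update_postmeta_expects_raw and unescaped_quote_count are all hypothetical, not the $wpdb API). It shows both worst cases: a raw value reaching the function that expects pre-escaped input leaves an odd number of unescaped quotes (a broken literal), while the opposite mismatch only double-slashes the stored value.

```php
<?php
// Added example, not WordPress code: a model of the two escaping contracts
// the ticket contrasts. escape_sql(), the two update_* functions and
// unescaped_quote_count() are hypothetical stand-ins, not the $wpdb API.

// Stand-in for $wpdb->escape(): backslash-escapes quotes and backslashes.
function escape_sql(string $value): string {
    return addslashes($value);
}

// Contract A (usermeta, as reported): the function trusts the caller to have
// escaped $value already and interpolates it verbatim.
function update_usermeta_expects_escaped(string $value): string {
    return "UPDATE wp_usermeta SET meta_value = '$value' WHERE meta_key = 'first_name'";
}

// Contract B (postmeta, and the proposed standard): the function escapes
// internally, so callers pass raw data.
function update_postmeta_expects_raw(string $value): string {
    return "UPDATE wp_postmeta SET meta_value = '" . escape_sql($value)
         . "' WHERE meta_key = 'first_name'";
}

// Counts single quotes not preceded by a backslash. A statement built from
// whole quoted literals has an even count; an odd count means a quote inside
// the data terminated a literal early.
function unescaped_quote_count(string $sql): int {
    return preg_match_all("/(?<!\\\\)'/", $sql);
}

$raw = "O'Brien";   // constructed input: ordinary data containing a quote

// Caller forgets the pre-escape contract: the quote in the data ends the
// literal. This is the SQL injection worst case the ticket describes.
$a = update_usermeta_expects_escaped($raw);
assert(unescaped_quote_count($a) % 2 === 1);

// Caller passes raw data to the self-escaping function: literal stays intact.
$b = update_postmeta_expects_raw($raw);
assert(unescaped_quote_count($b) % 2 === 0);

// Caller keeps the old contract against the new one: the value is escaped
// twice. The stored string would be O\'Brien instead of O'Brien (the
// "double slashed" worst case), but the statement is still well-formed.
$c = update_postmeta_expects_raw(escape_sql($raw));
assert(unescaped_quote_count($c) % 2 === 0);
assert(strpos($c, "O\\\\\\'Brien") !== false);

echo $a, "\n", $b, "\n", $c, "\n";
```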