[wp-trac] Re: [WordPress Trac] #3299: clean_url() not working for non-HTTP URLS
WordPress Trac
wp-trac at lists.automattic.com
Mon Jul 2 13:07:51 GMT 2007
#3299: clean_url() not working for non-HTTP URLS
-------------------------+--------------------------------------------------
Reporter: redclown | Owner: pishmishy
Type: defect | Status: assigned
Priority: normal | Milestone: 2.4 (future)
Component: General | Version: 2.3
Severity: normal | Resolution:
Keywords: needs-patch |
-------------------------+--------------------------------------------------
Comment (by JeremyVisser):
Replying to [comment:8 westi]:
> -1 to current patch
>
> If we are to support other types of url in clean_url then they should be
> whitelisted.
>
> clean_url is used to sanitise things like commenter urls so we must
> ensure that things like javascript cannot be used, to stop possible XSS
> attacks.
Ooh, yeah, like {{{javascript:alert(document.cookie)}}} links.
--
Ticket URL: <http://trac.wordpress.org/ticket/3299#comment:10>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
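The scheme-whitelist approach westi argues for above, as an added example: this is not WordPress's clean_url() and the function and constant names are hypothetical. It decodes HTML entities and strips ASCII whitespace/control characters before reading the scheme, so disguised forms of a javascript: link are still caught, and it keeps scheme-less (relative) URLs.

```php
<?php
// Added example (not WordPress's clean_url()): whitelist URL schemes instead
// of trying to blacklist dangerous ones. Names here are hypothetical.

// Everything not listed (javascript:, data:, vbscript:, ...) is rejected.
const ALLOWED_SCHEMES = ['http', 'https', 'ftp', 'mailto'];

/**
 * Return $url unchanged if its scheme is whitelisted or it has no scheme
 * (a relative URL such as "/about"); return '' otherwise.
 */
function sanitize_url_scheme(string $url): string
{
    // Decode entities first so "javascript&#58;alert(1)" is inspected as
    // "javascript:alert(1)" rather than looking scheme-less.
    $decoded = html_entity_decode($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // Browsers ignore ASCII whitespace and control characters inside the
    // scheme ("java\tscript:", " javascript:"), so strip them before testing.
    $normalized = preg_replace('/[\x00-\x20\x7F]+/', '', $decoded);

    // A leading scheme token followed by ':' means an explicit scheme.
    if (!preg_match('/^([a-z][a-z0-9+.\-]*):/i', $normalized, $m)) {
        // No scheme at all: relative or protocol-relative URL, keep it.
        return $url;
    }

    $scheme = strtolower($m[1]);
    return in_array($scheme, ALLOWED_SCHEMES, true) ? $url : '';
}

// Constructed sample inputs: a commenter URL, a relative link and three
// disguised javascript: links (mixed case, embedded tab, entity-encoded colon).
foreach ([
    'http://example.com/',
    '/wp-admin/',
    'JaVaScRiPt:alert(document.cookie)',
    "java\tscript:alert(1)",
    'javascript&#58;alert(1)',
] as $candidate) {
    printf("%-40s => %s\n", json_encode($candidate),
        var_export(sanitize_url_scheme($candidate), true));
}
```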