[wp-trac] Re: [WordPress Trac] #3299: clean_url() not working for non-HTTP URLS

WordPress Trac wp-trac at lists.automattic.com
Mon Jul 2 13:07:51 GMT 2007

#3299: clean_url() not working for non-HTTP URLS
 Reporter:  redclown     |        Owner:  pishmishy   
     Type:  defect       |       Status:  assigned    
 Priority:  normal       |    Milestone:  2.4 (future)
Component:  General      |      Version:  2.3         
 Severity:  normal       |   Resolution:              
 Keywords:  needs-patch  |  
Comment (by JeremyVisser):

 Replying to [comment:8 westi]:
 > -1 to current patch
 > If we are to support other types of url in clean_url then they should be
 > clean_url is used to sanitise things like commenter urls so we must
 > ensure that things like javascript cannot be used to stop possible XSS

 Ooh, yeah, like {{{javascript:alert(document.cookie)}}} links.

Ticket URL: <http://trac.wordpress.org/ticket/3299#comment:10>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
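
The scheme check the quoted comment asks for, sketched as an added example (not WordPress's clean_url() and not code from this ticket): non-HTTP schemes are accepted only from an allowlist, so `javascript:` links are rejected. The helper name `example_clean_url` and the scheme list are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helper, not WordPress's clean_url().
// The scheme list below is an assumption chosen for illustration.
const EXAMPLE_ALLOWED_SCHEMES = ['http', 'https', 'ftp', 'mailto', 'irc'];

function example_clean_url(string $url): string
{
    $url = trim($url);

    // Fail closed on control characters or embedded whitespace: browsers
    // may drop them while parsing, so the scheme checked here would not be
    // the scheme the browser acts on.
    if ($url === '' || preg_match('/[\x00-\x20\x7f]/', $url)) {
        return '';
    }

    // A scheme is everything before the first ':' provided that ':' comes
    // before any '/', '?' or '#'. Otherwise the URL is relative.
    if (preg_match('/^([^:\/?#]*):/', $url, $m)) {
        $scheme = strtolower($m[1]);
        if (!in_array($scheme, EXAMPLE_ALLOWED_SCHEMES, true)) {
            return '';
        }
    }

    // Escape for use inside an HTML attribute such as href="...".
    return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
}

// Constructed sample inputs.
$samples = [
    'http://example.org/?a=1&b=2',
    'mailto:someone@example.org',
    'ftp://ftp.example.org/pub/',
    'javascript:alert(document.cookie)',
    'JavaScript:alert(document.cookie)',
    '/relative/path',
];
foreach ($samples as $s) {
    $out = example_clean_url($s);
    printf("%-36s => %s\n", $s, $out === '' ? '(rejected)' : $out);
}
```

The allowlist decides by scheme name rather than by trying to recognise dangerous ones, so a scheme nobody thought to block is rejected by default.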
