[wp-trac] Re: [WordPress Trac] #3299: clean_url() not working for non-HTTP URLS

WordPress Trac wp-trac at lists.automattic.com
Mon Jul 2 13:07:51 GMT 2007


#3299: clean_url() not working for non-HTTP URLS
-------------------------+--------------------------------------------------
 Reporter:  redclown     |        Owner:  pishmishy   
     Type:  defect       |       Status:  assigned    
 Priority:  normal       |    Milestone:  2.4 (future)
Component:  General      |      Version:  2.3         
 Severity:  normal       |   Resolution:              
 Keywords:  needs-patch  |  
-------------------------+--------------------------------------------------
Comment (by JeremyVisser):

 Replying to [comment:8 westi]:
 > -1 to current patch
 >
 > If we are to support other types of url in clean_url then they should be
 > whitelisted.
 >
 > clean_url is used to sanitise things like commenter urls so we must
 > ensure that things like javascript cannot be used to stop possible XSS
 > attacks.

 Ooh, yeah, like {{{javascript:alert(document.cookie)}}} links.

-- 
Ticket URL: <http://trac.wordpress.org/ticket/3299#comment:10>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
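
The scheme whitelist westi asks for, written out as an added example. This is
not WordPress's clean_url() and not code from the ticket; the function name
example_clean_url(), its default whitelist, and the sample inputs at the bottom
are assumptions chosen for illustration. It shows why a whitelist has to be
applied after the same normalisation a browser performs (entity decoding and
dropping control characters), otherwise "&#106;avascript:" or "java<TAB>script:"
walk straight past a naive "starts with javascript:" check.

```php
<?php
// Added example of a scheme-whitelisting URL sanitiser. NOT WordPress's
// clean_url(); function name and default whitelist are assumptions.

/**
 * Return $url if it has no scheme or a whitelisted one, otherwise ''.
 * The return value is HTML-escaped, so it can go straight into href="...".
 */
function example_clean_url(string $url, array $allowed = ['http', 'https', 'ftp', 'mailto']): string
{
    $url = trim($url);
    if ($url === '') {
        return '';
    }

    // Normalise the way a browser will before it interprets the scheme:
    //  1. decode HTML entities   ("&#106;avascript:" and "javascript&colon;" -> "javascript:")
    //  2. drop control characters ("java\tscript:" and "java\nscript:"     -> "javascript:")
    $probe = html_entity_decode($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $probe = preg_replace('/[\x00-\x1f\x7f]+/', '', $probe);

    // A scheme is a leading run of [a-z0-9+.-] (starting with a letter) followed by ':'.
    // Anything without that shape ("/path", "//host/x", "page.html") is treated as
    // relative and allowed; anything with it must be on the whitelist.
    if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $probe, $m)) {
        if (!in_array(strtolower($m[1]), $allowed, true)) {
            return '';   // javascript:, data:, vbscript:, file:, ... all land here
        }
    }

    // Re-escape for attribute context; '&' becomes '&amp;', quotes are neutralised.
    return htmlspecialchars($probe, ENT_QUOTES, 'UTF-8');
}

// Constructed sample inputs (not taken from the ticket) exercising the check.
$samples = [
    'http://example.com/?a=1&b=2',
    'mailto:someone@example.com',
    '/relative/path',
    'javascript:alert(document.cookie)',
    'JaVaScRiPt:alert(1)',
    "java\tscript:alert(1)",
    '&#106;avascript:alert(1)',
    'javascript&colon;alert(1)',
    'data:text/html,<script>alert(1)</script>',
];

foreach ($samples as $s) {
    printf("%-45s => %s\n", addcslashes($s, "\t\n"), var_export(example_clean_url($s), true));
}
```

With the defaults above, the first three samples come back (the first with
"&amp;" in place of "&"); every javascript:, obfuscated javascript:, and data:
sample comes back as the empty string. Widening support to a new kind of link
means adding its scheme to $allowed, not loosening the check.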
