[wp-trac] Re: [WordPress Trac] #7386: clean_url() shouldn't touch dollar, asterisk or single quote characters
WordPress Trac
wp-trac at lists.automattic.com
Thu Aug 7 05:13:13 GMT 2008
#7386: clean_url() shouldn't touch dollar, asterisk or single quote characters
-----------------------+----------------------------------------------------
Reporter: sambauers | Owner: anonymous
Type: defect | Status: new
Priority: low | Milestone: 2.7
Component: General | Version: 2.6
Severity: minor | Resolution:
Keywords: has-patch |
-----------------------+----------------------------------------------------
Comment (by jacobsantos):
Replying to [comment:3 markjaquith]:
> That's a silly thing to require. A href attribute contained within
> single quotes is valid (X)HTML.
Yes, but invalid if the URL also contains a single quote. Since single
quotes are valid in URLs, and it is therefore reasonable that they would be
displayed, it should be assumed that any given URL can have one, and
therefore the href should always use double quotes to prevent invalid
(X)HTML and XSS attacks.
--
Ticket URL: <http://trac.wordpress.org/ticket/7386#comment:4>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
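The quoting problem discussed in this comment, as an added example that is not part of the thread or of WordPress: a single-quoted href whose URL contains an apostrophe ends the attribute early, while escaping the value at output time (instead of stripping legal URL characters) keeps the attribute intact under either delimiter. `SAMPLE_URL` is a constructed value.

```python
# Added example (not WordPress code): attribute-context escaping versus stripping.
import html
import re

# Constructed sample URL; the apostrophe and dollar sign are legal URL characters.
SAMPLE_URL = "http://example.com/o'reilly/report?cost=$5&view=full"


def naive_href(url, quote="'"):
    """Wrap the raw URL in the given delimiter with no escaping (the risky pattern)."""
    return f"<a href={quote}{url}{quote}>link</a>"


def escape_attr(value):
    """Escape the characters that matter inside an HTML attribute value.

    Both quote kinds are escaped, so the result is safe whether the caller
    delimits the attribute with ' or with ".
    """
    return (value.replace("&", "&amp;")
                 .replace('"', "&quot;")
                 .replace("'", "&#039;")
                 .replace("<", "&lt;")
                 .replace(">", "&gt;"))


def safe_href(url, quote="'"):
    """Same markup as naive_href, but with the value escaped for attribute context."""
    return f"<a href={quote}{escape_attr(url)}{quote}>link</a>"


# Reads the attribute the way a browser does: the value runs up to the next
# occurrence of whichever delimiter opened it.
_ATTR = re.compile(r"""href=(?:'([^']*)'|"([^"]*)")""")


def extract_href(markup):
    """Return the decoded href value a parser would see in the markup."""
    m = _ATTR.search(markup)
    raw = m.group(1) if m.group(1) is not None else m.group(2)
    return html.unescape(raw)


def attribute_intact(markup):
    """True if the attribute closes exactly at the tag's '>', i.e. no part of the
    URL leaked out of the attribute value into tag context."""
    m = _ATTR.search(markup)
    return markup[m.end():].startswith(">")
```

With a single-quoted delimiter the naive form yields `href='http://example.com/o'` and the rest of the URL spills into the tag; the escaped form round-trips the full URL under either delimiter.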