[wp-trac] Re: [WordPress Trac] #8767: Refactored filters to avoid
potential XSS attacks
WordPress Trac
wp-trac at lists.automattic.com
Wed Dec 31 15:50:44 GMT 2008
#8767: Refactored filters to avoid potential XSS attacks
-------------------------------------------+--------------------------------
Reporter: sambauers | Owner: ryan
Type: defect (bug) | Status: new
Priority: high | Milestone: 2.7.1
Component: Security | Version: 2.7
Severity: major | Resolution:
Keywords: has-patch, needs-testing, XSS |
-------------------------------------------+--------------------------------
Comment (by miqrogroove):
{{{
+ if ( 'single' === $quote_style ) {
+ $string = str_replace( '"', '"',
$string );
+ }
+ }
+ $string = htmlspecialchars( $string, $_quote_style,
$charset );
+ }
}}}
This part of your patch would convert every double quote in $string to
" which could look pretty ugly in form fields.
Also it seems unrealistic to propose such drastic changes for 2.7.1 given
its due date is less than two weeks.
--
Ticket URL: <http://trac.wordpress.org/ticket/8767#comment:1>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
More information about the wp-trac
mailing list