[wp-trac] Re: [WordPress Trac] #8767: Refactored filters to avoid potential XSS attacks

WordPress Trac wp-trac at lists.automattic.com
Sat Jan 3 00:49:54 GMT 2009


#8767: Refactored filters to avoid potential XSS attacks
-------------------------------------------+--------------------------------
 Reporter:  sambauers                      |        Owner:  ryan 
     Type:  defect (bug)                   |       Status:  new  
 Priority:  high                           |    Milestone:  2.7.1
Component:  Security                       |      Version:  2.7  
 Severity:  major                          |   Resolution:       
 Keywords:  has-patch, needs-testing, XSS  |  
-------------------------------------------+--------------------------------
Comment (by sambauers):

 Replying to [comment:3 miqrogroove]:
 > I'm also concerned about the return ''; statements.  This is not typical
 > of UTF-8 sanitizers.

 If wp_check_invalid_utf8() encounters bad UTF8 the default behaviour is to
 return an empty string. It can also attempt to strip the bad chars if
 desired, but the default is more secure. Bad UTF8 chars in a UTF8 poor
 browser (like IE6) can do very unpredictable things, so blanking the
 string is the best approach.

 In that sense it is less like a sanitiser and more like a validator.

-- 
Ticket URL: <http://trac.wordpress.org/ticket/8767#comment:4>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
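The two behaviours sambauers describes (reject the whole value by default, strip the bad bytes only when asked) in a small stand-alone PHP function. This is an added illustration, not the ticket's patch and not WordPress's own wp_check_invalid_utf8(); the function name example_check_invalid_utf8, the $strip parameter and the sample inputs are constructed for this example.

```php
<?php
// Added example, not WordPress's wp_check_invalid_utf8(): a validator that
// returns '' on any malformed UTF-8 by default, and only when $strip is true
// drops the malformed bytes and keeps the rest.
function example_check_invalid_utf8( $string, $strip = false ) {
    $string = (string) $string;
    if ( '' === $string ) {
        return '';
    }

    // Each alternative matches exactly one well-formed UTF-8 character
    // (the byte ranges from RFC 3629), so overlong forms, UTF-16 surrogates
    // and sequences above U+10FFFF do not match and are treated as invalid.
    // No /u modifier: the pattern is applied byte by byte on purpose.
    $utf8_char = '/[\x00-\x7F]'
        . '|[\xC2-\xDF][\x80-\xBF]'
        . '|\xE0[\xA0-\xBF][\x80-\xBF]'
        . '|[\xE1-\xEC\xEE\xEF][\x80-\xBF]{2}'
        . '|\xED[\x80-\x9F][\x80-\xBF]'
        . '|\xF0[\x90-\xBF][\x80-\xBF]{2}'
        . '|[\xF1-\xF3][\x80-\xBF]{3}'
        . '|\xF4[\x80-\x8F][\x80-\xBF]{2}/';

    // Collect only the well-formed characters; anything that did not match
    // (a stray byte, a truncated sequence) is left out of $clean.
    preg_match_all( $utf8_char, $string, $matches );
    $clean = implode( '', $matches[0] );

    if ( $clean === $string ) {
        return $string; // every byte was part of a valid sequence
    }

    // Validator behaviour (default): discard the whole value rather than
    // guess how a lenient browser would decode the bad bytes.
    // Sanitizer behaviour ($strip = true): keep the valid characters.
    return $strip ? $clean : '';
}

// Constructed sample inputs for the demonstration.
$samples = array(
    'valid'         => "caf\xC3\xA9",    // "café", well-formed
    'stray_byte'    => "abc\xFFdef",      // 0xFF never occurs in UTF-8
    'truncated_seq' => "abc\xE2\x82",     // 3-byte sequence cut short
    'overlong'      => "abc\xC0\xAFdef",  // overlong encoding of '/'
);

foreach ( $samples as $label => $input ) {
    printf(
        "%-14s default=%s strip=%s\n",
        $label,
        var_export( example_check_invalid_utf8( $input ), true ),
        var_export( example_check_invalid_utf8( $input, true ), true )
    );
}
```

Run it with `php example.php`: only the well-formed sample comes back unchanged in the default mode, while the three malformed samples come back as '' by default and as their valid characters only (for instance "abcdef" for the stray byte) when $strip is true. Deciding validity by comparing the stripped result with the input means a single regex serves both the validator and the sanitiser paths, so the two cannot disagree about what counts as bad input.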

