[wp-trac] Re: [WordPress Trac] #8767: Refactored filters to avoid
potential XSS attacks
WordPress Trac
wp-trac at lists.automattic.com
Mon Jan 5 14:06:07 GMT 2009
#8767: Refactored filters to avoid potential XSS attacks
-------------------------------------------+--------------------------------
Reporter: sambauers | Owner: ryan
Type: defect (bug) | Status: new
Priority: high | Milestone: 2.7.1
Component: Security | Version: 2.7
Severity: major | Resolution:
Keywords: has-patch, needs-testing, XSS |
-------------------------------------------+--------------------------------
Comment (by link92):
Replying to [comment:13 sambauers]:
> Replying to [comment:12 link92]:
> > Also, there are plenty of copies of PHP with a PCRE that doesn't have
Unicode support enabled at all. This has been a fair issue for Habari
(which requires PHP 5.2.x), I imagine it'll be a lot worse for something
that requires PHP 4.3.0.
>
> I would think that we just need examples of how these fail so we can do
it gracefully instead. I doubt we would build alternatives for them
though.
Off the top of my head, any PCRE just silently fails to match anything,
which without iconv would make this patch a huge void hole.
--
Ticket URL: <http://trac.wordpress.org/ticket/8767#comment:14>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
More information about the wp-trac
mailing list