[wp-trac] Re: [WordPress Trac] #3243: Usermeta and postmeta functions assume data to be pre-escaped
WordPress Trac
wp-trac at lists.automattic.com
Fri Jun 26 12:00:52 GMT 2009
#3243: Usermeta and postmeta functions assume data to be pre-escaped
----------------------------+-----------------------------------------------
Reporter: markjaquith | Owner: markjaquith
Type: enhancement | Status: accepted
Priority: high | Milestone: 2.9
Component: Administration | Version: 2.1
Severity: normal | Keywords: needs-patch early
----------------------------+-----------------------------------------------
Comment(by hakre):
With all my experiences in the whole codebase for the time being: I think
it is pretty much important to get things solved to have data as the data
(unescaped) and it must be escaped where applicable (IMHO only for SQL
queries).
This will clear a lot of points and remove security threats that are
currently inside the code by design. The first big point I see is the
overall handling of request variables. The next big point I see is the
faulty database escaping.
"Real" data (which means unescaped) will additionally help to handle
things straight in the future. Also there is no need to document that much
with each function, because it is just normal to have data unescaped by
default.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/3243#comment:13>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
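An added illustration of the contract the comment argues for, not code from the ticket or from WordPress: Python with an in-memory SQLite table standing in for postmeta, a legacy function that assumes its input is pre-escaped, and a fixed one that takes plain data and escapes exactly once at the SQL boundary. `sql_escape()` is a constructed stand-in for the caller-side pre-escaping the old contract expected.

```python
import sqlite3


def new_store():
    """Constructed stand-in for the postmeta table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE postmeta (post_id INTEGER, meta_key TEXT, meta_value TEXT)")
    return conn


def sql_escape(value):
    """Caller-side pre-escaping for SQLite literals (double the single quote).
    Under the legacy contract every caller had to remember to do this."""
    return value.replace("'", "''")


def legacy_add_meta(conn, post_id, key, value):
    """Legacy contract: `value` is assumed pre-escaped and is spliced into the SQL.
    Any caller that forgets the escaping step breaks the query (or worse)."""
    conn.execute(f"INSERT INTO postmeta VALUES ({post_id}, '{key}', '{value}')")


def add_meta(conn, post_id, key, value):
    """Fixed contract: `value` is plain, unescaped data; the driver escapes it once."""
    conn.execute("INSERT INTO postmeta VALUES (?, ?, ?)", (post_id, key, value))


def get_meta(conn, post_id, key):
    row = conn.execute("SELECT meta_value FROM postmeta WHERE post_id=? AND meta_key=?",
                       (post_id, key)).fetchone()
    return row[0] if row else None


def demo():
    raw = "O'Reilly"  # constructed sample value containing a quote
    results = {}
    conn = new_store()  # 1. legacy API, caller passes raw data: statement is malformed
    try:
        legacy_add_meta(conn, 1, "author", raw)
        results["legacy_raw"] = get_meta(conn, 1, "author")
    except sqlite3.OperationalError:
        results["legacy_raw"] = "ERROR"
    conn = new_store()  # 2. legacy API, caller remembered to pre-escape: round-trips
    legacy_add_meta(conn, 1, "author", sql_escape(raw))
    results["legacy_pre_escaped"] = get_meta(conn, 1, "author")
    conn = new_store()  # 3. fixed API but caller still pre-escapes: stored double-escaped
    add_meta(conn, 1, "author", sql_escape(raw))
    results["fixed_double"] = get_meta(conn, 1, "author")
    conn = new_store()  # 4. fixed API with plain data: round-trips, nothing to remember
    add_meta(conn, 1, "author", raw)
    results["fixed_raw"] = get_meta(conn, 1, "author")
    return results
```

Case 3 is the mixed state the ticket warns about: once some callers pre-escape and some do not, stored values become inconsistent and every function has to document which convention it expects.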