[wp-trac] Re: [WordPress Trac] #3243: Usermeta and postmeta functions assume data to be pre-escaped

WordPress Trac wp-trac at lists.automattic.com
Fri Jun 26 12:00:52 GMT 2009


#3243: Usermeta and postmeta functions assume data to be pre-escaped
----------------------------+-----------------------------------------------
 Reporter:  markjaquith     |       Owner:  markjaquith      
     Type:  enhancement     |      Status:  accepted         
 Priority:  high            |   Milestone:  2.9              
Component:  Administration  |     Version:  2.1              
 Severity:  normal          |    Keywords:  needs-patch early
----------------------------+-----------------------------------------------

Comment(by hakre):

 With all my experiences in the whole codebase for the time being: I think
 it is pretty much important to get things solved to have data as the data
 (unescaped) and it must be escaped where applicable (IMHO only for sql-
 queries).

 This will clear a lot of points and remove security threats that are
 currently inside the code by design. The first big point I see is the
 overall handling of request variables. The next big point I see is the
 faulty database escaping.

 "Real" data (which means unescaped) will additionally help to handle
 things straight in the future. Also there is no need to document that much
 with each function, because it is just normal to have data unescaped by
 default.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/3243#comment:13>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
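The two contracts the comment contrasts, shown as an added illustration that is not WordPress code and not part of the ticket: a meta writer that assumes its input is already SQL-escaped next to one that takes the real value and escapes it exactly once, at the query boundary. It assumes PHP with the pdo_sqlite extension; the table name, function names and sample value are invented, and SQLite escapes quotes by doubling them rather than with MySQL's backslashes, but the failure modes are the same.

```php
<?php
// Added illustration, not WordPress code. Assumes the pdo_sqlite extension;
// table name, function names and the sample value are invented.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE meta (meta_key TEXT PRIMARY KEY, meta_value TEXT)');

// Legacy contract (what the ticket criticises): $value must already be
// escaped by the caller; the function pastes it into the SQL text as-is.
function legacy_update_meta(PDO $db, string $key, string $value): void
{
    $db->exec("REPLACE INTO meta (meta_key, meta_value) VALUES ('$key', '$value')");
}

// Proposed contract: $value is the real, unescaped data; the database layer
// is the only place that escapes, here by binding a parameter.
function update_meta(PDO $db, string $key, string $value): void
{
    $stmt = $db->prepare('REPLACE INTO meta (meta_key, meta_value) VALUES (?, ?)');
    $stmt->execute([$key, $value]);
}

function get_meta(PDO $db, string $key): ?string
{
    $stmt = $db->prepare('SELECT meta_value FROM meta WHERE meta_key = ?');
    $stmt->execute([$key]);
    $value = $stmt->fetchColumn();
    return $value === false ? null : $value;
}

// SQLite-style literal escaping, standing in for the caller-side escaping
// the legacy contract expects.
function pre_escape(string $s): string
{
    return str_replace("'", "''", $s);
}

$raw = "O'Reilly";   // constructed sample value

// 1. Caller forgets the contract: the quote terminates the literal and the
//    statement is rejected (a crafted value would do more than fail).
try {
    legacy_update_meta($db, 'author', $raw);
} catch (PDOException $e) {
    echo "legacy, raw input:     query rejected\n";
}

// 2. Caller honours the contract, but an earlier layer (request handling
//    that pre-escapes, as the comment describes) has already escaped the
//    value once: the second escaping survives into the stored data.
legacy_update_meta($db, 'author', pre_escape(pre_escape($raw)));
echo "legacy, escaped twice: ", get_meta($db, 'author'), "\n";

// 3. Real data in, real data out: escaped once where the SQL is built.
update_meta($db, 'author', $raw);
echo "boundary escaping:     ", get_meta($db, 'author'), "\n";
```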