[wp-trac] [WordPress Trac] #19373: wp_insert_post() should not contain current_user_can() checks
WordPress Trac
noreply at wordpress.org
Wed Sep 25 01:51:15 UTC 2013
#19373: wp_insert_post() should not contain current_user_can() checks
---------------------------------+------------------
Reporter: alexkingorg | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: 3.7
Component: Taxonomy | Version: 3.0
Severity: major | Resolution:
Keywords: has-patch 3.7-early |
---------------------------------+------------------
Comment (by nacin):
I'm ALL for fixing this. I strongly agree with the new parameter,
otherwise this would be susceptible to skipping sanitization when
`wp_insert_post()` is called with `$_POST`.
But, I'm a bit — well, very — concerned about avoiding sanitize_post()
altogether. We (and possibly plugins) use the various filters there to
handle other safety measures, including sanitizing the post_type,
post_status, post_mime_type, comment_status, ping_status, and guid fields.
We're talking avoiding XSS via these fields and such. This isn't a
situation where stuff is "sometimes" invalid (i.e. kses), but always
invalid.
That said, I think this is salvageable. Rather than skipping
sanitize_post(), let's call kses_remove_filters() before, and kses_init()
after. Thoughts?
Finally, [attachment:wp-19373-20130728-refresh.diff] seems to introduce a
new error condition. This is in light of kovshenin's feedback. But I think
it is tangential to the issue here. There is nothing actually wrong with
post_author = 0, especially for custom post types. If it doesn't work in
core, maybe it should. (I would not be surprised if you're able to find a
trac comment from me saying it shouldn't be allowed because X.)
Point is, there's no reason to change this here. Even without this patch,
it's possible to insert post_author = 0 when there is no current user.
Let's address the desire to avoid post_author = 0 in a new ticket?
--
Ticket URL: <http://core.trac.wordpress.org/ticket/19373#comment:31>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
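The pattern nacin suggests above (keep sanitize_post() in place, and only remove the kses content filters around the insert) as an added example. This is not code from the ticket's patch or from WordPress core; it assumes a loaded WordPress environment where wp_insert_post(), kses_remove_filters(), kses_init() and is_wp_error() are available, and the helper name insert_trusted_post() and its $trusted flag are this example's own, not the parameter the patch adds.

```php
<?php
/**
 * Added example (not from the ticket or WordPress core).
 *
 * Inserts a post while keeping sanitize_post() active. For trusted,
 * programmatic content only the kses content filters are removed for the
 * duration of the call; the field-level sanitization of post_type,
 * post_status, post_mime_type, comment_status, ping_status and guid that
 * sanitize_post() performs inside wp_insert_post() still runs.
 *
 * Assumes a loaded WordPress environment. insert_trusted_post() and
 * $trusted are hypothetical names chosen for this example.
 */
function insert_trusted_post( array $postarr, bool $trusted = false ) {
    if ( ! $trusted ) {
        // Untrusted input (anything derived from $_POST) keeps the full
        // pipeline: sanitize_post() plus the kses content filters, which
        // kses_init() selects based on the current user's capabilities.
        return wp_insert_post( $postarr, true );
    }

    // Trusted content: drop only the kses content filters. This is the
    // alternative to skipping sanitize_post() entirely, which would also
    // skip the filters that reject always-invalid values in the fields above.
    kses_remove_filters();
    try {
        return wp_insert_post( $postarr, true );
    } finally {
        // Always reinstate the filters, even on failure, so nothing else in
        // this request runs unfiltered. kses_init() re-adds them unless the
        // current user has the unfiltered_html capability.
        kses_init();
    }
}

// Usage with constructed data, e.g. an import script inserting trusted HTML.
$result = insert_trusted_post(
    array(
        'post_title'   => 'Imported page',
        'post_content' => '<iframe src="https://example.com/embed"></iframe>',
        'post_status'  => 'draft',
        'post_type'    => 'page',
    ),
    true
);

if ( is_wp_error( $result ) ) {
    error_log( 'Insert failed: ' . $result->get_error_message() );
}
```

The try/finally guarantees kses_init() runs after wp_insert_post() returns or throws, so the filter set is never left in the removed state for the rest of the request; the second argument to wp_insert_post() requests a WP_Error on failure rather than 0, so the caller can tell a rejected insert from a valid post ID.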