[wp-trac] [WordPress Trac] #39865: Escaping functions have filters that allow them to be bypassed
WordPress Trac
noreply at wordpress.org
Mon Feb 13 23:46:39 UTC 2017
#39865: Escaping functions have filters that allow them to be bypassed
-------------------------------+------------------------------
Reporter: welcher | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Formatting | Version: trunk
Severity: normal | Resolution:
Keywords: 2nd-opinion close | Focuses:
-------------------------------+------------------------------
Changes (by dd32):
* keywords: => 2nd-opinion close
Comment:
I really feel this is by-design and should NOT be changed. We shouldn't
pretend that WordPress operates in a clean sandboxed mode where code can
only change what it is expected to.
Everything is filterable in WordPress. Using filters within escaping
functions allows for enhancing escaping functions where needed, but they
also make it easier to selectively undo it for certain edge-cases when
needed - knowing the input text is required there. If people need to use
the parameter, they're going to use it even if deprecated; otherwise the
only option would be a hacky workaround.
If malicious code wanted to output non-escaped text in a location where
`esc_html()` was used, there'd be numerous ways it could achieve it - the
simplest would be to output the content upon one of the many filters which
is probably called within what is going into `esc_html()`.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/39865#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
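Since the filters inside the escaping functions are by design, the practical defensive measure is visibility: knowing which callbacks are attached to them at runtime. The following must-use plugin is an added example, not code from the ticket or from WordPress core. It assumes it is dropped into `wp-content/mu-plugins/` on a WordPress 4.7+ site (where hooks are `WP_Hook` objects with a public `callbacks` array) and that the hook names listed in `ESC_AUDIT_HOOKS` are the ones each escaping function applies, which is the case for core at the time of the ticket. Function names prefixed `esc_audit_` are the example's own.

```php
<?php
/**
 * Plugin Name: Escaping Hook Audit (illustrative mu-plugin)
 * Description: At shutdown, logs every callback attached to the filters that run
 *              inside WordPress escaping functions, so unexpected hooks stand out.
 */

// Map of escaping function => filter it applies to its own output.
// (Assumption: accurate for WordPress core; verify against wp-includes/formatting.php.)
const ESC_AUDIT_HOOKS = array(
    'esc_html'     => 'esc_html',
    'esc_attr'     => 'attribute_escape',
    'esc_textarea' => 'esc_textarea',
    'esc_url'      => 'clean_url',
    'esc_js'       => 'js_escape',
);

/**
 * Render a hook callback as a readable string, including the defining file
 * and line for closures, so a reviewer can locate where it was registered.
 */
function esc_audit_describe_callback( $function ) {
    if ( $function instanceof Closure ) {
        $ref = new ReflectionFunction( $function );
        return sprintf( 'closure defined in %s:%d', $ref->getFileName(), $ref->getStartLine() );
    }
    if ( is_array( $function ) ) {
        $target = is_object( $function[0] ) ? get_class( $function[0] ) : (string) $function[0];
        return $target . '::' . $function[1];
    }
    return (string) $function;
}

/**
 * Collect one line per callback registered on an escaping-function filter.
 * Returns an empty array when nothing is hooked (the expected state on most sites).
 */
function esc_audit_collect() {
    global $wp_filter;
    $findings = array();

    foreach ( ESC_AUDIT_HOOKS as $escaper => $hook ) {
        if ( ! isset( $wp_filter[ $hook ] ) || ! ( $wp_filter[ $hook ] instanceof WP_Hook ) ) {
            continue;
        }
        // WP_Hook::$callbacks is priority => array of ['function' => callable, 'accepted_args' => int].
        foreach ( $wp_filter[ $hook ]->callbacks as $priority => $callbacks ) {
            foreach ( $callbacks as $cb ) {
                $findings[] = sprintf(
                    '%s() output filter "%s" at priority %d: %s',
                    $escaper,
                    $hook,
                    $priority,
                    esc_audit_describe_callback( $cb['function'] )
                );
            }
        }
    }
    return $findings;
}

// Run late so plugins and the theme have finished registering their hooks.
add_action( 'shutdown', function () {
    foreach ( esc_audit_collect() as $line ) {
        error_log( '[esc-audit] ' . $line );
    }
} );
```

On a clean install nothing is logged; any `[esc-audit]` line in the PHP error log names a plugin or theme file that rewrites escaped output, which is exactly the set of code a reviewer should read before trusting that `esc_html()` and friends still mean what they appear to mean.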