[wp-trac] [WordPress Trac] #53998: Use network_home_url() instead of $_SERVER['HTTP_HOST'] for added safety.
WordPress Trac
noreply at wordpress.org
Tue Aug 24 23:29:09 UTC 2021
#53998: Use network_home_url() instead of $_SERVER['HTTP_HOST'] for added safety.
----------------------------------------------+----------------------------
Reporter: wp_kc | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Administration | Version: trunk
Severity: normal | Keywords: needs-design-feedback
Focuses: administration, coding-standards |
----------------------------------------------+----------------------------
Would it not be safer from XSS if uses of **$_SERVER['HTTP_HOST']** were
replaced with **network_home_url()**? It looks to me like
**network_home_url()** reads the server host name from the site settings
instead of relying on a possibly manipulated **$_SERVER['HTTP_HOST']**
value.
For example, I came across this code in /wp-admin/includes/class-wp-list-table.php...
{{{#!php
<?php
/**
* Displays the pagination.
*
* @since 3.1.0
*
* @param string $which
*/
protected function pagination( $which ) {
...
$current_url = set_url_scheme( 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] );
...
}
}}}
Wouldn't this be safer if it were re-written as...
{{{#!php
<?php
/**
* Displays the pagination.
*
* @since 3.1.0
*
* @param string $which
*/
protected function pagination( $which ) {
...
$current_url = network_home_url( $_SERVER['REQUEST_URI'] );
...
}
}}}
A search through the WP source code shows **$_SERVER['HTTP_HOST']** is
used 27 times across 15 files.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/53998>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
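As an added example (not code from the ticket, the reporter, or WordPress core), the following stand-alone PHP script contrasts the two constructions discussed above on a constructed request. `current_url_from_request()` reproduces the pattern quoted from class-wp-list-table.php; `current_url_from_config()` is a hypothetical stand-in for `network_home_url( $path )` that takes scheme, host and port from a configured home URL (assumed to sit at the domain root) and only the path and query from the request. It goes slightly beyond the ticket in two ways a practitioner would want: it shows that `REQUEST_URI` is still client data and needs output escaping regardless of where the host comes from (`htmlspecialchars()` stands in for `esc_url()` here), and it adds a host allow-list check for cases where the request host genuinely must be consulted. The request array, home URL and allow-list are constructed values.

```php
<?php
declare(strict_types=1);

// Added example, not WordPress core code. Contrasts a "current URL" built from
// the request's Host header with one built from the configured home URL, and
// shows that the request path still needs escaping on output. The request
// array and home URL are constructed; the function names are hypothetical.

/**
 * Pattern quoted from class-wp-list-table.php: set_url_scheme() fixes the
 * scheme up later, but the host is whatever the client sent as "Host:".
 */
function current_url_from_request(array $server): string
{
    return 'http://' . $server['HTTP_HOST'] . $server['REQUEST_URI'];
}

/**
 * Stand-in for network_home_url( $path ): scheme, host and port come from the
 * configured home URL (assumed here to be at the domain root), never from the
 * request. Only the path and query string are taken from REQUEST_URI.
 */
function current_url_from_config(string $home_url, array $server): string
{
    $parts = parse_url($home_url);
    if ($parts === false || empty($parts['host'])) {
        throw new InvalidArgumentException('configured home URL has no host');
    }
    $origin = ($parts['scheme'] ?? 'http') . '://' . $parts['host']
        . (isset($parts['port']) ? ':' . $parts['port'] : '');
    // Collapse leading slashes so a protocol-relative "//evil.example/..."
    // in REQUEST_URI cannot turn into a different origin.
    $path = '/' . ltrim($server['REQUEST_URI'] ?? '/', '/');
    return $origin . $path;
}

/**
 * If the request host must be used at all (e.g. several domains map to one
 * install), compare it against an explicit allow-list instead of trusting it.
 * A port suffix is stripped so "blog.example:8443" still matches.
 */
function request_host_is_allowed(array $server, array $allowed_hosts): bool
{
    $host = strtolower($server['HTTP_HOST'] ?? '');
    $host = (string) preg_replace('/:\d+$/', '', $host);
    return $host !== '' && in_array($host, $allowed_hosts, true);
}

// Constructed request: the client controls both the Host header and the path.
$request = [
    'HTTP_HOST'   => 'attacker.example',
    'REQUEST_URI' => '/wp-admin/edit.php?paged=2&x="><script>alert(1)</script>',
];
$home_url      = 'https://blog.example'; // value the site setting would hold
$allowed_hosts = ['blog.example'];

$from_request = current_url_from_request($request);
$from_config  = current_url_from_config($home_url, $request);

echo "from request : $from_request\n";
echo "from config  : $from_config\n";

// Changing where the host comes from does not sanitise REQUEST_URI: the path
// is still client data and must be escaped when echoed into an attribute
// (WordPress uses esc_url(); htmlspecialchars() is the plain-PHP stand-in).
echo 'escaped      : ' . htmlspecialchars($from_config, ENT_QUOTES, 'UTF-8') . "\n";

echo 'host allowed : '
    . (request_host_is_allowed($request, $allowed_hosts) ? 'yes' : 'no') . "\n";
```

Run with `php example.php`. The first line carries the attacker-chosen host, the second keeps the configured origin, and the third shows that the quote and angle brackets smuggled in through `REQUEST_URI` survive both constructions until output escaping is applied.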