[wp-trac] [WordPress Trac] #34631: Extra compat for mbstring: mb_strpos()
WordPress Trac
noreply at wordpress.org
Thu Jul 25 19:49:10 UTC 2024
#34631: Extra compat for mbstring: mb_strpos()
-------------------------------------------------+-------------------------
Reporter: Cybr | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Charset | Version: 4.4
Severity: normal | Resolution:
Keywords: has-patch needs-testing close 2nd-opinion | Focuses:
-------------------------------------------------+-------------------------
Comment (by Cybr):
Hi @desrosj,
Thank you for sharing that information. Where can I access those numbers?
It's critical for plugin developers to know these. We cannot keep
developing in the dark or be forced to inject spyware into our users'
sites.
Still, 0.59% of [https://wordpress.org/download/counter/ 41 million]
active sites still amounts to 242,000 sites not having `mbstring` support,
many of which are subjected to
[https://wpdirectory.net/search/01J3NPGGZF0Z6WZXERJ3AJTVVW inconsistent
and inaccurate polyfills implemented by plugin authors]. Too many of these
polyfills simply fall back to `strpos()`, which can incur security issues
when one relies on it to locate XML/HTML, as some do:
[https://wpdirectory.net/search/01J3NPN78RFRDJXHP6TM1YVP3S (1)]
[https://wpdirectory.net/search/01J3NPPJ5DNBQK004EBMG3DTN7 (2)].
--
Ticket URL: <https://core.trac.wordpress.org/ticket/34631#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
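
Added example, not part of the original message and not WordPress core or plugin code: it shows one way a `strpos()` fallback differs from `mb_strpos()` when locating markup, namely that `strpos()` returns a byte offset while callers using character-based functions expect a character offset. All function names are hypothetical, the input is constructed, and valid UTF-8 with a non-negative offset is assumed.

```php
<?php
// Added example. Function names are hypothetical; sample input is constructed.

// The fallback pattern described in the comment: returns a BYTE offset.
function example_naive_mb_strpos(string $haystack, string $needle, int $offset = 0) {
    return strpos($haystack, $needle, $offset);
}

// Character-based substr for UTF-8 without mbstring (stand-in for mb_substr()).
function example_utf8_substr(string $str, int $start, ?int $length = null): string {
    $chars = preg_split('//u', $str, -1, PREG_SPLIT_NO_EMPTY);
    if ($chars === false) {
        return ''; // invalid UTF-8: refuse to guess at character boundaries
    }
    return implode('', array_slice($chars, $start, $length));
}

// UTF-8 aware polyfill: returns a CHARACTER offset, as mb_strpos() does.
function example_utf8_strpos(string $haystack, string $needle, int $offset = 0) {
    // Translate the caller's character offset into a byte offset for strpos().
    $byte_offset = strlen(example_utf8_substr($haystack, 0, $offset));
    $byte_pos    = strpos($haystack, $needle, $byte_offset);
    if ($byte_pos === false) {
        return false;
    }
    // Count every byte that is not a UTF-8 continuation byte (0x80-0xBF):
    // that is the number of characters in front of the match.
    return preg_match_all('/[^\x80-\xBF]/', substr($haystack, 0, $byte_pos));
}

// Constructed sample: accented text followed by markup.
$html = 'Crème brûlée <b>recipe</b>';

$naive   = example_naive_mb_strpos($html, '<');
$correct = example_utf8_strpos($html, '<');

// Caller intent: keep only the text in front of the first tag.
// With the byte offset, the cut lands past the "<" and markup leaks through.
echo 'byte offset ', $naive, ': ', example_utf8_substr($html, 0, $naive), "\n";
echo 'char offset ', $correct, ': ', example_utf8_substr($html, 0, $correct), "\n";
```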