[wp-hackers] Why WP_SITEURL and not $_SERVER['HTTP_HOST']?

Jeremy Visser jeremy at visser.name
Tue Mar 30 11:37:26 UTC 2010


On 30/03/10 16:45, Mike Schinkel wrote:
> Anyone know why WordPress doesn't just use $_SERVER['HTTP_HOST'] and
> instead requires setting of WP_SITEURL (and WP_HOME?)
> 
> There's obviously a good reason why it wasn't used, right?

  GET / HTTP/1.1
  Host: " onclick="nastyCode()" dummy="

I can't really think of any practical applications for this, but using
HTTP_HOST is a possible path for arbitrary unfiltered strings to be
echoed out. My above example is a bit naïve though - do forgive me.



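Added example, not part of the original message and not WordPress code: a plain PHP sketch of the point made above, showing a link built from the client-supplied Host header next to one built from a configured site URL. The WP_SITEURL value, the function names and the request data are constructed for illustration.

```php
<?php
// Added illustration in plain PHP (CLI); not taken from WordPress itself.

// Stand-in for the value an administrator sets in wp-config.php (constructed).
define('WP_SITEURL', 'https://blog.example.com');

// Constructed request data: the Host header quoted in the message above.
$_SERVER['HTTP_HOST'] = '" onclick="nastyCode()" dummy="';

// Before: the header is client-controlled and is interpolated into an
// HTML attribute unchanged, so its quote characters end the attribute.
function link_from_host(): string {
    return '<a href="http://' . $_SERVER['HTTP_HOST'] . '/">Home</a>';
}

// After: the URL comes from configuration, so the header is never echoed.
// Escaping for the attribute context is still applied to the output.
function link_from_config(): string {
    $url = htmlspecialchars(WP_SITEURL . '/', ENT_QUOTES, 'UTF-8');
    return '<a href="' . $url . '">Home</a>';
}

// Detection-side check: does the request's Host header name the configured
// site? An optional ":port" suffix is ignored; anything else must match
// the configured host name exactly (case-insensitively).
function host_matches_config(): bool {
    $configured = parse_url(WP_SITEURL, PHP_URL_HOST);
    if (!is_string($configured)) {
        return false;
    }
    $requested = strtolower($_SERVER['HTTP_HOST'] ?? '');
    $requested = preg_replace('/:\d+$/', '', $requested);
    return $requested === strtolower($configured);
}

echo link_from_host(), PHP_EOL;    // markup shaped by the request header
echo link_from_config(), PHP_EOL;  // markup shaped by configuration only
var_dump(host_matches_config());   // whether the header names this site
```

A mismatch reported by host_matches_config() is something to log or reject at the edge; the output no longer depends on the header either way.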