[wp-trac] [WordPress Trac] #12416: *_option(), *_transient() and *_meta() functions should all expect unslashed data.
WordPress Trac
wp-trac at lists.automattic.com
Sat Feb 27 22:19:47 UTC 2010
#12416: *_option(), *_transient() and *_meta() functions should all expect
unslashed data.
-------------------------------+--------------------------------------------
 Reporter:  Denis-de-Bernardy  |       Owner:  ryan
     Type:  defect (bug)       |      Status:  new
 Priority:  normal             |   Milestone:  3.0
Component:  Security           |     Version:  3.0
 Severity:  blocker            |    Keywords:
-------------------------------+--------------------------------------------

Comment (by Denis-de-Bernardy):

Imo, we should expect unslashed input absolutely everywhere, even if it
means introducing a few backwards compat issues in plugins from authors
who know better.

We should also release WP 2.9.3 before SQL injection related hacks are all
over the place. The number of potential loopholes related to this is too
large for us to "wait for a worm to creep up". Especially if you consider
that few plugin authors know that *_meta() expects slashed input. I take
it that even fewer are aware that *_option() expects inconsistently
slashed data.

--
Ticket URL: <http://core.trac.wordpress.org/ticket/12416#comment:3>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software