[wp-trac] [WordPress Trac] #18395: Non-URL GUIDs are stripped on post update

WordPress Trac wp-trac at lists.automattic.com
Sat Aug 13 18:34:20 UTC 2011


#18395: Non-URL GUIDs are stripped on post update
--------------------------+------------------------------
 Reporter:  alexkingorg   |       Owner:
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  Awaiting Review
Component:  Validation    |     Version:  3.2.1
 Severity:  normal        |  Resolution:
 Keywords:                |
--------------------------+------------------------------

Comment (by nacin):

 This is a security precaution. Unfortunately, $post->guid may be used as a
 URL, which means that it needs to be secure if so. (Otherwise it's
 possible to stuff this with a POST.) Deciding whether we can use
 esc_url_raw vs regular attribute escaping (or strip_tags) can be a
 challenge.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/18395#comment:1>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
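
The trade-off described in the comment above, as an added PHP illustration that is not part of the original message or of WordPress core. demo_url_only() and demo_attr_only() are hypothetical, simplified stand-ins (not esc_url_raw() or WordPress's attribute escaping), the scheme allowlist is an assumption, and the GUID values are constructed.

```php
<?php
// Added illustration. demo_url_only() and demo_attr_only() are hypothetical,
// simplified stand-ins; neither is WordPress's esc_url_raw() or esc_attr().

// Constructed sample GUID values.
$guids = array(
    'http://example.com/?p=42',
    'urn:uuid:6e8bc430-9c3a-11d9-9669-0800200c9a66',
    'tag:example.com,2011:post-42',
    'javascript:alert(1)',
    '"><b>x</b>',
);

// URL policy: keep the value only if it has an allowlisted scheme (assumed
// list) and no characters that could break out of markup.
function demo_url_only( $value, $allowed = array( 'http', 'https' ) ) {
    if ( preg_match( '/[\s"\'<>]/', $value ) ) {
        return '';
    }
    $scheme = parse_url( $value, PHP_URL_SCHEME );
    if ( ! is_string( $scheme ) || ! in_array( strtolower( $scheme ), $allowed, true ) ) {
        return '';
    }
    return $value;
}

// Attribute policy: strip tags and encode quotes; the scheme is not inspected.
function demo_attr_only( $value ) {
    return htmlspecialchars( strip_tags( $value ), ENT_QUOTES, 'UTF-8' );
}

foreach ( $guids as $guid ) {
    $as_url  = demo_url_only( $guid );
    $as_attr = demo_attr_only( $guid );
    // A value that survives attribute escaping is still unsafe as a link
    // target if it would not also pass the URL policy.
    $link_ok = ( '' !== demo_url_only( $as_attr ) );
    printf(
        "%s\n  url policy:  %s\n  attr policy: %s (usable as href: %s)\n",
        $guid,
        '' === $as_url ? '(emptied)' : $as_url,
        $as_attr,
        $link_ok ? 'yes' : 'no'
    );
}
```

The URL policy empties the urn: and tag: values, mirroring the ticket's complaint, while the attribute policy preserves them but also passes the javascript: value through unchanged, so it is only safe where the GUID is never emitted as a link target.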

