[wp-trac] [WordPress Trac] #39865: Escaping functions have filters that allow them to be bypassed
WordPress Trac
noreply at wordpress.org
Fri Feb 17 14:16:06 UTC 2017
#39865: Escaping functions have filters that allow them to be bypassed
-------------------------------+------------------------------
Reporter: welcher | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Formatting | Version: trunk
Severity: normal | Resolution:
Keywords: 2nd-opinion close | Focuses:
-------------------------------+------------------------------
Comment (by welcher):
Replying to [comment:1 dd32]:
> I really feel this is by-design and should NOT be changed. We shouldn't
> pretend that WordPress operates in a clean sandboxed mode where code can
> only change what it is expected to.
>
> Everything is filterable in WordPress, using filters within escaping
> functions allows for enhancing escaping functions where needed, but they
> also make it easier to selectively undo it for certain edge-cases when
> needed - knowing the input text is required there. If people need to use
> the parameter, they're going to use it even if deprecated, otherwise the
> only option would be a hacky workaround.
While I agree with the concept of filtering all the things, in this case,
I feel that we're compromising site security for that ideal. If there is a
use case where someone needs to selectively undo the escaping, then perhaps
not using the function is a better choice than filtering it away. Is there
a use-case for this in core?
>
> If malicious code wanted to output non-escaped text in a location where
> `esc_html()` was used, there'd be numerous ways it could achieve it - the
> simplest would be to output the content upon one of the many filters which
> is probably called within what is going into `esc_html()`.
I cannot find any other filters being called in the internals of
`esc_html()` but I see your point.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/39865#comment:2>
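A defender-side check for the concern raised in this comment, added here as an example and not code from the ticket or from WordPress core: a must-use plugin that lists every callback hooked onto the core escaping filters and probes `esc_html()` and `esc_attr()` with a known-dangerous string. It assumes WordPress 4.7 or later (the `WP_Hook` API) and the filter names as they appear in `wp-includes/formatting.php`; the function names prefixed `escaping_audit_` are hypothetical.

```php
<?php
// Added example, not from the ticket or WordPress core. Assumes it is saved as
// wp-content/mu-plugins/escaping-audit.php on WordPress 4.7+ (WP_Hook API).
// Human-readable name for a callable: closure location, Class::method, or function name.
function escaping_audit_describe( $fn ) {
    if ( $fn instanceof Closure ) {
        $r = new ReflectionFunction( $fn );
        return 'closure@' . $r->getFileName() . ':' . $r->getStartLine();
    }
    if ( is_array( $fn ) ) {
        return ( is_object( $fn[0] ) ? get_class( $fn[0] ) : $fn[0] ) . '::' . $fn[1];
    }
    return is_object( $fn ) ? get_class( $fn ) : (string) $fn;
}
// Filters applied inside core escaping functions; core hooks nothing onto them,
// so every callback listed here comes from a plugin or theme and is worth reviewing.
function escaping_audit_list_hooks() {
    $found = array();
    foreach ( array( 'esc_html', 'attribute_escape', 'js_escape', 'esc_textarea', 'clean_url' ) as $tag ) {
        if ( empty( $GLOBALS['wp_filter'][ $tag ] ) ) {
            continue;
        }
        foreach ( $GLOBALS['wp_filter'][ $tag ]->callbacks as $priority => $cbs ) {
            foreach ( $cbs as $cb ) {
                $found[] = sprintf( '%s: %s (priority %d)', $tag, escaping_audit_describe( $cb['function'] ), $priority );
            }
        }
    }
    return $found;
}
// Probe: a filter that "selectively undoes" escaping lets raw metacharacters through.
// Returns the escaping functions whose output for a constructed dangerous string still has one.
function escaping_audit_self_test() {
    $probe  = '<script>alert("x")</script>\'&';
    $failed = array();
    foreach ( array( 'esc_html', 'esc_attr' ) as $fn ) {
        if ( preg_match( '/[<>"\']/', call_user_func( $fn, $probe ) ) ) {
            $failed[] = $fn;
        }
    }
    return $failed; // empty array means escaping is intact
}
// Run late on init so every plugin and theme has already registered its hooks.
add_action( 'init', function () {
    foreach ( escaping_audit_list_hooks() as $line ) {
        error_log( '[escaping-audit] hook found: ' . $line );
    }
    foreach ( escaping_audit_self_test() as $fn ) {
        error_log( '[escaping-audit] ' . $fn . '() output still contains HTML metacharacters' );
    }
}, PHP_INT_MAX );
```

The probe runs on every request; on a busy site, gate it behind a transient or a WP-CLI command so the log is not flooded.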