[wp-hackers] Re: [wp-svn] [3939] trunk/wp-includes/pluggable.php: Allow % so entities such as slashes don't break.

Sam Angove sam at rephrase.net
Fri Jun 30 03:22:10 GMT 2006


On 6/30/06, Matt Mullenweg <m at mullenweg.com> wrote:
>
> > +     $strip = array('%0d', '%0a');
>
> Is this a comprehensive list of dangerous entities that can be encoded?
> Might be best to take a whitelist approach here instead for a set of
> encoded entities or a fixed range.

Is it even necessary to strip those? Aren't they only dangerous (for
HTTP response splitting, etc.) if they're urldecoded?


More information about the wp-hackers mailing list