[wp-hackers] Re: [wp-svn] [3939] trunk/wp-includes/pluggable.php: Allow % so entities such as slashes don't break.

Ryan Boren ryan at boren.nu
Fri Jun 30 07:03:48 GMT 2006

Sam Angove wrote:
> On 6/30/06, Matt Mullenweg <m at mullenweg.com> wrote:
>> > +     $strip = array('%0d', '%0a');
>> Is this a comprehensive list of dangerous entities that can be encoded?
>> Might be best to take a whitelist approach here instead for a set of
>> encoded entities or a fixed range.
> Is it even necessary to strip those? Aren't they only dangerous (for
> HTTP response splitting, etc.) if they're urldecoded?

Most response splitting writeups I've seen recommend stripping the CR 
and LF entities.

I think we can whitelist since wp_redirect() is limited to admin URIs. 
I don't think it needs to be able to handle arbitrary URLs or encoded i18n.


More information about the wp-hackers mailing list