[wp-hackers] Re: [wp-svn] [3939] trunk/wp-includes/pluggable.php: Allow % so entities such as slashes don't break.
Ryan Boren
ryan at boren.nu
Fri Jun 30 07:03:48 GMT 2006
Sam Angove wrote:
> On 6/30/06, Matt Mullenweg <m at mullenweg.com> wrote:
>>
>> > + $strip = array('%0d', '%0a');
>>
>> Is this a comprehensive list of dangerous entities that can be encoded?
>> Might be best to take a whitelist approach here instead for a set of
>> encoded entities or a fixed range.
>
> Is it even necessary to strip those? Aren't they only dangerous (for
> HTTP response splitting, etc.) if they're urldecoded?
Most response splitting writeups I've seen recommend stripping the CR
and LF entities.
I think we can whitelist since wp_redirect() is limited to admin URIs.
I don't think it needs to be able to handle arbitrary URLs or encoded i18n.
Ryan
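An added illustration of the two approaches discussed above, the blacklist from the patch beside a whitelist of the kind Matt and Ryan suggest; this is not the patch's code or wp_redirect() itself, and the function names are hypothetical.

```php
<?php
// Added example, not code from the [3939] change or from wp_redirect().
// Function names are hypothetical.

// Blacklist (the approach in the patch): remove two encoded sequences only.
// str_replace() is case-sensitive, so '%0D', '%0A' and a raw CR/LF pair
// are left untouched, which is why Matt asks whether the list is complete.
function strip_crlf_blacklist($location) {
    $strip = array('%0d', '%0a');
    return str_replace($strip, '', $location);
}

// Whitelist: keep only characters a relative admin URI needs. '%' stays so
// percent-encoded values such as %2F (an encoded slash) survive, which is
// what the patch set out to allow. Raw control bytes, CR and LF included,
// are dropped because they never belong in a header value. Encoded CR/LF
// are then removed case-insensitively so the value stays safe even if
// something downstream decodes it.
function sanitize_redirect_whitelist($location) {
    $location = preg_replace('|[^a-z0-9\-~+_.?#=&;,/:%!*\[\]()@]|i', '', $location);
    $location = preg_replace('/%0[ad]/i', '', $location);
    return $location;
}

// Constructed sample: an admin URI with an encoded slash, followed by a
// raw CRLF and an upper-case encoded CRLF that the blacklist does not catch.
$sample = "edit.php?p=a%2Fb\r\n%0D%0AX-Test:1";

// The blacklist output still contains the raw CRLF and the %0D%0A pair;
// the whitelist output keeps %2F and drops every CR/LF form.
echo "blacklist: ", addcslashes(strip_crlf_blacklist($sample), "\r\n"), "\n";
echo "whitelist: ", sanitize_redirect_whitelist($sample), "\n";
```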