[wp-hackers] Re: 2.0.10 and 2.1.3 Release Candidates

Ryan Boren ryan at boren.nu
Sat Mar 17 08:58:54 GMT 2007


On 3/16/07, Ryan Boren <ryan at boren.nu> wrote:
> RC2 for both 2.0.10 and 2.1.3 is out.  The following bugs are fixed:
>
> http://trac.wordpress.org/ticket/3979
> http://trac.wordpress.org/ticket/3981
>
> Also, some more attribute_escapes were added to a few places.
>
> http://trac.wordpress.org/changeset/5046
> http://trac.wordpress.org/changeset/5050

We've run across another issue:

http://trac.wordpress.org/ticket/3986

Basically, our attribute_escape() is not sufficient to protect content
that goes into href or src.  IE7, for one, will still interpret the
escaped content.  Mark and I just ran through the code and changed
href and src content to use clean_url() instead of attribute_escape().
These changes are committed to trunk and the 2.1 branch. 2.0 is in
the works.  Please review and test.  After we shake out any obvious
screwups we will package RC3 for wider testing.

When you review the code, keep in mind how our various sanitizer
functions should be used.  js_escape() is used to sanitize JS code
that goes into onclick, etc.  clean_url() sanitizes content that goes
into an href, src, or redirect.  attribute_escape() escapes content
going into an attribute.  If you want to do some XSS testing, look
over the XSS cheat sheet.

http://ha.ckers.org/xss.html

Ryan
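Added illustration of the point in the message above (this is example code written for this page, not code from the message, from WordPress, or from Ryan and Mark's commit): it models an attribute escaper, a browser's handling of an href value, and a clean_url-style sanitizer, and shows why entity-escaping alone does not stop a javascript: URL from reaching the URL parser while scheme checking on the decoded form does. The attribute_escape model (no double-encoding of existing character references), the browser model, the clean_url design, the protocol allow-list and all sample inputs are assumptions made for the example.

```python
import html
import re

# Assumed allow-list of characters that may survive in a URL destined for
# href/src (not WordPress's list); non-ASCII characters are also kept.
URL_CHARS = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
    "-~+_.?#=!&;,/:%@$|*'()[]"
)
# Assumed protocol allow-list for this example.
ALLOWED_PROTOCOLS = ("http", "https", "ftp", "mailto", "news", "feed")

_EXISTING_REF = re.compile(r"&(#[0-9]+|#x[0-9a-fA-F]+|[A-Za-z][A-Za-z0-9]*);")
_SCHEME = re.compile(r"([A-Za-z][A-Za-z0-9+.\-]*):")


def attribute_escape(text: str) -> str:
    """Assumed attribute escaper: entity-encodes & < > " ' but leaves an
    existing character reference such as &#58; untouched, i.e. the
    no-double-encode behaviour of htmlspecialchars(..., double_encode=false)."""
    out, i = [], 0
    while i < len(text):
        ch = text[i]
        if ch == "&":
            m = _EXISTING_REF.match(text, i)
            if m:                      # keep an existing reference as-is
                out.append(m.group(0))
                i = m.end()
                continue
            out.append("&amp;")
        else:
            out.append({"<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#039;"}.get(ch, ch))
        i += 1
    return "".join(out)


def browser_href_target(attr_value: str) -> str:
    """Model of what a browser does with an href/src attribute value: decode
    character references, then drop ASCII tab/CR/LF and surrounding
    whitespace before handing the string to its URL parser."""
    url = html.unescape(attr_value)
    return re.sub(r"[\t\r\n]", "", url).strip()


def scheme(url: str) -> str:
    """Scheme the URL parser would see; '' for a scheme-less or relative URL.
    (A bare 'host:port' form is also read as a scheme here and will be
    rejected by clean_url(); that is the conservative side to err on.)"""
    m = _SCHEME.match(url)
    return m.group(1).lower() if m else ""


def clean_url(url: str, protocols=ALLOWED_PROTOCOLS) -> str:
    """Assumed href/src sanitizer in the spirit of the clean_url() described
    in the message: normalise first, decide on the scheme second, escape for
    the attribute last. Returns '' when the scheme is not on the allow-list."""
    if not url:
        return ""
    previous = None
    while previous != url:             # decode until stable: &amp;#58; -> &#58; -> :
        previous = url
        url = html.unescape(url)
    # Tabs, newlines, NULs and spaces are not in URL_CHARS, so the one filter
    # removes them along with every other character a URL cannot carry.
    url = "".join(c for c in url if c in URL_CHARS or ord(c) >= 0x80)
    s = scheme(url)
    if s and s not in protocols:
        return ""
    # The scheme was checked on the decoded form, so re-encoding & and ' for
    # the attribute context cannot reopen the hole.
    return url.replace("&", "&#038;").replace("'", "&#039;")


def compare(value: str) -> dict:
    """For one untrusted value: what each sanitizer emits and which scheme
    the browser would end up following."""
    escaped, cleaned = attribute_escape(value), clean_url(value)
    return {
        "attribute_escape": escaped,
        "scheme_after_attribute_escape": scheme(browser_href_target(escaped)),
        "clean_url": cleaned,
        "scheme_after_clean_url": scheme(browser_href_target(cleaned)) if cleaned else "",
    }


# Constructed sample inputs for the comparison (not taken from the message).
SAMPLES = [
    "javascript:alert(1)",
    "javascript&#58;alert(1)",
    "java\tscript:alert(1)",
    "http://example.com/?a=1&b=2",
    "/wp-admin/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), compare(sample))
```

The first three samples show the failure mode: a javascript: URL contains no HTML-significant character, so an attribute escaper hands it back unchanged, and an already-encoded &#58; or an embedded tab is decoded or stripped by the browser before the scheme is read. The clean_url model survives all three only because it decodes and strips before it looks at the scheme, and it still passes an ordinary http:// URL and a relative path through.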
