[wp-hackers] Re: 2.0.10 and 2.1.3 Release Candidates

Ryan Boren ryan at boren.nu
Wed Mar 21 22:39:56 GMT 2007


On 3/17/07, Ryan Boren <ryan at boren.nu> wrote:
> We've run across another issue:
>
> http://trac.wordpress.org/ticket/3986
>
> Basically, our attribute_escape() is not sufficient to protect content
> that goes into href or src.  IE7, for one, will still interpret the
> escaped content.  Mark and I just ran through the code and changed
> href and src content to use clean_url() instead of attribute_escape().
>  These changes are committed to trunk and the 2.1 branch. 2.0 is in
> the works.  Please review and test.  After we shake out any obvious
> screwups we will package RC3 for wider testing.

We've fixed up a few bugs introduced by clean_url(), and I just fixed
a bug where we weren't properly checking the publish caps when editing
posts via XMLRPC.  We need to test XMLRPC editing and posting for both
the blogger and MW APIs, and we still need testing and feedback on the
previous round of changes.  Click around the admin to make sure
clean_url hasn't broken any links.  The broken links in the uploader
and in the edit users page should be fixed now, but other broken links
may still be lurking.

2.0 needs some auditing love.  It does have nearly as many calls to
attribute_escape() and clean_url() as 2.1 and trunk do.  If anyone has
time to help with a file by file audit, please dive in.  Compare each
file in 2.0 versus their 2.1 counterparts and identify missing
sanitization.

At this point we're kind of back to beta status, but if we can get
some auditing and testing done today and tomorrow we can put out RC3.

Ryan


More information about the wp-hackers mailing list