[wp-hackers] Why WP_SITEURL and not $_SERVER['HTTP_HOST']?
jeremy at visser.name
Tue Mar 30 11:37:26 UTC 2010
On 30/03/10 16:45, Mike Schinkel wrote:
> Anyone know why WordPress doesn't just use $_SERVER['HTTP_HOST'] and
> instead requires setting of WP_SITEURL (and WP_HOME?)
> There's obviously a good reason why it wasn't used, right?

    GET / HTTP/1.1
    Host: " onclick="nastyCode()" dummy="

I can't really think of any practical applications for this, but using
HTTP_HOST is a possible path for arbitrary unfiltered strings to be
echoed out. My above example is a bit naïve though - do forgive me.
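
The risk described in the reply above, as an added example that is not part of the original post and is not WordPress code: a link built from the Host header beside two hardened forms, one that uses a configured URL and one that validates the header against it. The function names, the `CONFIGURED_SITEURL` constant and its value are assumptions made for illustration.

```php
<?php
// Added example: plain PHP, no WordPress functions; all names are hypothetical.

// Stand-in for a configured site URL such as WP_SITEURL (constructed value).
const CONFIGURED_SITEURL = 'http://blog.example.com';

// Constructed sample: the Host header value from the request in the post.
$constructed_host = '" onclick="nastyCode()" dummy="';

// Before: the client-supplied header is concatenated into an HTML attribute.
function link_from_host_unsafe(string $host): string {
    return '<a href="http://' . $host . '/">Home</a>';
}

// After (a): ignore the header, use the configured URL, escape it on output.
function link_from_config(): string {
    $url = htmlspecialchars(CONFIGURED_SITEURL . '/', ENT_QUOTES, 'UTF-8');
    return '<a href="' . $url . '">Home</a>';
}

// After (b): accept the header only when it is a syntactically valid host
// name and matches the host of the configured URL; otherwise return null.
function validated_host(string $host): ?string {
    $host = strtolower($host);
    if (!preg_match('/^[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?$/D', $host)) {
        return null;
    }
    $expected = parse_url(CONFIGURED_SITEURL, PHP_URL_HOST);
    return $host === $expected ? $host : null;
}

// The quote in the header closes href, so onclick becomes its own attribute.
echo link_from_host_unsafe($constructed_host), "\n";
echo link_from_config(), "\n";

foreach ([$constructed_host, 'Blog.Example.com', 'other.example.net'] as $h) {
    $ok = validated_host($h);
    echo var_export($h, true), ' => ', $ok ?? 'rejected', "\n";
}
```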