[wp-hackers] Potential (security) issue with Twenty Ten?

Mike Little wordpress at zed1.com
Thu Jan 6 12:34:17 UTC 2011

On 6 January 2011 12:01, Peter Westwood <peter.westwood at ftwr.co.uk> wrote:

> Hi,
> On 6 Jan 2011, at 11:26, Bjorn Wijers wrote:
> > Not sure if this is the right place to discuss this, so please point me
> in the right direction if this should be discussed somewhere else...
> >
> If you think you have found a security issue then you should contact the
> security "team" as documented here:
> http://codex.wordpress.org/Reporting_Bugs#Reporting_security_issues
and never on a public mailing list!

>  > I was looking at Twenty Ten and noticed this piece of code below the
> theme textdomain loading in the functions.php:
> > ...
> > 93 $locale = get_locale();
> >
> > ... Also the $locale, as far as I can see although I haven't dived into
> it, does not get escaped. Somehow this looks kinda funky.
> >

$locale does not come from the outside world; only from setting in
wp-config.php or a plugin or theme that can filter the value. Therefore it
does not need escaping.
A simple check of the get_locale() function would have verified that.

Mike Little

More information about the wp-hackers mailing list