[wp-hackers] Potential (security) issue with Twenty Ten?
wordpress at zed1.com
Thu Jan 6 12:34:17 UTC 2011
On 6 January 2011 12:01, Peter Westwood <peter.westwood at ftwr.co.uk> wrote:
> On 6 Jan 2011, at 11:26, Bjorn Wijers wrote:
> > Not sure if this is the right place to discuss this, so please point me
> > in the right direction if this should be discussed somewhere else...
> If you think you have found a security issue then you should contact the
> security "team" as documented here:
and never on a public mailing list!
> > I was looking at Twenty Ten and noticed this piece of code below the
> > theme textdomain loading in the functions.php:
> > ...
> > 93 $locale = get_locale();
> > ... Also the $locale, as far as I can see although I haven't dived into
> > it, does not get escaped. Somehow this looks kinda funky.
$locale does not come from the outside world; only from a setting in
wp-config.php or a plugin or theme that can filter the value. Therefore it
does not need escaping.
A simple check of the get_locale() function would have verified that.
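As an added illustration, not code from Twenty Ten or WordPress core: the kind of defence-in-depth check a theme could apply if it chose to validate the locale value anyway before using it in a file path. The `languages/<locale>.php` include and the helper name are assumptions.

```php
<?php
// Added example, not Twenty Ten's own code. Assumes the theme uses the
// locale to build an include path such as languages/<locale>.php and
// shows how a theme could allowlist the value, even though get_locale()
// only returns what wp-config.php (WPLANG) or the 'locale' filter set.

/**
 * Return the path of the locale-specific file for $locale, or null if
 * the value is not a plain locale code or the file is missing.
 */
function twentyten_example_locale_file( $locale, $languages_dir ) {
    // Plain locale codes look like "en", "en_US" or "de_DE_formal": letters,
    // optionally followed by underscore-separated segments. Anything else
    // (separators, dots, empty strings) is rejected rather than escaped.
    if ( ! preg_match( '/^[a-z]{2,3}(_[A-Za-z]{2,10}){0,2}$/', $locale ) ) {
        return null;
    }
    $file = rtrim( $languages_dir, '/' ) . '/' . $locale . '.php';
    $real = realpath( $file );
    $base = realpath( $languages_dir );
    // realpath() returns false for missing files and resolves symlinks;
    // confirm the result still sits inside the languages directory.
    if ( false === $real || false === $base
        || 0 !== strpos( $real, $base . DIRECTORY_SEPARATOR ) ) {
        return null;
    }
    return is_readable( $real ) ? $real : null;
}

// Constructed inputs: the first two are what WPLANG or a 'locale' filter
// would normally yield; the rest are shapes the allowlist turns away.
$candidates = array( 'en_US', 'pt_BR', '', 'en-US', 'en_US.php', 'en_US/extra' );
foreach ( $candidates as $candidate ) {
    $path = twentyten_example_locale_file( $candidate, __DIR__ . '/languages' );
    printf( "%-15s => %s\n", var_export( $candidate, true ),
        null === $path ? 'rejected or missing' : $path );
}
```

With no `languages/` directory beside the script every candidate reports "rejected or missing"; create `languages/en_US.php` to see the first one resolve.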