[wp-trac] Re: [WordPress Trac] #8767: Refactored filters to avoid potential XSS attacks
WordPress Trac
wp-trac at lists.automattic.com
Sat Jan 3 00:49:54 GMT 2009
#8767: Refactored filters to avoid potential XSS attacks
-------------------------------------------+--------------------------------
Reporter: sambauers | Owner: ryan
Type: defect (bug) | Status: new
Priority: high | Milestone: 2.7.1
Component: Security | Version: 2.7
Severity: major | Resolution:
Keywords: has-patch, needs-testing, XSS |
-------------------------------------------+--------------------------------
Comment (by sambauers):
Replying to [comment:3 miqrogroove]:
> I'm also concerned about the return ''; statements. This is not typical
> of UTF-8 sanitizers.
If wp_check_invalid_utf8() encounters bad UTF-8, the default behaviour is to
return an empty string. It can also attempt to strip the bad chars if
desired, but the default is more secure. Bad UTF-8 chars in a UTF-8-poor
browser (like IE6) can do very unpredictable things, so blanking the
string is the best approach.
In that sense it is less like a sanitiser and more like a validator.
--
Ticket URL: <http://trac.wordpress.org/ticket/8767#comment:4>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
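The validate-versus-strip distinction sambauers describes, as an added example that is not the WordPress function itself and not code from the ticket: a check that rejects the whole string when it is not well-formed UTF-8 (the default, validator behaviour) or, when asked to, drops the malformed bytes and keeps the rest (sanitiser behaviour). The function name check_invalid_utf8_example and its $strip parameter are assumptions made for this illustration; the sample inputs are constructed.

```php
<?php
// Added illustration, not WordPress's wp_check_invalid_utf8() itself: a
// validate-or-strip check with the two behaviours the ticket comment describes.
// The function name and the $strip parameter are assumptions for this example.

function check_invalid_utf8_example(string $text, bool $strip = false): string
{
    if ($text === '') {
        return '';
    }

    // PCRE in /u mode validates the subject before matching: malformed
    // UTF-8 (truncated, overlong or surrogate sequences) makes preg_match()
    // return false with preg_last_error() === PREG_BAD_UTF8_ERROR.
    $result = preg_match('/^./us', $text);
    if ($result !== false && preg_last_error() === PREG_NO_ERROR) {
        return $text;                      // well-formed: pass through unchanged
    }

    if (!$strip) {
        // Default (validator) behaviour: reject the whole string rather than
        // hand a browser bytes whose interpretation is unpredictable.
        return '';
    }

    // Optional (sanitiser) behaviour: drop the malformed bytes, keep the rest.
    // mb_scrub() replaces invalid sequences with the substitute character;
    // setting it to 'none' removes them. Restore the global setting afterwards.
    $previous = mb_substitute_character();
    mb_substitute_character('none');
    $clean = mb_scrub($text, 'UTF-8');
    mb_substitute_character($previous);
    return $clean;
}

// Constructed inputs: well-formed text, an overlong encoding of "/" (a
// classic filter-bypass trick that every conforming decoder must reject)
// and a multi-byte sequence truncated at the end of the string.
$samples = [
    'well-formed'        => "caf\xC3\xA9",
    'overlong slash'     => "a\xC0\xAFb",
    'truncated sequence' => "abc\xC3",
];

foreach ($samples as $label => $input) {
    printf("%-20s default=%s  strip=%s\n",
        $label,
        var_export(check_invalid_utf8_example($input), true),
        var_export(check_invalid_utf8_example($input, true), true));
}
```

Run as a script, the well-formed sample comes back unchanged in both modes, while both malformed samples are blanked in default mode and reduced to 'ab' and 'abc' in strip mode. The point of the example is the one the comment makes: in default mode nothing malformed reaches the browser at all, whereas the strip mode hands on whatever survives the scrub, which is exactly the behaviour a browser that guesses at bad encodings can be tricked through.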