[wp-trac] Re: [WordPress Trac] #8767: Refactored filters to avoid
potential XSS attacks
WordPress Trac
wp-trac at lists.automattic.com
Sun Jan 4 14:32:27 GMT 2009
#8767: Refactored filters to avoid potential XSS attacks
-------------------------------------------+--------------------------------
Reporter: sambauers | Owner: ryan
Type: defect (bug) | Status: new
Priority: high | Milestone: 2.7.1
Component: Security | Version: 2.7
Severity: major | Resolution:
Keywords: has-patch, needs-testing, XSS |
-------------------------------------------+--------------------------------
Comment (by link92):
wp_check_invalid_utf8() uses PCRE to check UTF-8 validity.
Of note:
* PCRE before 4.5 (by default PHP < 4.3.5) didn't check for overlong
sequences.
* PCRE before 7.3 (by default PHP4 < 4.4.9; PHP5 < 5.2.5) allowed six
byte sequences.
As WP supports back to PHP 4.3.0, if you want to check for UTF-8 validity,
it won't do.
--
Ticket URL: <http://trac.wordpress.org/ticket/8767#comment:6>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
More information about the wp-trac
mailing list