[wp-trac] [WordPress Trac] #11701: Constructing URIs using the slug (post_name) can result in arbitrary characters being passed through to the final HTML
WordPress Trac
wp-trac at lists.automattic.com
Mon May 3 17:32:10 UTC 2010
#11701: Constructing URIs using the slug (post_name) can result in arbitrary
characters being passed through to the final HTML
--------------------------+-------------------------------------------------
Reporter: jaylett | Owner:
Type: defect (bug) | Status: reopened
Priority: low | Milestone:
Component: General | Version: 2.9
Severity: normal | Resolution:
Keywords: |
--------------------------+-------------------------------------------------
Changes (by jaylett):
* status: closed => reopened
* resolution: worksforme =>
Comment:
[Hadn't previously set an email address on my account, so didn't get
notification of an update to this.]
Re-opening to state my position somewhat more clearly:
* it's niche because input validation means that WordPress will not
construct such a `post_name` in the normal course of events
* however niche doesn't mean irrelevant; by "…should never happen…" I
really mean "…should never happen in the vast majority of cases…"
* in particular I don't believe that the data model is sufficiently
protected to be able to state that this is an invariant; it's more of a
hope
* in any case, even if that weren't the case, I'd expect documentation
(in `wp-admin/includes/schema.php`) of this invariant
At the moment, it's too easy for import utils, or plugins doing freaky
things, to get this wrong. I'm arguing strongly for ensuring that no
matter what goes into the database, the output layer doesn't break *and
additionally* for suitable input sanitisation (which is already in place
here).
--
Ticket URL: <http://core.trac.wordpress.org/ticket/11701#comment:4>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
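The defence-in-depth point the comment above makes, shown in plain PHP as an added example (this is not code from the ticket or from WordPress core): the same stored `post_name` is rendered once by trusting it and once by encoding it at the output layer. The sample post row, the `example.invalid` host, the function names `build_permalink_unsafe` / `build_permalink_safe` and the strict slug pattern in `slug_is_canonical` are all constructed for the illustration; in WordPress the corresponding core helpers are `sanitize_title()` on input and `esc_url()` on output.

```php
<?php
// Added example, not part of the ticket or of WordPress core.
// Constructed sample: a post_name that normal input validation would never
// produce, but which an import tool or a plugin could write to the database.
$post = [
    'ID'        => 42,
    'post_name' => 'hello"><em>world</em>',
];

// Trusts the stored slug: whatever is in post_name reaches the HTML verbatim,
// so a malformed slug breaks the markup of the page that links to the post.
function build_permalink_unsafe(array $post): string {
    return '<a href="https://example.invalid/' . $post['post_name'] . '/">link</a>';
}

// Output-layer defence: encode the slug as a URL path segment, then escape the
// whole attribute value. The markup stays well-formed whatever the slug holds.
function build_permalink_safe(array $post): string {
    $segment = rawurlencode($post['post_name']);
    $url     = 'https://example.invalid/' . $segment . '/';
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">link</a>';
}

// A cheap, explicit check of the invariant the comment asks to have documented.
// The pattern is an assumption for this example (lowercase ASCII words joined by
// single dashes); it is stricter than what sanitize_title() itself permits.
function slug_is_canonical(string $slug): bool {
    return (bool) preg_match('/^[a-z0-9]+(?:-[a-z0-9]+)*$/', $slug);
}

echo build_permalink_unsafe($post), "\n";   // markup is broken by the stored slug
echo build_permalink_safe($post), "\n";     // slug is encoded, attribute is intact
var_dump(slug_is_canonical($post['post_name']));  // bool(false): log or reject
var_dump(slug_is_canonical('hello-world'));       // bool(true)
```

Running this with `php` prints the broken and the intact anchor side by side; the safe builder is the behaviour the comment argues every output path should have regardless of whether the input-side sanitisation held, and the invariant check is the kind of thing that belongs next to the schema documentation so that import and plugin code has something concrete to test against.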