[wp-trac] [WordPress Trac] #39865: Escaping functions have filters that allow them to be bypassed
    WordPress Trac
    noreply at wordpress.org
    Fri Feb 17 14:16:06 UTC 2017

#39865: Escaping functions have filters that allow them to be bypassed
-------------------------------+------------------------------
 Reporter:  welcher            |       Owner:
     Type:  defect (bug)       |      Status:  new
 Priority:  normal             |   Milestone:  Awaiting Review
Component:  Formatting         |     Version:  trunk
 Severity:  normal             |  Resolution:
 Keywords:  2nd-opinion close  |     Focuses:
-------------------------------+------------------------------
Comment (by welcher):
 Replying to [comment:1 dd32]:
 > I really feel this is by-design and should NOT be changed. We shouldn't
 > pretend that WordPress operates in a clean sandboxed mode where code can
 > only change what it is expected to.
 >
 > Everything is filterable in WordPress, using filters within escaping
 > functions allows for enhancing escaping functions where needed, but they
 > also make it easier to selectively undo it for certain edge-cases when
 > needed - knowing the input text is required there. If people need to use
 > the parameter, they're going to use it even if deprecated, otherwise the
 > only option would be a hacky workaround.

 While I agree with the concept of filtering all the things, in this case,
 I feel that we're compromising site security for that ideal. If there is a
 use case where someone needs to selectively undo the escaping, then perhaps
 not using the function is a better choice than filtering it away. Is there
 a use-case for this in core?

 > If malicious code wanted to output non-escaped text in a location where
 > `esc_html()` was used, there'd be numerous ways it could achieve it - the
 > simplest would be to output the content upon one of the many filters which
 > is probably called within what is going into `esc_html()`.

 I cannot find any other filters being called in the internals of
 `esc_html()` but I see your point.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/39865#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
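Since the thread accepts that the filters inside the escaping functions will stay, a site owner's practical check is to know which callbacks are hooked onto them. The following mu-plugin is an added example, not code from the ticket or from WordPress core; it walks the `$wp_filter` registry (a `WP_Hook` per tag, WordPress 4.7+) for the filter names core applies inside `esc_html()`, `esc_attr()`, `esc_textarea()`, `esc_url()` and `esc_js()` and logs every callback it finds. The function and constant names are my own.

```php
<?php
/**
 * Plugin Name: Escaping-filter audit (added example, not part of ticket #39865)
 * Description: Logs every callback hooked onto the filters applied inside
 *              WordPress escaping functions, so any plugin or theme that can
 *              alter (or undo) escaping output is visible. Place the file in
 *              wp-content/mu-plugins/ so it loads before regular plugins.
 */

// Filter tags applied inside core escaping functions (wp-includes/formatting.php).
const ESC_AUDIT_FILTERS = array( 'esc_html', 'attribute_escape', 'esc_textarea', 'clean_url', 'js_escape' );

// Turn a registered callable into a printable name, resolving closures to file:line.
function esc_audit_callback_name( $function ) {
    if ( is_string( $function ) ) {
        return $function;
    }
    if ( is_array( $function ) ) {
        $class = is_object( $function[0] ) ? get_class( $function[0] ) : $function[0];
        return $class . '::' . $function[1];
    }
    if ( $function instanceof Closure ) {
        $ref = new ReflectionFunction( $function );
        return 'closure@' . $ref->getFileName() . ':' . $ref->getStartLine();
    }
    return 'unknown-callable';
}

// Collect (filter, priority, callback) triples for every hooked escaping filter.
function esc_audit_collect() {
    global $wp_filter;
    $found = array();
    foreach ( ESC_AUDIT_FILTERS as $tag ) {
        if ( empty( $wp_filter[ $tag ] ) ) {
            continue; // nothing hooked on this filter
        }
        // WP_Hook::$callbacks is priority => array of ['function' => callable, 'accepted_args' => int].
        foreach ( $wp_filter[ $tag ]->callbacks as $priority => $callbacks ) {
            foreach ( $callbacks as $cb ) {
                $found[] = array( $tag, (int) $priority, esc_audit_callback_name( $cb['function'] ) );
            }
        }
    }
    return $found;
}

// Run late so that every plugin and the active theme have registered their hooks.
add_action( 'wp_loaded', function () {
    foreach ( esc_audit_collect() as list( $tag, $priority, $name ) ) {
        error_log( sprintf( 'esc-audit: filter "%s" has callback %s at priority %d', $tag, $name, $priority ) );
    }
} );
```

Any callback listed here is one that can change what the escaping function returns, so each entry should be traceable to a plugin or theme you deliberately installed.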