[wp-trac] [WordPress Trac] #60703: Improper Input Validation
WordPress Trac
noreply at wordpress.org
Wed Mar 6 06:47:37 UTC 2024
#60703: Improper Input Validation
-------------------------------------------------+-------------------------
Reporter: rakeshchavan | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting
| Review
Component: General | Version: 6.4.3
Severity: normal | Keywords:
Focuses: administration, template, |
performance, coding-standards |
-------------------------------------------------+-------------------------
URL http://demodomain.com/wp-admin/post-new.php
Input validation on the CMS side.
Assume all input is malicious. Use an "accept known good" input validation
strategy, i.e., use a whitelist of acceptable inputs that strictly conform
to specifications. Reject any input that does not strictly conform to
specifications, or transform it into something that does. When performing
input validation, consider all potentially relevant properties,
including length, type of input, the full range of acceptable values,
missing or extra inputs, syntax, consistency across related fields, and
conformance to business rules. As an example of business rule logic,
"boat" may be syntactically valid because it only contains alphanumeric
characters, but it is not valid if the input is only expected to contain
colors such as "red" or "blue." Do not rely exclusively on looking for
malicious or malformed inputs (i.e., do not rely on a blacklist). A
blacklist is likely to miss at least one undesirable input, especially if
the code's environment changes. This can give attackers enough room to
bypass the intended validation. However, blacklists can be useful for
detecting potential attacks or determining which inputs are so malformed
that they should be rejected outright.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/60703>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list