WordPress pollutes POST data
| Reported by: | bilge | Owned by: | |
| Severity: | critical | Keywords: | post data pollution |
Form data containing quotes is escaped. For example, if a user submits an input field with the name "test" and the value "'", after the form is submitted: $_POST['test'] == "\'".
This is essentially magic_quotes_gpc emulation which is so cancerous that the PHP developers had the good sense to not only deprecate it but also remove it from the newest versions of PHP, and yet WordPress sees fit to spread the tumour around some more. All of that is irrelevant, however, when considering that there is no earthly reason to permit any application permission to augment the values of any PHP superglobals and that certainly extends to the POST data collection.
Whether or not I agree that code is poetry is a moot point considering that whoever is responsible for coding this abomination hasn't seen poetic code in their entire lifetime.
Change History (17)
- Milestone 2.8.3 deleted
- Resolution set to wontfix
- Status changed from new to closed
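The slashing behaviour the ticket reports, and what it means for code that reads the submitted values, shown as an added example that is not part of the ticket or of WordPress. The helper names and all sample fields except "test" are constructed for illustration.

```php
<?php
// Added illustration. emulate_slashing() and remove_slashing() are
// hypothetical stand-ins, not WordPress's implementation.

// Recursively escape quotes and backslashes in every string value:
// the effect the ticket reports on $_POST.
function emulate_slashing($value) {
    if (is_array($value)) {
        return array_map('emulate_slashing', $value);
    }
    return is_string($value) ? addslashes($value) : $value;
}

// Strip exactly one layer of that escaping, recursively.
function remove_slashing($value) {
    if (is_array($value)) {
        return array_map('remove_slashing', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// Fail loudly on a mismatch instead of relying on assert() ini settings.
function expect_same($actual, $expected, $label) {
    if ($actual !== $expected) {
        throw new RuntimeException("$label: got " . var_export($actual, true));
    }
    echo "ok: $label\n";
}

// Constructed form data; only the 'test' field comes from the ticket.
$raw = [
    'test'  => "'",
    'path'  => 'C:\\temp\\file.txt',
    'items' => ["O'Brien", 'plain'],
];

$slashed = emulate_slashing($raw);
expect_same($slashed['test'], "\\'", 'quote gains a backslash');
expect_same($slashed['items'][0], "O\\'Brien", 'nested values are escaped too');
expect_same($slashed['path'], 'C:\\\\temp\\\\file.txt', 'backslashes are doubled');

// Unslashing once restores the submitted values.
expect_same(remove_slashing($slashed), $raw, 'one unslash round-trips');

// Unslashing data that is no longer slashed destroys real backslashes.
expect_same(remove_slashing($raw)['path'], 'C:tempfile.txt', 'second unslash corrupts');
```

In WordPress itself, stripslashes_deep() (and wp_unslash() in later releases) plays the role of remove_slashing(); the unslashed value still needs parameterized queries and output escaping at the point of use.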