Opened 15 years ago
Closed 14 years ago
#2267 closed defect (bug) (fixed)
'%' in comment author's URLs is incorrectly stripped out.
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | high |
| Severity: | normal | Version: | 2.0.5 |
| Component: | General | Keywords: | has-patch 2nd-opinion dev-feedback security |
| Focuses: | | Cc: | |
Description
'%' in comment author's URLs is incorrectly stripped out. For example, a URL like:
http://www.example.com/%e5%a4%a7%e9%9b%be%e7%ac%bc%e7%bd%a9%e5%8d%97%e4%ba%ac/
will be stripped out as:
http://www.example.com/e5a4a7e99bbee7acbce7bda9e58d97e4baac/.
Solution:
In wp-includes/comment-functions.php, line 214:
replace
$url = preg_replace('|[^a-z0-9-~+_.?#=&;,/:]|i', '', $url);
with:
$url = preg_replace('|[^a-z0-9-~+_.?#=&;,/:%]|i', '', $url);
Attachments (1)
Change History (11)
#3
@
15 years ago
- Keywords bg|2nd-opinion bg|dev-feedback added; percent-sign removed
This needs significant analysis and testing. Yes, percents are the preferred way to encode entities in a URL. However, this might open up the author URL to XSS (cross-site scripting) vulnerabilities by encoding entities that are used to exploit *cough* browsers like IE and NS.
#4
@
15 years ago
WordPress serves as blog software for me in UTF-8 encoding. And the majority of my blog posts are in Chinese. IE and Mozilla/NS/Firefox all send percent-encoded URLs or POSTed form values. If percents are stripped out, all CJK characters (maybe in other languages) will be unavailable to use in comment author URLs and trackback pings.
#7
@
14 years ago
- Keywords has-patch 2nd-opinion dev-feedback added; bg|has-patch bg|2nd-opinion bg|dev-feedback removed
add percent sign to the regular expression replacement in clean_url()
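
The effect of the one-character change, as an added example (not code from the ticket or from WordPress): the first two functions wrap the two regular expressions quoted in the description, and `strip_url_strict()` is an assumed stricter variant, prompted by the concern raised in comment #3, that keeps `%` only inside well-formed `%XX` escapes and drops escapes for ASCII control bytes. All function names are hypothetical.

```php
<?php
// Added illustration: function names are hypothetical, not WordPress APIs.

// Allow-list as quoted in the ticket before the fix: '%' is not permitted.
function strip_url_before(string $url): string {
    return preg_replace('|[^a-z0-9-~+_.?#=&;,/:]|i', '', $url);
}

// The ticket's proposed fix: '%' joins the permitted characters.
function strip_url_after(string $url): string {
    return preg_replace('|[^a-z0-9-~+_.?#=&;,/:%]|i', '', $url);
}

// Assumed stricter variant (not in the ticket): '%' survives only as part of
// a well-formed %XX escape, and escapes for ASCII control bytes are dropped.
function strip_url_strict(string $url): string {
    $url = strip_url_after($url);
    return preg_replace_callback(
        '/%([0-9a-f]{2})?/i',
        function (array $m): string {
            if (!isset($m[1])) {
                return '';                      // stray '%' without two hex digits
            }
            $byte = hexdec($m[1]);
            return ($byte < 0x20 || $byte === 0x7f) ? '' : $m[0];
        },
        $url
    );
}

// First URL is the one from the ticket; the other two are constructed.
$samples = [
    'http://www.example.com/%e5%a4%a7%e9%9b%be%e7%ac%bc%e7%bd%a9%e5%8d%97%e4%ba%ac/',
    'http://www.example.com/a%zzb',
    'http://www.example.com/a%0ab',
];

foreach ($samples as $url) {
    echo "input:  $url\n";
    echo "before: ", strip_url_before($url), "\n";
    echo "after:  ", strip_url_after($url), "\n";
    echo "strict: ", strip_url_strict($url), "\n\n";
}
```

On the ticket's URL the first function reproduces the stripped form shown in the description, while the other two leave the percent-encoded UTF-8 bytes intact.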