Make WordPress Core

Changes between Initial Version and Version 1 of Ticket #37192, comment 12


Timestamp: 08/02/2016 07:11:41 PM (5 years ago)
Author: ChopinBach

  • Ticket #37192, comment 12

    initial v1  
    55The API itself is using extremely loose validation.  If we implement this change, (well, it is already implemented) we will potentially need to do a lot more logic in the validation, as we will be relying on loose type and other things.
    66
    7 Potentially, as Joe mentioned in slack, `<script>alert('ZOMG Hacking you Hard')</script>` would by default, the way the WP REST API plugin is currently, now be "valid" input which would need to then be "sanitized".  In its original form, `sanitize_callback()` acted as a fault tolerant white list filter. But because of it being named `sanitize_callback()`, we will now need to move some of that logic into the validation, or provide more robust validation that is not fault tolerant.
     7Potentially, as Joe mentioned in slack, `<script>alert('ZOMG Hacking you Hard')</script>` would by default, the way the WP REST API plugin is currently configured, now be "valid" input which would need to then be "sanitized".  In its original form, `sanitize_callback()` acted as a fault tolerant white list filter. But because of it being named `sanitize_callback()`, we will now need to move some of that logic into the validation, or provide more robust validation that is not fault tolerant.
    88
    99Overall, after thinking about it, this patch is probably good and potentially we should just slap all of the logic into validate callback, so there is not any semantic headaches in the future. I fail to see the harm of what the original implementation was; but I could definitely be wrong.