2009/6/30 Jake McMurchie <jake.mcmurchie@...>
> ...... no security vulnerabilities have been made public with
> 2.7/2.7.1 (that I'm aware of) and 2.8 has not been advertised as a required
> upgrade for security purposes.
While there hasn't been anything (at least in public) about vulnerabilities,
2.8 includes security improvements, such as these...
- Refactor filters to avoid potential XSS attacks
- Deprecate wp_specialchars() in favor of esc_html(). Encode quotes for
esc_html() as in esc_attr(), to improve plugin security
<http://codex.wordpress.org/Data_Validation> (ref. Development Updates
<http://wpdevel.wordpress.com/tag/escaping/>)
(From: http://codex.wordpress.org/Version_2.8)
So, from the point of view of enhanced security it's a worthwhile upgrade.
Performance is better too, although depending on the site this may not be
very noticeable to clients.
I have the same dilemma and have people still on 2.6.5, some of whom are
sticking with that. If it helps, these are the criteria I use to decide
whether to recommend an upgrade.
1. If the server is secure and plugins have been checked for security, and the user does not want threaded comments - leave as is.
2. If the user adds their own plugins - recommend upgrade.
3. If the site is using plugins that have not yet been updated for 2.8, then wait.
Lynne
_______________________________________________
wp-hackers mailing list
wp-hackers@...
http://lists.automattic.com/mailman/listinfo/wp-hackers
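An added illustration, not part of this thread, of why the quote-encoding change in esc_html() matters for plugin output that ends up inside an HTML attribute. Both escapers are hypothetical Python models rather than WordPress's PHP: `legacy_specialchars` stands for the pre-2.8 default that left quotes alone, `esc_html` for the 2.8 behaviour of encoding them as esc_attr() does; the sample text is constructed.

```python
import html
import re
from typing import Callable, Optional

# Constructed sample: ordinary user text that happens to contain both
# quote characters; it is data, not an attack string.
SAMPLE_TITLE = 'Bob\'s "Best" Blog'


def legacy_specialchars(text: str) -> str:
    """Hypothetical model of the pre-2.8 default (quotes not encoded):
    only & < > are escaped, so the result is only safe between tags."""
    return html.escape(text, quote=False)


def esc_html(text: str) -> str:
    """Hypothetical model of 2.8's esc_html(): encode " and ' as well
    (the ENT_QUOTES behaviour esc_attr() already had)."""
    return html.escape(text, quote=True)


def render_title_attr(escaped: str) -> str:
    """Template a plugin might use: escaped text dropped into an attribute."""
    return f'<a href="/" title="{escaped}">link</a>'


def parsed_title(markup: str) -> Optional[str]:
    """Browser-like read of the title attribute: the value ends at the
    first unencoded double quote, whatever the author intended."""
    tag = markup[: markup.index(">") + 1]
    m = re.search(r'\stitle="([^"]*)"', tag)
    return m.group(1) if m else None


def survives_attribute_context(text: str, escaper: Callable[[str], str]) -> bool:
    """True when the original text is recovered intact from the parsed
    attribute. False means the attribute was cut short and the rest of
    the text now sits inside the tag itself, which is exactly the
    condition an attacker-controlled string would take advantage of."""
    value = parsed_title(render_title_attr(escaper(text)))
    return value is not None and html.unescape(value) == text


if __name__ == "__main__":
    for name, fn in (("legacy", legacy_specialchars), ("esc_html", esc_html)):
        intact = survives_attribute_context(SAMPLE_TITLE, fn)
        print(f"{name:8s} attribute intact: {intact}")
```

The check is deliberately about plain data with quotes in it: once a benign title already truncates the attribute, the same gap is what an XSS string would use, so a plugin audit only needs to confirm the escaper in use encodes quotes wherever output lands in an attribute.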