[wp-hackers] Rethinking check_admin_referer()
Elliotte Harold
elharo at metalab.unc.edu
Wed Apr 19 18:46:19 GMT 2006
Matt Mullenweg wrote:
> Elliotte Harold wrote:
>> But is this even allowed? With the default options is it possible to
>> put a form tag (or an img or script tag) in a comment?
>
> Of course not, but we're not talking about XSS, we're talking about CSRF.
>
OK, so the problem is that someone puts a form/link/img on another site
whose action indicates deleting an article on my site? The they have to
get me to go there and click it somehow? Am I understanding this?
--
Elliotte Rusty Harold elharo at metalab.unc.edu
XML in a Nutshell 3rd Edition Just Published!
http://www.cafeconleche.org/books/xian3/
http://www.amazon.com/exec/obidos/ISBN=0596007647/cafeaulaitA/ref=nosim
More information about the wp-hackers
mailing list