[wp-trac] Re: [WordPress Trac] #4720: Users without unfiltered_html
capability can post arbitrary html
WordPress Trac
wp-trac at lists.automattic.com
Tue Aug 14 19:21:02 GMT 2007
#4720: Users without unfiltered_html capability can post arbitrary html
-----------------------+----------------------------------------------------
 Reporter:  xknown     |        Owner:  anonymous
     Type:  defect     |       Status:  new
 Priority:  high       |    Milestone:  2.2.3
Component:  Security   |      Version:  2.2.2
 Severity:  major      |   Resolution:
 Keywords:  has-patch  |
-----------------------+----------------------------------------------------
Comment (by xknown):
Replying to [comment:2 JeremyVisser]:
> I can't reproduce on WP 2.2.2. Can you provide exact steps to reproduce
> this? Are you sure this happens on a fresh installation of WordPress?
> Perhaps a plugin is causing this?
>
> Trunk is definitely not vulnerable, as grepping the source tree doesn't
> return anything for a search of 'no_filter'.
Try the following [http://pastebin.com/m4c0fb5c3 bookmarklet] on
wp-admin/post-new.php; it should work on WP 2.2.x.
--
Ticket URL: <http://trac.wordpress.org/ticket/4720#comment:6>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software