[wp-trac] Re: [WordPress Trac] #4236: get_theme_data() doesn't clean up html in theme data.

WordPress Trac wp-trac at lists.automattic.com
Tue May 8 15:27:33 GMT 2007


#4236: get_theme_data() doesn't clean up html in theme data.
----------------------------+-----------------------------------------------
 Reporter:  codein          |        Owner:  anonymous
     Type:  defect          |       Status:  new      
 Priority:  high            |    Milestone:  2.4      
Component:  Administration  |      Version:  2.1.3    
 Severity:  normal          |   Resolution:           
 Keywords:  needs-patch,    |  
----------------------------+-----------------------------------------------
Changes (by Otto42):

  * priority:  normal => high
  * version:  => 2.1.3
  * summary:  XSS in template header of the styles.css => get_theme_data()
              doesn't clean up html in theme data.

Comment:

 This isn't a specific XSS type of bug. The stuff pulled from the template
 file is not cleaned up at all, so any HTML in the theme there will show up
 as is on the admin pages. In theory, you could use this to steal
 somebody's login cookies or something if you could get them to install
 your theme. They wouldn't need to activate it, just to load the
 Presentation page.

 The problem could be fixed in get_theme_data() in wp-includes/theme.php.

 Suggestion: Modify get_theme_data() to run strip_tags() on everything it
 pulls out of the template.

 Alternate suggestion: Modify get_theme_data() to run htmlentities() on
 that stuff instead (thus allowing greater than and less than signs in the
 text).

-- 
Ticket URL: <http://trac.wordpress.org/ticket/4236#comment:1>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
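The header parsing and the two sanitization options from the comment above, as an added PHP example. This is not WordPress's own get_theme_data() code: the field list, the `parse_theme_header()` regex and the sample style.css are simplified and constructed here, and htmlspecialchars() stands in for the htmlentities() call the comment suggests (it escapes the same HTML-significant characters without touching other non-ASCII text).

```php
<?php
// Added example, not WordPress's get_theme_data(). Re-creates the shape of the
// problem in the ticket: header fields read from style.css are returned raw,
// so any markup in them is emitted as-is on the admin page.

// Hypothetical, shortened list of header fields; the real function reads more.
const THEME_HEADER_FIELDS = [
    'Theme Name'  => 'Name',
    'Theme URI'   => 'URI',
    'Description' => 'Description',
    'Author'      => 'Author',
    'Version'     => 'Version',
];

// Parse "Field: value" lines from the leading comment block of a stylesheet.
// Returns field => raw string, with no cleanup, like the behaviour the ticket describes.
function parse_theme_header(string $css): array {
    $data = [];
    foreach (THEME_HEADER_FIELDS as $header => $key) {
        $pattern = '/^[ \t\/*#]*' . preg_quote($header, '/') . ':(.*)$/mi';
        $data[$key] = preg_match($pattern, $css, $m) ? trim($m[1]) : '';
    }
    return $data;
}

// Suggestion 1 from the ticket: strip_tags() removes markup outright.
// Side effect: an unspaced "<" with no closing ">" swallows the rest of the value.
function sanitize_strip(array $data): array {
    return array_map('strip_tags', $data);
}

// Suggestion 2: escape instead, so "<" and ">" survive as visible text and
// browsers never see them as tag delimiters.
function sanitize_escape(array $data): array {
    return array_map(
        fn(string $v): string => htmlspecialchars($v, ENT_QUOTES, 'UTF-8'),
        $data
    );
}

// Constructed sample style.css: one field carries a script tag, another a
// legitimate "<" that a theme author might reasonably want to keep.
$sample = <<<'CSS'
/*
Theme Name: Example <script>alert('theme')</script>
Theme URI: https://example.invalid/theme
Description: Layout for screens<800px wide
Author: Example Author
Version: 1.0
*/
body { margin: 0; }
CSS;

$raw = parse_theme_header($sample);
print_r($raw);                   // Name still contains the <script> element
print_r(sanitize_strip($raw));   // Name => "Example alert('theme')", Description => "Layout for screens"
print_r(sanitize_escape($raw));  // Name => "Example &lt;script&gt;...", Description => "Layout for screens&lt;800px wide"
```

The Description field shows the trade-off the comment points at: strip_tags() loses "<800px wide" because the "<" opens what PHP treats as an unterminated tag, while escaping keeps the text intact and still renders harmlessly. Whichever option is chosen, the point of the fix is to apply it once inside get_theme_data() so every admin page that displays theme metadata benefits.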