[wp-trac] Re: [WordPress Trac] #4236: get_theme_data() doesn't clean up html in theme data.

WordPress Trac wp-trac at lists.automattic.com
Tue May 8 15:51:53 GMT 2007


#4236: get_theme_data() doesn't clean up html in theme data.
----------------------------+-----------------------------------------------
 Reporter:  codein          |        Owner:  rob1n   
     Type:  defect          |       Status:  assigned
 Priority:  high            |    Milestone:  2.2     
Component:  Administration  |      Version:  2.1.3   
 Severity:  normal          |   Resolution:          
 Keywords:  needs-patch     |  
----------------------------+-----------------------------------------------
Changes (by rob1n):

  * keywords:  needs-patch, => needs-patch
  * owner:  anonymous => rob1n
  * status:  new => assigned

Comment:

 Better yet, KSES. I know for a fact many people use HTML in their
 Description to style it up in the admin, so it may not be a complete
 solution to just strip the tags or turn them into HTML entities.

 Also, how "big" of an XSS risk is this, really? If you've installed a
 theme with this in the theme data fields, you already trust the theme
 owner by running the PHP code (much more dangerous, really -- passwords,
 etc. can be sent out) on your server without any limits.

 I'm +1 for fixing it, but I'm not so sure about the high priority of this.

 Also, while we're at it, we could also filter it in get_plugin_data().

-- 
Ticket URL: <http://trac.wordpress.org/ticket/4236#comment:3>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
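The comment above contrasts three ways of handling HTML in a theme's Description header: stripping tags, encoding them as entities, and running them through a KSES-style allow-list. The following is an added illustration of that trade-off; it is not code from the ticket, from WordPress, or from KSES, and it is written in stand-alone Python rather than PHP so it runs without a WordPress install. The sample Description, the allowed tag list and the allowed protocol list are constructed assumptions for the example.

```python
"""Three ways to sanitize a theme-header Description, side by side (added example)."""
from html.parser import HTMLParser
import html
import re

# Constructed sample input (not from the ticket): a styled Description of the kind
# the comment describes, plus an injected script tag and an inline event handler.
SAMPLE_DESCRIPTION = (
    "A <strong>clean</strong> two-column theme by "
    '<a href="http://example.com/" onclick="alert(1)">Example Author</a>.'
    "<script>alert(1)</script>"
)

# Assumed allow-list for this example, not WordPress's own $allowedtags.
ALLOWED_HTML = {
    "a": {"href", "title"},
    "strong": set(),
    "em": set(),
    "br": set(),
}
ALLOWED_PROTOCOLS = {"http", "https"}
VOID_TAGS = {"br"}


class _TextOnly(HTMLParser):
    """Collects text content only; every tag is discarded."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []

    def handle_data(self, data):
        # Entities were decoded on input, so re-escape before the text goes back into HTML.
        self.parts.append(html.escape(data, quote=False))


def strip_all_tags(text: str) -> str:
    """Option 1 from the ticket: remove every tag. Safe, but the author's styling is lost."""
    p = _TextOnly()
    p.feed(text)
    p.close()
    return "".join(p.parts)


def entity_encode(text: str) -> str:
    """Option 2: turn markup into entities. Safe, but the tags render literally in the admin."""
    return html.escape(text, quote=True)


class AllowListSanitizer(HTMLParser):
    """Option 3: a KSES-style allow-list. Disallowed tags and attributes are dropped while
    their text content is kept; href values must use an allowed protocol."""

    def __init__(self, allowed_html, allowed_protocols):
        super().__init__(convert_charrefs=True)
        self.allowed_html = allowed_html
        self.allowed_protocols = allowed_protocols
        self.out = []

    def _protocol_ok(self, url: str) -> bool:
        # Only a leading scheme-shaped token counts as a protocol; relative URLs pass.
        m = re.match(r"\s*([a-zA-Z][a-zA-Z0-9+.-]*):", url)
        return m is None or m.group(1).lower() in self.allowed_protocols

    def handle_starttag(self, tag, attrs):
        if tag not in self.allowed_html:
            return  # tag dropped, its text content still arrives via handle_data
        kept = []
        for name, value in attrs:
            if name not in self.allowed_html[tag] or value is None:
                continue  # e.g. onclick is not in the allow-list
            if name == "href" and not self._protocol_ok(value):
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in self.allowed_html and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))


def kses_like(text: str) -> str:
    p = AllowListSanitizer(ALLOWED_HTML, ALLOWED_PROTOCOLS)
    p.feed(text)
    p.close()
    return "".join(p.out)


if __name__ == "__main__":
    for label, fn in (("strip", strip_all_tags), ("encode", entity_encode), ("allow-list", kses_like)):
        print(f"{label:>10}: {fn(SAMPLE_DESCRIPTION)}")
```

Run as a script, the first two outputs show why the comment objects to them: stripping flattens the Description to plain text, and encoding shows the author's `<strong>` and `<a>` markup as literal text. The allow-list keeps the legitimate styling and link while dropping the `onclick` handler and the `<script>` element, whose former body survives only as inert text, which is also how a strip-tags approach would leave it.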

