[wp-trac] Re: [WordPress Trac] #4236: get_theme_data() doesn't clean up html in theme data.

WordPress Trac wp-trac at lists.automattic.com
Wed May 9 18:29:20 GMT 2007


#4236: get_theme_data() doesn't clean up html in theme data.
----------------------------+-----------------------------------------------
 Reporter:  codein          |        Owner:  rob1n   
     Type:  defect          |       Status:  assigned
 Priority:  high            |    Milestone:  2.3     
Component:  Administration  |      Version:  2.1.3   
 Severity:  normal          |   Resolution:          
 Keywords:  needs-patch     |  
----------------------------+-----------------------------------------------
Comment (by Otto42):

 I don't see it as a particularly big deal, however it could be a way for
 somebody to get further into your site, if they were able to somehow add
 some malicious code to any installed theme's CSS file but not get into
 anything else.

 The only "big deal" is the fact that they could make some HTML that would
 be active on your admin pages the moment you went to the Presentation tab,
 by inserting it into the name field. The theme doesn't have to be
 activated, the name is loaded and displayed there regardless.

-- 
Ticket URL: <http://trac.wordpress.org/ticket/4236#comment:5>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
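The mechanism described in the comment above, as an added example that is not part of the original thread or of WordPress's own code: a minimal parser for the style.css header fields that get_theme_data() reads, emitting the Theme Name raw beside an escaped copy so the difference on an admin page is visible. The sample header and the helper names are constructed for illustration.

```php
<?php
// Added example (not WordPress code): a minimal parser for the style.css
// header block that get_theme_data() reads. The sample header below is
// constructed for illustration and carries markup in the Theme Name field.
$style_css = <<<'CSS'
/*
Theme Name: Example Theme <script>alert('constructed marker')</script>
Theme URI: http://example.invalid/
Description: A sample theme header.
Version: 1.0
*/
body { margin: 0; }
CSS;

// Pull a "Field:" line out of the leading comment block with preg_match,
// the way get_theme_data() does. Returns the raw value, HTML and all.
function theme_header_field(string $css, string $field): string {
    $pattern = '/^[ \t\/*#]*' . preg_quote($field, '/') . ':(.*)$/mi';
    if (preg_match($pattern, $css, $m)) {
        return trim($m[1]);
    }
    return '';
}

// Defensive version: the field is plain text by contract, so strip tags
// and encode whatever remains before it is placed inside HTML.
function theme_header_field_safe(string $css, string $field): string {
    $raw = theme_header_field($css, $field);
    return htmlspecialchars(strip_tags($raw), ENT_QUOTES, 'UTF-8');
}

$raw  = theme_header_field($style_css, 'Theme Name');
$safe = theme_header_field_safe($style_css, 'Theme Name');

// What an admin page listing installed themes would receive in each case.
// The theme need not be active; the header is read from every theme on disk.
echo "unescaped: <td>$raw</td>\n";   // markup reaches the admin page as-is
echo "escaped:   <td>$safe</td>\n";  // rendered as literal text
```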
