[wp-trac] [WordPress Trac] #34831: WP oEmbed: Validate the "Secret" When Used in `document.querySelectorAll()`
WordPress Trac
noreply at wordpress.org
Thu Dec 3 03:28:12 UTC 2015
#34831: WP oEmbed: Validate the "Secret" When Used in `document.querySelectorAll()`
--------------------------+-----------------------
 Reporter:  mdawaffe      |       Owner:
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  4.4
Component:  Embeds        |     Version:  trunk
 Severity:  normal        |    Keywords:  has-patch
  Focuses:  javascript    |
--------------------------+-----------------------
In the data sent to us from the embedded iframe by `postMessage()`, the
`secret` value is being used directly in a `document.querySelectorAll()`
call without first being validated or escaped.
In theory, this could lead to some broken embeds.
Suggested hardening patch attached: There's no reason to try and escape
this data correctly. Let's just reject if the secret does not conform to
the format we expect.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/34831>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
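As an added example (not WordPress's own wp-embed.js code), the check the ticket proposes, shown beside the unvalidated selector it replaces. The alphanumeric secret format, the `handleEmbedMessage` handler shape and the `fakeDocument` stand-in for `document` are assumptions made for illustration.

```javascript
// Assumption: a valid secret is 1-32 ASCII alphanumerics. The page does not
// state the exact format WordPress generates, so this is illustrative.
const SECRET_RE = /^[A-Za-z0-9]{1,32}$/;

function isValidSecret(secret) {
  return typeof secret === 'string' && SECRET_RE.test(secret);
}

// Unhardened pattern: the postMessage value goes straight into the selector.
// A secret like `x"]` yields `iframe[data-secret="x"]"]`, which
// querySelectorAll rejects with a SyntaxError, so the embed never resizes.
function buildSelectorUnchecked(secret) {
  return 'iframe[data-secret="' + secret + '"]';
}

// Hardened pattern: reject anything outside the expected format instead of
// trying to escape it, exactly as the ticket suggests.
function buildSelector(secret) {
  return isValidSecret(secret) ? buildSelectorUnchecked(secret) : null;
}

// Handler shaped like the host page's `message` listener. `doc` is injected so
// the logic runs outside a browser; the result object makes the outcome testable.
function handleEmbedMessage(data, doc) {
  if (!data || typeof data !== 'object') {
    return { rejected: true, reason: 'no-data' };
  }
  const selector = buildSelector(data.secret);
  if (selector === null) {
    return { rejected: true, reason: 'invalid-secret' };
  }
  const frames = Array.from(doc.querySelectorAll(selector));
  // Belt and braces: act only on frames whose attribute matches exactly.
  const matched = frames.filter(f => f.getAttribute('data-secret') === data.secret);
  return { rejected: false, selector: selector, matched: matched.length };
}

// Constructed stand-in for `document`: parses only the one selector shape this
// code builds and throws SyntaxError on anything else, like a real browser would.
function fakeDocument(frames) {
  return {
    querySelectorAll(sel) {
      const m = /^iframe\[data-secret="([A-Za-z0-9]+)"\]$/.exec(sel);
      if (!m) throw new SyntaxError('Invalid selector: ' + sel);
      return frames.filter(f => f.getAttribute('data-secret') === m[1]);
    }
  };
}

// Constructed iframe stand-in carrying a data-secret attribute.
function fakeIframe(secret) {
  return { getAttribute: name => (name === 'data-secret' ? secret : null) };
}
```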