[wp-hackers] Security Vulnerability found
Matthew Mullenweg
m at mullenweg.com
Wed Apr 13 17:59:20 GMT 2005
Eli Sarver wrote:
> Has this been addressed?
>
> http://soulblack.com.ar/repo/papers/wordpress_advisory.txt
This is someone looking for recognition by trying to identify a
non-issue as a problem. WordPress is highly secure by default. Should
you be worried about this? Not if you haven't been worried by the past 5
years of blogging software or any other CMS in the world.
That said, I think a default feature restricting users lower than level
8 to a known subset of HTML would be useful, and will be including it in
a future release. A while back Mark Ghosh created the giant array that
KSES needs to accomplish this, I'm sure he (or I) still have it somewhere.
--
Matt Mullenweg
http://photomatt.net | http://wordpress.org
http://pingomatic.com | http://cnet.com