[wp-hackers] Rethinking check_admin_referer()

Elliotte Harold elharo at metalab.unc.edu
Wed Apr 19 18:46:19 GMT 2006


Matt Mullenweg wrote:
> Elliotte Harold wrote:
>> But is this even allowed? With the default options is it possible to 
>> put a form tag (or an img or script tag) in a comment?
> 
> Of course not, but we're not talking about XSS, we're talking about CSRF.
> 


OK, so the problem is that someone puts a form/link/img on another site 
whose action indicates deleting an article on my site? Then they have to 
get me to go there and click it somehow? Am I understanding this?

-- 
Elliotte Rusty Harold  elharo at metalab.unc.edu
XML in a Nutshell 3rd Edition Just Published!
http://www.cafeconleche.org/books/xian3/
http://www.amazon.com/exec/obidos/ISBN=0596007647/cafeaulaitA/ref=nosim
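The scenario described above is exactly what an action-scoped nonce such as the one behind check_admin_referer() is meant to stop. The following is an added illustration in Python, not WordPress's own PHP code: the nonce is an HMAC over a time tick, the action name and the user id, so a form on another site cannot produce one, and a nonce minted for one action does not work for another. SECRET_KEY, NONCE_LIFE and the handle_delete_post() handler are constructed for the example.

```python
import hashlib
import hmac
import time

SECRET_KEY = b"constructed-secret-for-this-example"  # per-site secret in real use
NONCE_LIFE = 24 * 60 * 60  # seconds; valid in the current and previous half-window


def _tick(now):
    """Half-life ticks, so a nonce survives one rollover without living forever."""
    return int(now / (NONCE_LIFE / 2))


def _compute(tick, action, user_id):
    msg = f"{tick}|{action}|{user_id}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[:16]


def create_nonce(action, user_id, now=None):
    """Mint a nonce bound to this action and this logged-in user."""
    now = time.time() if now is None else now
    return _compute(_tick(now), action, user_id)


def verify_nonce(nonce, action, user_id, now=None):
    """Accept the nonce for the current tick or the one just before it."""
    now = time.time() if now is None else now
    t = _tick(now)
    return any(hmac.compare_digest(nonce, _compute(tick, action, user_id))
               for tick in (t, t - 1))


def handle_delete_post(request, session_user_id, now=None):
    """Simulated admin handler. The browser attaches the login cookie to any
    request, including one submitted by a form hosted elsewhere, so the
    handler must refuse unless the request also carries a valid nonce."""
    post_id = request.get("post")
    nonce = request.get("_wpnonce", "")
    if not verify_nonce(nonce, f"delete-post_{post_id}", session_user_id, now):
        return "403 nonce check failed"
    return f"deleted post {post_id}"
```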

