[wp-hackers] Security at Wordpress
Elliotte Harold
elharo at metalab.unc.edu
Mon Apr 24 13:16:58 GMT 2006
Andy Skelton wrote:
> Still, if you removed the ability to do everything via GET, how am I
> going to approve comments from my email with a single click, assuming
> I don't allow HTML in my emails? I think that's the actual bar. It may
> be unreasonable from a pure security standpoint but the convenience is
> more routinely visible than the security.
Comments shouldn't be approved via GET, especially given the active and
growing attacks by comment spammers. Even without those leeches to worry
about, some mail clients including GMail will automatically approve all
such comments. See
http://cafe.elharo.com/web/rest-mistake-1-confirming-gets/
--
Elliotte Rusty Harold elharo at metalab.unc.edu
XML in a Nutshell 3rd Edition Just Published!
http://www.cafeconleche.org/books/xian3/
http://www.amazon.com/exec/obidos/ISBN=0596007647/cafeaulaitA/ref=nosim
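The failure mode described above, as an added example that is not part of the original message or of WordPress: a constructed approval endpoint that changes state on a bare GET, beside one that requires a POST carrying a per-user, per-action nonce, run against a simulated mail client that prefetches every link in a message. The comment ids, secret and `admin` user are made up for the demonstration.

```python
import hmac
import hashlib

# Constructed in-memory comment store standing in for the site database.
_comments = {}

def reset_store():
    _comments.clear()
    _comments[17] = {"status": "pending"}

def comment_status(comment_id):
    return _comments[comment_id]["status"]

def approve_via_get(method, params, user="admin"):
    """Unsafe: any request with ?action=approve&comment=17 approves the
    comment, so a link followed by a mail client's prefetcher does it too."""
    if params.get("action") == "approve":
        _comments[int(params["comment"])]["status"] = "approved"
        return 200
    return 404

# Constructed server-side secret for minting nonces.
_SECRET = b"constructed-server-secret"

def make_nonce(user, action, comment_id):
    """Nonce bound to the logged-in user, the action and the target."""
    msg = f"{user}:{action}:{comment_id}".encode()
    return hmac.new(_SECRET, msg, hashlib.sha256).hexdigest()

def approve_hardened(method, params, user="admin"):
    """Safe: state changes only on POST and only with a valid nonce, so a
    URL alone (in a mail, a link, or an <img> tag) cannot approve anything."""
    if method != "POST":
        return 405
    if params.get("action") != "approve":
        return 404
    expected = make_nonce(user, "approve", params.get("comment", ""))
    if not hmac.compare_digest(expected, params.get("nonce", "")):
        return 403
    _comments[int(params["comment"])]["status"] = "approved"
    return 200

def simulate_mail_client_prefetch(handler):
    """Model a mail client that follows every link in a message with GET."""
    link_params = {"action": "approve", "comment": "17"}
    return handler("GET", link_params)
```

The one-click convenience can be kept by having the emailed link open a confirmation page whose button submits the POST with the nonce, so the GET itself stays side-effect free.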