[wp-trac] [WordPress Trac] #3396: Plugin version, etc. not sanitized like description is
WordPress Trac
wp-trac at lists.automattic.com
Tue Nov 28 00:21:52 GMT 2006
#3396: Plugin version, etc. not sanitized like description is
----------------------------+-----------------------------------------------
Reporter: Viper007Bond | Owner: anonymous
Type: defect | Status: new
Priority: lowest | Milestone: 2.1
Component: Administration | Version: 2.1
Severity: minor | Keywords:
----------------------------+-----------------------------------------------
We sanitize plugin descriptions with kses, so why not the version and
such?
Try this in a plugin for example:
{{{
Version: 1.0 <script type="text/javascript">alert('I haxz0red your PC!');</script>
}}}
Now of course plugin authors could just put bad JS into the plugin itself,
so this isn't really a security ticket, more a "let's-do-the-same-thing-
to-all-fields" ticket (either sanitize them all or none).
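As an added illustration (not WordPress code and not part of the ticket), the snippet below parses the same kind of plugin header block and applies one escaping rule to every extracted field on output, so that Version is treated no differently from Description. The `$pluginSource` string and the field list are constructed for the example; the header-line regex follows the "Field: value" comment convention the ticket refers to.

```php
<?php
// Added example, not WordPress's own implementation.
// Constructed plugin source containing the payload from the ticket.
$pluginSource = <<<'SRC'
<?php
/*
Plugin Name: Demo Plugin
Description: A <b>harmless</b> description
Version: 1.0 <script type="text/javascript">alert('I haxz0red your PC!');</script>
Author: Someone
*/
SRC;

// Extract "Field: value" lines from the leading comment block.
// The field names are the usual plugin header keys (assumed here).
function parse_plugin_header(string $source): array {
    $fields = ['Plugin Name', 'Description', 'Version', 'Author'];
    $data = [];
    foreach ($fields as $field) {
        $pattern = '/^[ \t\/*#@]*' . preg_quote($field, '/') . ':(.*)$/mi';
        if (preg_match($pattern, $source, $m)) {
            $data[$field] = trim($m[1]);
        }
    }
    return $data;
}

// One escaping rule for every field on the way out: HTML-escape them all,
// rather than sanitizing only Description.
function escape_all_fields(array $data): array {
    return array_map(
        fn($v) => htmlspecialchars($v, ENT_QUOTES, 'UTF-8'),
        $data
    );
}

$raw = parse_plugin_header($pluginSource);

// Inconsistent output: Version is emitted as raw markup.
$unsafeRow = "<td>{$raw['Version']}</td>";

// Consistent output: every field, Version included, is escaped.
$safe    = escape_all_fields($raw);
$safeRow = "<td>{$safe['Version']}</td>";

echo $unsafeRow, "\n", $safeRow, "\n";
```

Run it with `php example.php`; the second line shows the `<script>` tag rendered as literal text instead of markup.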
--
Ticket URL: <http://trac.wordpress.org/ticket/3396>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software