[wp-trac] Re: [WordPress Trac] #4720: Users without unfiltered_html capability can post arbitrary html
WordPress Trac
wp-trac at lists.automattic.com
Wed Aug 15 16:47:20 GMT 2007
#4720: Users without unfiltered_html capability can post arbitrary html
-----------------------+----------------------------------------------------
 Reporter:  xknown     |       Owner:  anonymous
     Type:  defect     |      Status:  reopened
 Priority:  high       |   Milestone:  2.2.3
Component:  Security   |     Version:  2.2.2
 Severity:  major      |  Resolution:
 Keywords:  has-patch  |
-----------------------+----------------------------------------------------
Comment (by Otto42):

Okay, I see the $no_filter in wp-includes/post.php, however I still fail
to see how this would be expected to work. Nothing sets $no_filter
anywhere. You might be able to set it if you had register_globals on
(which no sane host has), however wp_unregister_GLOBALS() should unset
$no_filter even in that case, when wp-settings.php gets included.

I see no possible way that this can actually work, even with 2.2.2. What
am I missing here?

--
Ticket URL: <http://trac.wordpress.org/ticket/4720#comment:10>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software