[wp-trac] Re: [WordPress Trac] #4720: Users without unfiltered_html capability can post arbitrary html
WordPress Trac
wp-trac at lists.automattic.com
Wed Aug 15 16:55:53 GMT 2007
#4720: Users without unfiltered_html capability can post arbitrary html
-----------------------+----------------------------------------------------
Reporter: xknown | Owner: anonymous
Type: defect | Status: reopened
Priority: high | Milestone: 2.2.3
Component: Security | Version: 2.2.2
Severity: major | Resolution:
Keywords: has-patch |
-----------------------+----------------------------------------------------
Comment (by Otto42):
Edit: AH HA! Okay, it only works when you use POST parameters. It will not
work with GET parameters. register_globals is not required.
The problem is this line in admin-functions.php:
$post_ID = wp_insert_post( $_POST );
That's unsafe: you're passing $_POST directly to wp_insert_post, which
then goes on to do an extract() on the variable, setting any local
function variables you like.
The $_POST should be filtered for valid parameters in some fashion before
passing it off to wp_insert_post().
--
Ticket URL: <http://trac.wordpress.org/ticket/4720#comment:12>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
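The pattern Otto42 describes, as an added illustration that is not code from the ticket, from WordPress, or from wp_insert_post() itself: a function that extract()s its caller-supplied array lets any extra POST key overwrite a local variable, while a whitelist of accepted fields closes that hole. The function names, the $skip_filter flag and the request array below are hypothetical stand-ins constructed for this example.

```php
<?php
// Added example, not WordPress code. Shows why extract() on an untrusted
// array is dangerous and how filtering the array to known keys fixes it.

// Stand-in for a function that trusts its array argument the way the
// comment says wp_insert_post() did: every key becomes a local variable.
function insert_post_vulnerable(array $postarr): string {
    $skip_filter = false;        // local flag the caller must never control
    extract($postarr);           // default EXTR_OVERWRITE clobbers $skip_filter
    if (! $skip_filter) {
        $post_content = strip_tags($post_content, '<b><i><a>');
    }
    return $post_content;
}

// Hardened variant: keep only the fields the function actually accepts,
// fill in defaults for the rest, and read them explicitly instead of
// extract()ing the whole array into local scope.
function insert_post_hardened(array $postarr): string {
    $allowed = ['post_title' => '', 'post_content' => ''];
    $fields  = array_intersect_key($postarr, $allowed) + $allowed;
    $skip_filter  = false;
    $post_content = $fields['post_content'];
    if (! $skip_filter) {
        $post_content = strip_tags($post_content, '<b><i><a>');
    }
    return $post_content;
}

// Constructed request body, shaped like the $_POST array a form submit
// would produce, with one extra parameter the attacker adds.
$request = [
    'post_title'   => 'hello',
    'post_content' => '<script>alert(1)</script><b>ok</b>',
    'skip_filter'  => '1',   // attacker-supplied key, not part of the form
];

echo "vulnerable: ", insert_post_vulnerable($request), "\n";
echo "hardened:   ", insert_post_hardened($request), "\n";
```

Run it with the PHP CLI; the vulnerable path returns the content with the script tag intact because the extra key flipped $skip_filter, and the hardened path strips it. Passing EXTR_SKIP to extract() would protect only variables that are already assigned before the extract() call, so it is a weaker fix than filtering the input array to the keys the function is supposed to accept, which is what the comment asks for.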