[wp-trac] Re: [WordPress Trac] #4236: get_theme_data() doesn't clean up html in theme data.
WordPress Trac
wp-trac at lists.automattic.com
Tue May 8 15:51:53 GMT 2007
#4236: get_theme_data() doesn't clean up html in theme data.
----------------------------+-----------------------------------------------
Reporter: codein | Owner: rob1n
Type: defect | Status: assigned
Priority: high | Milestone: 2.2
Component: Administration | Version: 2.1.3
Severity: normal | Resolution:
Keywords: needs-patch |
----------------------------+-----------------------------------------------
Changes (by rob1n):
* keywords: needs-patch, => needs-patch
* owner: anonymous => rob1n
* status: new => assigned
Comment:
Better yet, KSES. I know for a fact many people use HTML in their
Description to style it up in the admin, so it may not be a complete
solution to just strip the tags or turn them into HTML entities.
Also, how "big" of an XSS risk is this, really? If you've installed a
theme with this in the theme data fields, you already trust the theme
owner by running the PHP code (much more dangerous, really -- passwords,
etc. can be sent out) on your server without any limits.
I'm +1 for fixing it, but I'm not so sure about the high priority of this.
Also, while we're at it, we could also filter it in get_plugin_data().
--
Ticket URL: <http://trac.wordpress.org/ticket/4236#comment:3>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
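Since the comment weighs stripping tags, entity-escaping and KSES against each other, here is an added example (not code from the ticket or from WordPress core) that runs all three over a constructed style.css header. It assumes WordPress is loaded from a hypothetical wp-config.php path so that wp_kses() exists, and its header parser only approximates what get_theme_data() does.

```php
<?php
// Added example for this ticket; not WordPress core code. Assumes it runs with
// WordPress loaded (the require below is a hypothetical path to your install),
// so wp_kses() is available. The header parsing only mirrors what
// get_theme_data() does with style.css; it is not the real function.
require_once dirname(__FILE__) . '/wp-config.php';

// Constructed style.css header with markup in the fields, as the ticket describes.
$style_css = "/*
Theme Name: Example Theme
Description: A <em>clean</em> theme by <a href=\"http://example.com/\" onmouseover=\"run()\">Example</a>.
Author: <a href=\"javascript:run()\">Someone</a>
*/";

// Pull the header fields out of the comment block, roughly like get_theme_data().
function example_parse_theme_header($css) {
    $fields = array('Theme Name', 'Description', 'Author');
    $data   = array();
    foreach ($fields as $field) {
        if (preg_match('/^[ \t\/*#]*' . preg_quote($field, '/') . ':(.*)$/mi', $css, $m)) {
            $data[$field] = trim($m[1]);
        }
    }
    return $data;
}

// KSES allowlist: the inline styling people put in Description survives,
// event-handler attributes and non-http(s) URL schemes do not.
$allowed_html = array(
    'a'      => array('href' => array(), 'title' => array()),
    'em'     => array(),
    'strong' => array(),
);

$data = example_parse_theme_header($style_css);
foreach (array('Description', 'Author') as $field) {
    $raw = $data[$field];
    echo "$field\n";
    // Option 1: strip all tags. Safe, but the <em>/<a> styling is gone.
    echo "  strip_tags:       " . strip_tags($raw) . "\n";
    // Option 2: escape to entities. Safe, but the tags show up literally in the admin.
    echo "  htmlspecialchars: " . htmlspecialchars($raw, ENT_QUOTES) . "\n";
    // Option 3: KSES. Allowed tags and attributes stay; onmouseover is dropped and
    // the javascript: href is not an allowed protocol, so it is removed.
    echo "  wp_kses:          " . wp_kses($raw, $allowed_html) . "\n";
}
```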