[wp-trac] Re: [WordPress Trac] #4236: get_theme_data() doesn't clean up html in theme data.
WordPress Trac
wp-trac at lists.automattic.com
Wed May 9 18:29:20 GMT 2007
#4236: get_theme_data() doesn't clean up html in theme data.
----------------------------+-----------------------------------------------
Reporter: codein | Owner: rob1n
Type: defect | Status: assigned
Priority: high | Milestone: 2.3
Component: Administration | Version: 2.1.3
Severity: normal | Resolution:
Keywords: needs-patch |
----------------------------+-----------------------------------------------
Comment (by Otto42):

I don't see it as a particularly big deal; however, it could be a way for
somebody to get further into your site, if they were able to somehow add
some malicious code to any installed theme's CSS file but not get into
anything else.

The only "big deal" is the fact that they could make some HTML that would
be active on your admin pages the moment you went to the Presentation tab,
by inserting it into the name field. The theme doesn't have to be
activated; the name is loaded and displayed there regardless.
--
Ticket URL: <http://trac.wordpress.org/ticket/4236#comment:5>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
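
The exposure described in the comment above, as an added example that is not part of the original message and is not WordPress's own code: the theme name read from a stylesheet header is untrusted text, so it is sanitized when parsed and escaped again when written into the admin page. The function names read_theme_name() and render_theme_row() and the sample stylesheet are hypothetical, constructed for illustration.

```php
<?php
// Added example; not WordPress code. Function names and the sample
// stylesheet below are hypothetical and constructed for illustration.

// Extract the "Theme Name" header from stylesheet text.
// The value is untrusted: anyone able to modify the CSS file controls it.
function read_theme_name(string $css): string {
    if (!preg_match('/^[ \t\/*#@]*Theme Name:(.*)$/mi', $css, $m)) {
        return '';
    }
    // Sanitize on input: drop markup and control characters, cap the length.
    $name = strip_tags($m[1]);
    $name = preg_replace('/[\x00-\x1F\x7F]/', '', $name);
    return substr(trim($name), 0, 100);
}

// Escape on output as well, so a value that bypassed sanitizing still
// cannot become active HTML. ENT_SUBSTITUTE replaces invalid UTF-8,
// including a multibyte character cut by substr() above.
function render_theme_row(string $name): string {
    $safe = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<tr><td class="theme-name">' . $safe . '</td></tr>';
}

// Constructed sample: a stylesheet whose name field carries markup.
$css = <<<CSS
/*
Theme Name: Blue Sky <script>alert(1)</script>
Author: example
*/
body { color: #333; }
CSS;

// Escaping alone: the raw header value is shown as inert text.
preg_match('/Theme Name:(.*)$/mi', $css, $m);
echo render_theme_row(trim($m[1])), "\n";

// Sanitized and escaped: the tags are removed before display.
echo render_theme_row(read_theme_name($css)), "\n";
```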