[wp-trac] Re: [WordPress Trac] #4275: PHP Exec Widgets repeat in WP 2.2 widget implementation
WordPress Trac
wp-trac at lists.automattic.com
Thu May 17 16:59:53 GMT 2007
#4275: PHP Exec Widgets repeat in WP 2.2 widget implementation
---------------------------------+------------------------------------------
Reporter: technosailor | Owner: anonymous
Type: defect | Status: closed
Priority: high | Milestone: 2.2.1
Component: Administration | Version: 2.2
Severity: normal | Resolution: fixed
Keywords: widgets needs-patch |
---------------------------------+------------------------------------------
Comment (by Otto42):
I was unaware of who had access to alter widgets, so I didn't know if it
was a security issue or not. Obviously the admin can change/execute
anything they want.
If you rename it to "code widget" or whatever, then would you always want
it to execute php code as well? Because that's really, really easy.
Just change this:
{{{
<div class="textwidget"><?php echo $text; ?></div>
}}}
to this:
{{{
<div class="textwidget"><?php eval('?>'.$text); ?></div>
}}}
Done and done. Okay, you change all the names and such to make it "code
widget" as well, but this is the only change of substance. It's what makes
all the text get run as PHP.
--
Ticket URL: <http://trac.wordpress.org/ticket/4275#comment:18>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
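Added example (not part of the ticket, and not WordPress core code): a stand-alone PHP script that renders the same constructed widget text both ways, the 2.2 text widget's plain `echo` and the `eval('?>'.$text)` one-liner from the comment above. The function names and the sample `$text` are assumptions for the demonstration; the point it shows is that the leading `?>` closes PHP mode so the stored string is treated like a template, which means any `<?php ... ?>` block inside it runs with the web server's privileges, and so whoever can save widget settings can execute arbitrary PHP.

```php
<?php
// Constructed sample widget text, of the kind an administrator would
// type into the widget's textarea. It mixes literal HTML with two
// embedded PHP blocks.
$text = "<p>Visitors: <?php echo 40 + 2; ?></p>\n"
      . "<?php echo strtoupper('hello'); ?>";

// Text widget, as in WP 2.2: the string is output verbatim. PHP never
// parses it, so the "<?php" tags reach the page source as literal text
// (and a browser will treat them as an unknown tag and hide them).
function render_text_widget($text)
{
    return '<div class="textwidget">' . $text . '</div>';
}

// "Code widget", the change proposed in the comment: eval('?>' . $text).
// The '?>' prefix leaves PHP mode, so eval() behaves like including a
// template file: literal parts are echoed, each <?php ... ?> block is
// executed. There is no sandbox; the code runs as the web server user,
// so the widget setting becomes a code-execution surface for anyone
// who can write it (ordinarily only administrators, as the comment notes).
function render_code_widget($text)
{
    ob_start();
    echo '<div class="textwidget">';
    eval('?>' . $text);
    echo '</div>';
    return ob_get_clean();
}

echo "text widget:\n", render_text_widget($text), "\n\n";
echo "code widget:\n", render_code_widget($text), "\n";
```

Run it with `php widget_demo.php`. The first rendering still contains the `<?php` tags as text; the second contains only their output, which is exactly the behaviour the comment describes as "what makes all the text get run as PHP". Note also that PHP swallows a single newline directly after a closing `?>`, so the line break between the two blocks in `$text` disappears from the code-widget output, a small sign that the string really is being lexed as PHP source rather than copied.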