[wp-trac] Re: [WordPress Trac] #4344: Posting comments from external websites
WordPress Trac
wp-trac at lists.automattic.com
Sun May 27 11:32:52 GMT 2007
#4344: Posting comments from external websites
-----------------------+----------------------------------------------------
Reporter:  PsychoGun   | Owner:      anonymous
Type:      defect      | Status:     closed
Priority:  high        | Milestone:
Component: Security    | Version:
Severity:  normal      | Resolution: invalid
Keywords:              |
-----------------------+----------------------------------------------------
Changes (by westi):
* status: reopened => closed
* resolution: => invalid
Comment:
This is protected by a nonce check for any user with unfiltered html:
default-filters.php - Adds a nonce to the comment form:
http://trac.wordpress.org/browser/tags/2.2/wp-includes/default-filters.php#L34
comment-template.php - nonce is added using this code:
http://trac.wordpress.org/browser/trunk/wp-includes/comment-template.php#L274
wp-comments-post.php - and nonce is checked here:
http://trac.wordpress.org/browser/tags/2.2/wp-comments-post.php#L38
This means that any comment post by the admin - or any other user with the
unfiltered html capability - must have a valid nonce, or the comment is
filtered as it would be for any other user using kses.
Therefore this report is invalid.
--
Ticket URL: <http://trac.wordpress.org/ticket/4344#comment:6>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
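The mechanism westi describes above (a nonce bound to the post and the user, emitted into the comment form and checked on submission, with a fall-back to kses filtering when it is absent or wrong) is modelled below in Python. This is an added illustration written for this page, not WordPress code: it assumes an HMAC-based nonce keyed on (action, user id, time tick), a 24-hour nonce lifetime split into two ticks as WordPress does, a constructed secret key, and a simplified kses stand-in that drops every tag not on a small allow-list. The function and field names (`handle_comment_submission`, `_wp_unfiltered_html_comment`) are chosen to mirror the ticket's description, not to reproduce the project's API.

```python
"""Model of the unfiltered_html nonce check described in the ticket comment.
Added illustration, not WordPress code. Assumptions: an HMAC nonce keyed on
(action, user id, time tick), a 24-hour lifetime split into two ticks, and a
simplified kses stand-in that drops every tag not on a small allow-list.
"""
import hashlib
import hmac
import math
import re
from dataclasses import dataclass, field

# Constructed server-side secret; WordPress derives its own from the site salts.
SECRET_KEY = b"constructed-secret-for-illustration-only"
NONCE_LIFE = 24 * 60 * 60  # seconds; a nonce is accepted for roughly this long

# Constructed stand-in for the kses allow-list applied to ordinary commenters.
ALLOWED_TAGS = {"a", "b", "em", "strong", "blockquote", "code"}


@dataclass
class User:
    user_id: int
    capabilities: set = field(default_factory=set)

    def can(self, capability: str) -> bool:
        return capability in self.capabilities


def nonce_tick(now: float) -> int:
    """Time bucket: two ticks per lifetime, so a nonce survives one rollover."""
    return math.ceil(now / (NONCE_LIFE / 2))


def create_nonce(action: str, user: User, now: float) -> str:
    """Bind the token to the action (which names the post), the user and the tick."""
    msg = f"{nonce_tick(now)}|{action}|{user.user_id}".encode()
    digest = hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()
    return digest[-12:-2]  # 10 hex chars, mirroring WordPress's truncation


def verify_nonce(nonce: str, action: str, user: User, now: float) -> int:
    """Return 1 if minted in the current tick, 2 if in the previous one, else 0."""
    if not nonce:
        return 0
    for age, tick_time in ((1, now), (2, now - NONCE_LIFE / 2)):
        expected = create_nonce(action, user, tick_time)
        if hmac.compare_digest(expected, nonce):
            return age
    return 0


def kses_filter(html: str) -> str:
    """Stand-in for wp_filter_kses: drop any tag whose name is not allow-listed."""
    def keep_or_drop(match):
        name = match.group(1).lower()
        return match.group(0) if name in ALLOWED_TAGS else ""
    return re.sub(r"</?([a-zA-Z0-9]+)[^>]*>", keep_or_drop, html)


def handle_comment_submission(user: User, post_id: int, fields: dict, now: float):
    """Decide whether submitted comment content is stored raw or filtered.

    Returns (content, filtered). Only a user holding unfiltered_html AND
    presenting a nonce that matches this post gets raw HTML through. Everyone
    else, including a privileged user whose submission lacks the nonce (the
    cross-site posting case the ticket raised), is filtered like an anonymous
    commenter.
    """
    content = fields.get("comment", "")
    action = f"unfiltered-html-comment_{post_id}"
    nonce = fields.get("_wp_unfiltered_html_comment", "")
    if user.can("unfiltered_html") and verify_nonce(nonce, action, user, now):
        return content, False
    return kses_filter(content), True


if __name__ == "__main__":
    admin = User(1, {"unfiltered_html"})
    now = 1_000_000.0
    token = create_nonce("unfiltered-html-comment_7", admin, now)
    print(handle_comment_submission(admin, 7, {"comment": "<b>x</b>", "_wp_unfiltered_html_comment": token}, now))
    print(handle_comment_submission(admin, 7, {"comment": "<script>x</script>"}, now))
```

The point worth noticing is that the nonce is tied to the post id and the user id, so a token lifted from one post's form does not unlock raw HTML on another post or for another account, and a privileged user who submits without it is simply treated as unprivileged rather than rejected outright.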