[wp-trac] [WordPress Trac] #10751: kses filter fields when displaying
WordPress Trac
wp-trac at lists.automattic.com
Tue Sep 8 20:03:31 UTC 2009
#10751: kses filter fields when displaying
--------------------------+-------------------------------------------------
 Reporter:  ryan          |      Owner:  ryan
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  2.9
Component:  Security      |    Version:
 Severity:  normal        |   Keywords:
--------------------------+-------------------------------------------------
Currently, some DB fields are trusted when being displayed. Usually this
is fine since everything is run through kses upon save. However, some
recent attacks have manipulated DB values to cover their tracks, making DB
information untrustworthy. Where possible, we should run values through
kses not just upon save, but upon display as well. This would thwart the
recent example where the first_name field was modified to contain JS that
hid a bogus admin user.
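The pattern the ticket describes, as a stand-alone PHP illustration added here (not WordPress core code): a users row assumed to be clean because kses ran on save, rendered once trusting the field and once filtering it again at display time. The user row, the payload and the render helpers are constructed for this example; `wp_kses()` is the real WordPress function and is used when it is loaded, with a strip-and-escape fallback otherwise.

```php
<?php
// Added example, not WordPress core code: why a DB field must be run
// through kses (or an equivalent filter) when displayed, not only on save.

// Constructed sample: a users row whose first_name was altered directly in
// the database, so the kses pass that runs on save never saw this value.
$tampered_user = array(
    'user_login' => 'admin2',                                  // constructed
    'first_name' => 'Bob<script>/* constructed payload */</script>',
);

// The trusting pattern this ticket is about: the stored value is printed
// as-is because it was assumed to have been filtered on the way in.
function render_name_trusting(array $user) {
    return '<td>' . $user['first_name'] . '</td>';
}

// Display-time filtering. Under WordPress, wp_kses() applies an allow-list
// to the value at render time; an empty allow-list means no markup at all,
// which is the right policy for a plain-text field such as first_name.
// The fallback (assumed here so the file runs without WordPress) strips
// every tag and entity-escapes the remainder.
function render_name_filtered(array $user) {
    $allowed_html = array(); // no tags permitted in a first name
    if (function_exists('wp_kses')) {
        $clean = wp_kses($user['first_name'], $allowed_html);
    } else {
        $clean = htmlspecialchars(strip_tags($user['first_name']), ENT_QUOTES, 'UTF-8');
    }
    return '<td>' . $clean . '</td>';
}

// Side by side: the trusting render emits the script element unchanged;
// the filtered render emits only the text "Bob" inside the cell.
echo "trusting: " . render_name_trusting($tampered_user) . "\n";
echo "filtered: " . render_name_filtered($tampered_user) . "\n";
```

Running the file under the PHP CLI shows the trusting line carrying the `<script>` element into the page while the filtered line contains only the name, which is what applying the save-time filter again at display time buys when the database itself can no longer be trusted.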
--
Ticket URL: <http://core.trac.wordpress.org/ticket/10751>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software