[wp-trac] [WordPress Trac] #14758: Do not run kses on display filters for front page views
WordPress Trac
wp-trac at lists.automattic.com
Thu Sep 2 22:20:40 UTC 2010
#14758: Do not run kses on display filters for front page views
-------------------------+--------------------------------------------------
Reporter: ryan | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: 3.1
Component: Performance | Version:
Severity: normal | Keywords:
-------------------------+--------------------------------------------------
Comment(by Denis-de-Bernardy):
Replying to [comment:5 nacin]:
> I believe we are still properly escaping in attributes and such.
Try manually updating a category in your database and setting its
description to:
{{{
XSS<script>alert('Evil script that exploits an IE security hole');</script>
}}}
And then visit that category on your site's front page. Assuming it gets
displayed on your theme, I would assume [15559] allows the alert to show.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/14758#comment:6>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
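The comment above argues that once kses is dropped from the display filters, a category description stored with markup reaches the theme unchanged, so the safety of the page depends entirely on what happens at output time. The following is an added example, not code from the ticket or from WordPress core: it reuses the ticket's constructed description and shows the two defensive positions a theme or core can take, escaping the value as text on output (with PHP's own htmlspecialchars) or reducing it to a small tag allowlist before output (a deliberately simplified stand-in for wp_kses, built on strip_tags plus an attribute-stripping pass). The function names render_description_text, sanitize_description and contains_script_tag are assumptions for this example.

```php
<?php
// Added example (not WordPress core code). Demonstrates why removing kses from
// the display filters is only safe if the stored value is escaped or sanitized
// before it is echoed into the page.
declare(strict_types=1);

/**
 * Escape a description for insertion as HTML text content (also suitable for
 * a double-quoted attribute value). ENT_QUOTES neutralizes <, >, &, " and '.
 */
function render_description_text(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Minimal allowlist sanitizer in the spirit of kses (simplified stand-in,
 * not wp_kses): keeps <em> and <strong>, drops every other tag including
 * <script>. strip_tags() leaves attributes on the tags it keeps, so a second
 * pass removes attributes from the surviving tags (regex assumed sufficient
 * for the allowlisted tags in this example). Like kses, the text between
 * stripped tags is preserved, so the script body survives as plain text.
 */
function sanitize_description(string $raw): string
{
    $kept = strip_tags($raw, '<em><strong>');
    return preg_replace('/<(em|strong)\b[^>]*>/i', '<$1>', $kept) ?? '';
}

/**
 * Detection helper: true when the rendered fragment still contains a script
 * opening tag, i.e. the output path failed to neutralize the stored markup.
 */
function contains_script_tag(string $html): bool
{
    return (bool) preg_match('/<\s*script\b/i', $html);
}

// Constructed sample: the ticket's payload plus an inline handler on an
// otherwise allowed tag, as it would sit in the database after a manual edit.
$stored = "XSS<script>alert('Evil script that exploits an IE security hole');"
        . "</script> <em onclick=\"x()\">ok</em>";

// 1. Display filter runs nothing (the situation the comment warns about):
$raw = $stored;
// 2. Output escaped as text: safe, but markup is rendered literally.
$escaped = render_description_text($stored);
// 3. Output reduced to the allowlist: safe, keeps harmless formatting.
$sanitized = sanitize_description($stored);

foreach (['raw' => $raw, 'escaped' => $escaped, 'sanitized' => $sanitized] as $label => $html) {
    printf(
        "%-9s script tag present: %-3s | %s\n",
        $label,
        contains_script_tag($html) ? 'yes' : 'no',
        $html
    );
}
```

Run with `php example.php`; only the unfiltered path reports a surviving script tag. The escaped and sanitized paths differ in intent rather than safety: escaping is the right choice when the value is meant to be plain text (attribute values, titles), while an allowlist sanitizer is what kses provides for fields that legitimately carry limited markup, which is why dropping it at display time has to be paired with sanitization on save.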