[wp-trac] [WordPress Trac] #19577: Comment 'Quick Edit' email field contains Javascript code

WordPress Trac wp-trac@lists.automattic.com
Fri Dec 16 13:57:56 UTC 2011


#19577: Comment 'Quick Edit' email field contains Javascript code
--------------------------+-----------------------------
 Reporter:  djpeanut      |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  UI            |    Version:  3.3
 Severity:  normal        |   Keywords:
--------------------------+-----------------------------
 This is for WP3.3.

 When I use the Edit Comments page in the back end and choose the 'quick
 edit' option for a given comment (any comment), the email field appears to
 contain the email address followed by a piece of JavaScript code:

 {{{
 email@domain.com/* <![CDATA[ */(function(){try{var
 s,a,i,j,r,c,l=document.getElementById("__cf_email__");a=l.className;if(a){s='';r=parseInt(a.substr(0,2),16);for(j=2;a.length-j;j+=2){c=parseInt(a.substr(j,2),16)^r;s+=String.fromCharCode(c);}s=document.createTextNode(s);l.parentNode.replaceChild(s,l);}}catch(e){}})();/*
 ]]> */
 }}}

 Saving the comment then strips this down so the original commenter's email
 address becomes

 {{{
 email@domain.comCDATAfunctiontryvarsaijrcldocument.getElementByIdcfemailal.classNameifasrparse
 }}}

 This doesn't happen with the full-blown 'Edit' dialog, just the Ajax
 'quick edit'.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/19577>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
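Added example, not part of the ticket and not WordPress or Cloudflare code. The id `__cf_email__` and the XOR-with-first-byte scheme in the leaked script are those of Cloudflare's email address obfuscation, which rewrites addresses in served HTML and attaches a small decoder; that decoder text reaching the Quick Edit field suggests the field is filled from rendered page content rather than from the stored address. The block below does two things: it rewrites the decoder readably (with an encoder, added only to construct test input), and it models how the polluted value collapses into the garbled address after saving. The save model is my reading of WordPress's sanitize_email() (local part keeps a fixed RFC character set, each dot-separated domain label keeps only [a-z0-9-]) followed by truncation to a 100-character comment_author_email column; both rules are assumptions to check against the source of the version you run. All function names are mine.

```javascript
"use strict";

// Part 1: the decoder from the leaked script, written out readably.
// The element with id "__cf_email__" carries a hex string in its class
// attribute: the first byte is an XOR key, every following byte XORed with
// that key is one character of the real address.
function decodeObfuscatedEmail(hex) {
  if (hex.length < 2 || hex.length % 2 !== 0) throw new Error("bad hex payload");
  const key = parseInt(hex.slice(0, 2), 16);
  let plain = "";
  for (let j = 2; j < hex.length; j += 2) {
    plain += String.fromCharCode(parseInt(hex.slice(j, j + 2), 16) ^ key);
  }
  return plain;
}

// The inverse, used only to construct test input (the ticket never shows an
// encoded class attribute). Assumed single-byte characters and a one-byte key.
function encodeObfuscatedEmail(email, key) {
  if (key < 0 || key > 255) throw new Error("key must be one byte");
  const hex = (n) => n.toString(16).padStart(2, "0");
  let out = hex(key);
  for (const ch of email) {
    const code = ch.charCodeAt(0);
    if (code > 255) throw new Error("single-byte characters only");
    out += hex(code ^ key);
  }
  return out;
}

// Part 2: a model of the save path. ASSUMPTION: WordPress filters the author
// e-mail through sanitize_email() (local part keeps the RFC set below, domain
// labels keep only [a-z0-9-], empty labels drop, fewer than two labels yields
// "") and the column is varchar(100). Verify against your wp-includes/formatting.php.
function modelSanitizeEmail(value, maxLen = 100) {
  const at = value.indexOf("@", 1);
  if (at === -1) return "";
  const local = value.slice(0, at).replace(/[^a-zA-Z0-9!#$%&'*+\/=?^_`{|}~.-]/g, "");
  let domain = value.slice(at + 1).replace(/\.{2,}/g, "");
  domain = domain.replace(/^[\s.]+|[\s.]+$/g, "");
  const labels = domain
    .split(".")
    .map((l) => l.replace(/^[\s-]+|[\s-]+$/g, "").replace(/[^a-z0-9-]+/gi, ""))
    .filter((l) => l !== "");
  if (labels.length < 2) return "";
  return (local + "@" + labels.join(".")).slice(0, maxLen);
}

// The field contents copied from the ticket, with the placeholder address
// written with a literal "@" and the reporter's line wraps kept as newlines.
const FIELD_VALUE =
  'email@domain.com/* <![CDATA[ */(function(){try{var\n' +
  's,a,i,j,r,c,l=document.getElementById("__cf_email__");a=l.className;' +
  "if(a){s='';r=parseInt(a.substr(0,2),16);for(j=2;a.length-j;j+=2)" +
  "{c=parseInt(a.substr(j,2),16)^r;s+=String.fromCharCode(c);}" +
  "s=document.createTextNode(s);l.parentNode.replaceChild(s,l);}}catch(e){}})();/*\n" +
  " ]]> */";

// The stored value the ticket reports after saving.
const REPORTED_AFTER_SAVE =
  "email@domain.comCDATAfunctiontryvarsaijrcldocument.getElementByIdcfemailal.classNameifasrparse";

// Runs the model over the ticket's value and relates it to what was reported.
function reproduceTicket() {
  const stored = modelSanitizeEmail(FIELD_VALUE);
  return {
    stored,
    reportedIsPrefix: stored.startsWith(REPORTED_AFTER_SAVE),
    extraChars: stored.length - REPORTED_AFTER_SAVE.length,
  };
}

const result = reproduceTicket();
console.log("decoder round trip:", decodeObfuscatedEmail(encodeObfuscatedEmail("alice@example.org", 0x5a)));
console.log("modelled stored value:", result.stored);
console.log("reported value is a prefix:", result.reportedIsPrefix, "| extra chars:", result.extraChars);
```

With the ticket's placeholder address the modelled value runs six characters past the reported one and stops exactly at 100 characters; the reported string itself ends mid-token ("parse" of "parseInt"), which is what a fixed-width column would produce if the reporter's real address was a few characters longer than the placeholder. The practical check for a fix is that the Quick Edit field is populated from the stored comment_author_email value, not from whatever the rendered cell contains.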
