[wp-trac] [WordPress Trac] #20812: Don't allow unfiltered HTML comments from a frame
WordPress Trac
wp-trac at lists.automattic.com
Fri Jun 1 20:30:50 UTC 2012
#20812: Don't allow unfiltered HTML comments from a frame
-------------------------+------------------------------
Reporter: nacin | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: 3.4
Component: Security | Version:
Severity: normal | Keywords: has-patch commit
-------------------------+------------------------------
As of #12293 we issue an X-Frame-Options header in the admin and on
wp-login.php. We avoided this for the frontend, as we need to balance
security and usability on this. Many sites are loaded in frames, often
without the knowledge or foresight of the administrator (think Stumbleupon
and other toolbars).
We have not classified the posting of a comment in itself as a vulnerability,
whether via CSRF or an email imposter. We guard against CSRF for
unfiltered HTML. We should also guard against frames.
The attached patch also prevents a comment with unfiltered HTML when the
form is loaded within a frame. It does this by using JavaScript to, under
the right circumstances, rename the input nonce to the ''correct'' name.
By enabling it when we are in the top frame, rather than disabling it when
we are not, we prevent issues relating to a browser's reflective XSS
filter being used to kill the JS. The JS ''has'' to run to make it work.
The patch also provides a basic enhancement for our kses comment filtering
by allowing the post filters (wp_filter_post_kses), rather than the
comment filters (wp_filter_kses), to be applied if the user has
unfiltered_html. Thus, if the nonce fails in wp-comments-post.php, and we
call kses_init_filters(), the Editor or Administrator will still be able
to use more HTML than usual. This alleviates issues when the user is not
executing JavaScript. (In 3.5, I would like to provide for post filtering
for comments by any Author or above, but this is a start.)
--
Ticket URL: <http://core.trac.wordpress.org/ticket/20812>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software