[wp-trac] [WordPress Trac] #24301: Unescaped user input in image preview
WordPress Trac
noreply at wordpress.org
Thu May 9 23:45:53 UTC 2013
#24301: Unescaped user input in image preview
--------------------------+-----------------------------
Reporter: tollmanz | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Post Formats | Version:
Severity: major | Keywords:
--------------------------+-----------------------------
On line 36 of `wp-admin/includes/post-formats.php` as of r24227, user-inputted
data is printed to the screen without being escaped. The data is the fourth
fallback for the image data.
To recreate the issue:
1. Go to Posts > Add New.
2. Click the Image post format icon.
3. Click "use an image URL or HTML".
4. Enter `<img src="http://placehold.it/200x200 />`, being sure to omit
the last `"`.
5. Enter a title.
6. Save the post.
7. Things are messed up.
The problem is that on line 36 of `wp-admin/includes/post-formats.php` a
value is printed directly to the screen without being escaped. I am not
sure how this should be fixed as not all mangled HTML can be repaired;
however, I do not think that unescaped user input should be printed to the
screen like this. My example is annoying, but harmless. This seems like
something that is exploitable.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/24301>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
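Added example, not WordPress core code: a plain-PHP sketch of the image-preview fallback the ticket describes, with the unescaped echo beside a hardened version. htmlspecialchars() stands in for WordPress's esc_attr()/esc_html(), the URL check for esc_url(), and the sample input is the reporter's string from step 4.

```php
<?php
// Constructed sample input, copied from the ticket's step 4: the closing quote is missing.
const SAMPLE_INPUT = '<img src="http://placehold.it/200x200 />';

// Vulnerable pattern: the fourth fallback is the raw user string, echoed as-is.
// Unbalanced quotes or tags leak straight into the admin page's markup.
function preview_unescaped(string $user_html): string {
    return '<div class="image-preview">' . $user_html . '</div>';
}

// Hardened pattern: never echo user-supplied markup. Extract a single image URL,
// validate it, and rebuild the tag ourselves; otherwise show the input as text.
function preview_escaped(string $user_html): string {
    $src = null;
    if (preg_match('/<img\b[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)/i', $user_html, $m)) {
        $src = $m[1];                       // src pulled out of a (possibly broken) <img> tag
    } elseif (preg_match('#^https?://\S+$#i', trim($user_html))) {
        $src = trim($user_html);            // a bare URL was pasted
    }
    // Accept only syntactically valid http(s) URLs (esc_url() plays this role in WordPress).
    if ($src !== null && filter_var($src, FILTER_VALIDATE_URL) && preg_match('#^https?://#i', $src)) {
        // Attribute context: escape quotes and angle brackets (esc_attr() equivalent).
        return '<div class="image-preview"><img src="'
            . htmlspecialchars($src, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '" alt="" /></div>';
    }
    // Text context: the broken markup becomes visible text, not HTML (esc_html() equivalent).
    return '<div class="image-preview"><p>Could not read an image from: '
        . htmlspecialchars($user_html, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p></div>';
}

echo preview_unescaped(SAMPLE_INPUT), PHP_EOL;  // broken markup leaks into the page
echo preview_escaped(SAMPLE_INPUT), PHP_EOL;    // a freshly built, properly quoted <img> tag
```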