[wp-trac] [WordPress Trac] #24301: Unescaped user input in image preview
WordPress Trac
noreply at wordpress.org
Fri May 10 13:06:31 UTC 2013
#24301: Unescaped user input in image preview
--------------------------+--------------------
Reporter: tollmanz | Owner:
Type: defect (bug) | Status: new
Priority: high | Milestone: 3.6
Component: Post Formats | Version: trunk
Severity: major | Resolution:
Keywords: |
--------------------------+--------------------
Comment (by kovshenin):
Note that this breaks only for users with `unfiltered_html` caps; otherwise
it becomes `<img />` after running through `wp_filter_post_kses`. We
generally know what to expect in these meta fields, so does it make sense
to run kses even if the current user has unfiltered html caps, for whom we
may extend it to allow iframe, object, script, etc.?
--
Ticket URL: <http://core.trac.wordpress.org/ticket/24301#comment:4>
WordPress Trac <http://core.trac.wordpress.org/>
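As an added illustration of the approach raised in the comment above (not code from the ticket or from WordPress core): a fixed kses allowlist applied to the image meta value for every user, regardless of the `unfiltered_html` capability, plus `esc_url()` at output time so the preview never echoes the raw value. The function names, the `_format_image` meta key and the single-`<img>`-or-bare-URL shape of the field are assumptions.

```php
<?php
// Added example, not from the ticket or WordPress core. Assumes the image
// meta value is either a single <img> tag or a bare URL, as the ticket implies.

// Allowlist applied to the image meta field for every user, including those
// with the unfiltered_html capability: only a plain <img> with these
// attributes survives; iframe, object, script, event handlers, etc. are dropped.
function example_format_image_allowed_html() {
    return array(
        'img' => array(
            'src'    => true,
            'alt'    => true,
            'width'  => true,
            'height' => true,
            'class'  => true,
        ),
    );
}

// Sanitize on save with wp_kses() and the fixed allowlist. Deliberately no
// branch on current_user_can( 'unfiltered_html' ): the field's expected
// content is known, so the capability does not widen what is accepted.
function example_sanitize_format_image( $value ) {
    return trim( wp_kses( (string) $value, example_format_image_allowed_html() ) );
}

// Build the preview markup from a stored (or just-posted) value. The src is
// re-escaped at output, so the preview is safe even if the save path was
// bypassed; esc_url() also returns '' for disallowed schemes such as javascript:.
function example_format_image_preview_html( $value ) {
    if ( preg_match( '/<img[^>]*\bsrc\s*=\s*([\'"])(.*?)\1/i', $value, $m ) ) {
        $src = $m[2];          // value came in as an <img> tag
    } else {
        $src = $value;         // value came in as a bare URL
    }
    $src = esc_url( trim( $src ) );
    if ( '' === $src ) {
        return '';
    }
    return '<img src="' . $src . '" alt="" />';
}

// Hook the sanitizer to the meta key the preview reads from. The filter name
// follows the sanitize_{type}_meta_{key} pattern used by sanitize_meta(); the
// key itself is an assumption for this example.
add_filter( 'sanitize_post_meta__format_image', 'example_sanitize_format_image' );
```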