[wp-trac] [WordPress Trac] #24301: Unescaped user input in image preview
WordPress Trac
noreply at wordpress.org
Fri May 10 15:00:31 UTC 2013
#24301: Unescaped user input in image preview
--------------------------+--------------------
Reporter: tollmanz | Owner:
Type: defect (bug) | Status: new
Priority: high | Milestone: 3.6
Component: Post Formats | Version: trunk
Severity: major | Resolution:
Keywords: |
--------------------------+--------------------
Comment (by tollmanz):
@kovshenin Your point is well taken; however, the problem that I see is
that if a user mistakenly messes up the HTML, the display is broken:
[[Image(http://f.cl.ly/items/2w1Y1G322u1Y0I2i1d2a/broken-display.png)]]
Because the HTML is broken, I cannot fix the issue without manually
correcting the HTML in Web Inspector/Firebug. In similar situations when
unfiltered HTML is allowed, the admin display does not have the potential
to break because the HTML is not rendered back to the screen (e.g., the
WordPress editor, text widgets).
As an example, if I enter `<img src="http://placehold.it/200x200 />` into
the text tab of the WP editor and save the post, I get `<img
src="http://placehold.it/200x200 />` back, the same content that I
entered. Interestingly, if I enter that content into the text tab, switch
to the visual tab, then switch back, the content changes to `<img alt=""
src=""http://placehold.it/200x200" />`. It seems it tries to fix the
broken content. Perhaps it is reasonable to use this same escaping
strategy?
Even though we might be able to trust users with these permissions more, I
still think it is quite important to escape this user output in some way.
If the escaping breaks the inputted HTML, yet saves the page display, this
is probably a good thing as it will fix serious issues for the user with
the frontend display of the content. Not to mention, there is likely a way
to abuse this maliciously.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/24301#comment:5>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
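An added example (plain PHP, not WordPress's own code) of the preview pattern discussed in this comment: the stored image markup echoed back unescaped, beside a hardened version that re-emits only a validated `src` from a trusted template and otherwise shows the value as escaped text. The function names, the preview wrapper markup and the description line are assumptions.

```php
<?php
// Added example, not WordPress's own code: the image-preview pattern from
// the ticket, vulnerable and hardened. $stored is the constructed sample
// from the comment above (attribute quote never closed).
$stored = '<img src="http://placehold.it/200x200 />';

// Vulnerable: the stored markup is echoed unescaped, so the browser parses
// it again and the unclosed quote swallows the rest of the admin page.
function preview_unescaped(string $value): string
{
    return '<div class="image-preview">' . $value . '</div>'
         . '<p class="description">Paste the image HTML above.</p>';
}

// Hardened: never echo user markup. Keep only a validated src and re-emit
// an <img> from a trusted template with attribute escaping (WordPress's
// esc_attr()/esc_html() do this; plain PHP here so the file runs alone).
// Anything else is shown as escaped text the user can read and correct.
function preview_hardened(string $value): string
{
    $src = extract_image_src($value);
    $body = $src !== null
        ? '<img src="' . htmlspecialchars($src, ENT_QUOTES, 'UTF-8') . '" alt="">'
        : '<code>' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '</code>';
    return '<div class="image-preview">' . $body . '</div>'
         . '<p class="description">Paste the image HTML above.</p>';
}

// src of the first <img> if it is a well-formed http(s) URL, else null.
// libxml tolerates broken markup, so the URL check (no spaces, http/https
// scheme) is what rejects the malformed sample above.
function extract_image_src(string $html): ?string
{
    if (trim($html) === '') { return null; }
    libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    libxml_clear_errors();
    $img = $doc->getElementsByTagName('img')->item(0);
    if ($img === null) { return null; }
    $src = $img->getAttribute('src');
    $scheme = strtolower((string) parse_url($src, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)
        || filter_var($src, FILTER_VALIDATE_URL) === false) { return null; }
    return $src;
}

echo preview_unescaped($stored), PHP_EOL;
echo preview_hardened($stored), PHP_EOL;
```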