[wp-trac] [WordPress Trac] #24301: Unescaped user input in image preview

WordPress Trac noreply at wordpress.org
Fri May 10 15:00:31 UTC 2013


#24301: Unescaped user input in image preview
--------------------------+--------------------
 Reporter:  tollmanz      |       Owner:
     Type:  defect (bug)  |      Status:  new
 Priority:  high          |   Milestone:  3.6
Component:  Post Formats  |     Version:  trunk
 Severity:  major         |  Resolution:
 Keywords:                |
--------------------------+--------------------

Comment (by tollmanz):

 @kovshenin Your point is well taken; however, the problem that I see is
 that if a user mistakenly messes up the HTML, the display is broken:

 [[Image(http://f.cl.ly/items/2w1Y1G322u1Y0I2i1d2a/broken-display.png)]]

 Because the HTML is broken, I cannot fix the issue without manually
 correcting the HTML in Web Inspector/Firebug. In similar situations when
 unfiltered HTML is allowed, the admin display does not have the potential
 to break because the HTML is not rendered back to the screen (e.g., the
 WordPress editor, text widgets).

 As an example, if I enter `<img src="http://placehold.it/200x200 />` into
 the text tab of the WP editor and save the post, I get `<img
 src="http://placehold.it/200x200 />` back, the same content that I
 entered. Interestingly, if I enter that content into the text tab, switch
 to the visual tab, then switch back, the content changes to `<img alt=""
 src=""http://placehold.it/200x200" />`. It seems it tries to fix the
 broken content. Perhaps it is reasonable to use this same escaping
 strategy?

 Even though we might be able to trust users with these permissions more, I
 still think it is quite important to escape this user output in some way.
 If the escaping breaks the inputted HTML, yet saves the page display, this
 is probably a good thing as it will fix serious issues for the user with
 the frontend display of the content. Not to mention, there is likely a way
 to abuse this maliciously.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/24301#comment:5>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
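As an added illustration of the escaping the comment argues for (example code written for this page, not from the ticket or from WordPress core): the exact malformed tag from the comment is rendered into an admin fragment twice, once raw and once escaped. Plain `htmlspecialchars()` stands in for WordPress's `esc_textarea()`/`esc_attr()`, which wrap the same call, so the script runs without WordPress loaded.

```php
<?php
// Added example, not part of the ticket: show why raw user HTML in an admin
// preview breaks the screen, and how escaping keeps the page intact.

// Constructed sample: the broken input quoted in the comment. The src
// attribute's closing quote is missing, so the tag never terminates.
$user_html = '<img src="http://placehold.it/200x200 />';

// Unsafe: the stored markup is echoed straight into the admin page. In the
// browser the unterminated attribute swallows everything that follows it,
// including the edit field and the save button, which is the "broken display"
// the comment describes.
function render_preview_unsafe(string $html): string {
    return '<div class="image-preview">' . $html . '</div>'
         . '<input type="text" name="post_format_image" value="' . $html . '">'
         . '<button type="submit">Save</button>';
}

// Safe: escape before the value lands in the page. The preview now shows the
// source text the author typed (like the editor's text tab), the input keeps
// its value, and the author can fix the tag from inside the admin UI.
function render_preview_escaped(string $html): string {
    // ENT_QUOTES escapes both quote styles, so an attribute value can never
    // close early regardless of which quote character the user left open.
    $safe = htmlspecialchars($html, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="image-preview"><code>' . $safe . '</code></div>'
         . '<input type="text" name="post_format_image" value="' . $safe . '">'
         . '<button type="submit">Save</button>';
}

echo "Raw:\n", render_preview_unsafe($user_html), "\n\n";
echo "Escaped:\n", render_preview_escaped($user_html), "\n";
```

Paste each output into an HTML file to compare: in the raw version the browser treats the rest of the fragment as part of the unclosed `src` attribute, while in the escaped version all three elements render.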