[wp-trac] [WordPress Trac] #24301: Unescaped user input in image preview
WordPress Trac
noreply at wordpress.org
Wed May 22 17:12:58 UTC 2013
#24301: Unescaped user input in image preview
--------------------------+--------------------
Reporter: tollmanz | Owner:
Type: defect (bug) | Status: new
Priority: high | Milestone: 3.6
Component: Post Formats | Version: trunk
Severity: major | Resolution:
Keywords: has-patch |
--------------------------+--------------------
Comment (by georgestephanis):
Replying to [comment:18 markjaquith]:
> I've come across video services in the past that have utilized `<script>` tags.
For the sake of security, I'd definitely not allow script embeds.
I think we need to draw the line somewhere, and I'd personally like to say
we'll just accept videos from oEmbed providers -- potentially even if
they're not whitelisted to allow for future growth?
That being improbable for a good UX experience, patch forthcoming with the
allowed tags in a filter to let the users add new ones if they want.
Default to higher security, but they can add <script> in if they want.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/24301#comment:19>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
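The "allowed tags in a filter" approach the comment describes, written out as an added example (this is not the ticket's patch or core code). It assumes WordPress is loaded so that wp_kses(), apply_filters() and add_filter() exist; the hook name and function names prefixed `example_` are placeholders.

```php
<?php
// Added example, not the patch from ticket #24301. Assumes WordPress core is
// loaded (wp_kses(), apply_filters(), add_filter() come from core). The hook
// 'example_video_embed_allowed_html' and the example_* functions are
// placeholders chosen for this illustration, not real core names.

/**
 * Default allow-list for a user-supplied video embed: iframe, video and
 * source with a few attributes, and no <script>. The list is passed through
 * a filter so a site can extend it if it needs a tag that is not here.
 */
function example_video_embed_allowed_html() {
    $allowed = array(
        'iframe' => array(
            'src'             => true,
            'width'           => true,
            'height'          => true,
            'frameborder'     => true,
            'allowfullscreen' => true,
        ),
        'video'  => array(
            'src'      => true,
            'width'    => true,
            'height'   => true,
            'controls' => true,
            'poster'   => true,
        ),
        'source' => array(
            'src'  => true,
            'type' => true,
        ),
    );
    // Sites opt in to more tags here; the default stays restrictive.
    return apply_filters( 'example_video_embed_allowed_html', $allowed );
}

/**
 * Sanitize an embed before it is echoed into the preview. Only tags and
 * attributes in the allow-list survive; only http/https URLs are kept.
 */
function example_sanitize_video_embed( $html ) {
    return wp_kses( $html, example_video_embed_allowed_html(), array( 'http', 'https' ) );
}

// Example of a site extending the default (an extra iframe attribute, not <script>).
add_filter( 'example_video_embed_allowed_html', function ( $allowed ) {
    $allowed['iframe']['allow'] = true;
    return $allowed;
} );

// Constructed untrusted input: a legitimate iframe followed by an injected script.
$untrusted = '<iframe src="https://example.com/embed/1" width="640"></iframe>'
           . '<script>alert(1)</script>';
// wp_kses drops the <script> tags (their text content is left as inert text)
// and keeps the iframe with its allowed attributes.
echo example_sanitize_video_embed( $untrusted );
```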