[wp-trac] [WordPress Trac] #27574: ID3 data should be editable
WordPress Trac
noreply at wordpress.org
Tue Apr 8 05:24:24 UTC 2014
#27574: ID3 data should be editable
----------------------------+-----------------------
Reporter: wonderboymusic | Owner:
Type: enhancement | Status: reopened
Priority: normal | Milestone: 3.9
Component: Media | Version: 3.6
Severity: normal | Resolution:
Keywords: has-patch | Focuses:
----------------------------+-----------------------
Comment (by nacin):
We're going to need to revert [27960] and restore the escaping added in
[27869].
This allows for XSS within the editor. Our rule is that even an admin with
unfiltered HTML cannot cause admin-area XSS. This obviously is not a major
vulnerability, but rather defense-in-depth.
We would have to go between {{ and {{{ based on is_admin(), I guess. I
don't love that, either. It also means HTML will be represented as HTML
rather than rendered (not a big deal). I don't know the solution for this.
Let's have a new, targeted ticket and we can figure it out during 3.9 RC.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/27574#comment:16>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform