[wp-trac] [WordPress Trac] #34831: WP oEmbed: Validate the "Secret" When Used in `document.querySelectorAll()`
WordPress Trac
noreply at wordpress.org
Thu Dec 3 20:16:30 UTC 2015
#34831: WP oEmbed: Validate the "Secret" When Used in `document.querySelectorAll()`
--------------------------+-------------------------
Reporter: mdawaffe | Owner: mdawaffe
Type: defect (bug) | Status: closed
Priority: normal | Milestone: 4.4
Component: Embeds | Version: trunk
Severity: normal | Resolution: fixed
Keywords: has-patch | Focuses: javascript
--------------------------+-------------------------
Changes (by wonderboymusic):
* status: assigned => closed
* resolution: => fixed
Comment:
In [changeset:"35761"]:
{{{
#!CommitTicketReference repository="" revision="35761"
WP oEmbed: validate the `secret` sent via `postMessage` in
`wp.receiveEmbedMessage`. Also, compare `window` instances.

In the data sent to us from the embedded iframe by postMessage(), the
secret value is being used directly in a document.querySelectorAll() call
without first being validated or escaped.

In theory, this could lead to some broken embeds.

Props mdawaffe.

Fixes #34831.
}}}
--
Ticket URL: <https://core.trac.wordpress.org/ticket/34831#comment:10>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
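
The two checks the commit message names (validate the secret before it reaches `document.querySelectorAll()`, and compare `window` instances), sketched as an added example; this is not the code from changeset 35761. The alphanumeric secret format, the `data-secret` attribute, and the names `findEmbedTargets` and `makeFakeDocument` are assumptions made for illustration, and the fake document is a constructed stand-in so the example runs outside a browser.

```javascript
// Added example, not WordPress core code. All names below are hypothetical.

// Assumption: a secret is purely alphanumeric, so anything else is rejected
// before it can become part of a CSS selector string.
const SECRET_RE = /^[a-zA-Z0-9]+$/;

// Returns the iframes that may be acted on for this message event.
function findEmbedTargets(doc, event) {
  const data = event.data;
  if (!data || typeof data.secret !== 'string' || !SECRET_RE.test(data.secret)) {
    return []; // never build a selector from an unvalidated value
  }
  const frames = doc.querySelectorAll('iframe[data-secret="' + data.secret + '"]');
  // Compare window instances: the sender must be the frame that carries the secret.
  return Array.from(frames).filter((f) => f.contentWindow === event.source);
}

// Constructed stand-in for `document`: records every selector it is given and
// throws on anything that is not a well-formed data-secret selector.
function makeFakeDocument(frames) {
  const doc = {
    selectorsSeen: [],
    querySelectorAll(selector) {
      doc.selectorsSeen.push(selector);
      const m = /^iframe\[data-secret="([a-zA-Z0-9]+)"\]$/.exec(selector);
      if (!m) throw new SyntaxError('invalid selector: ' + selector);
      return frames.filter((f) => f.secret === m[1]);
    },
  };
  return doc;
}

// Constructed sample data: two embedded frames, each with its own window object.
const winA = { name: 'embed A' };
const winB = { name: 'embed B' };
const frameA = { secret: 'Ab3dEf9hIj', contentWindow: winA };
const frameB = { secret: 'Zz9yXx8wVv', contentWindow: winB };
const sampleDoc = makeFakeDocument([frameA, frameB]);

function demo() {
  return {
    valid: findEmbedTargets(sampleDoc, { source: winA, data: { secret: 'Ab3dEf9hIj' } }),
    malformed: findEmbedTargets(sampleDoc, { source: winA, data: { secret: 'Ab3"]' } }),
    wrongWindow: findEmbedTargets(sampleDoc, { source: winB, data: { secret: 'Ab3dEf9hIj' } }),
  };
}

console.log(demo());
```

The malformed secret never reaches `querySelectorAll()`, and a well-formed secret sent from a different window matches no frame.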