[wp-trac] [WordPress Trac] #34281: Allow admins to send users a 'Reset Password' link

WordPress Trac noreply at wordpress.org
Mon Nov 9 18:08:23 UTC 2015


#34281: Allow admins to send users a 'Reset Password' link
-------------------------------------------------+-------------------------
 Reporter:  Ipstenu                              |       Owner:
     Type:  defect (bug)                         |  adamsilverstein
 Priority:  normal                               |      Status:  assigned
Component:  Users                                |   Milestone:  4.4
 Severity:  normal                               |     Version:  trunk
 Keywords:  has-patch needs-testing has-         |  Resolution:
  screenshots needs-refresh                      |     Focuses:  javascript
-------------------------------------------------+-------------------------

Comment (by adamsilverstein):

 Replying to [comment:22 eventualo]:

 Thanks for the updated patch... I will re-test.

 > * inside `user-profile.js` file, I updated the `addInlineNotice`
 function: now the `resultDiv` prints html, because the output message can
 be html, and uses a fadeIn, useful if the user clicks the button again.

 How would the response contain HTML? It should only be text unless I am
 missing something?

 I'm concerned that using .html() opens a security hole because the
 response would be evaluated. If an attacker could alter the response, they
 could inject JavaScript into the admin page. I'd prefer to stick to text()
 which is safer.

 Also, I'm not sure fadeIn is appropriate; do we use that anywhere else in
 core?

 In the previous version of the patch, we disable the button upon response,
 preventing duplicate clicks. That part is missing in your latest patch. I
 think this better matches what we are doing with the 'Log me out
 everywhere else' button right below this button. It might make more sense
 to fire right after clicking the button instead of on response.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/34281#comment:23>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
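An added illustration of the `.html()` versus `.text()` concern raised in the comment above; it is not code from the ticket's patch or from WordPress core. It models in plain JavaScript (no DOM required) what each jQuery call lets the same AJAX response become in the notice; the function names and both sample responses are constructed for this example.

```javascript
// Constructed example: models the two ways addInlineNotice could render the
// AJAX response. No browser DOM is needed; escapeText mirrors what a DOM text
// node serializes to, which is what jQuery's .text(response) produces.

// Escape the characters a text node neutralizes when serialized as markup.
function escapeText(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Equivalent of resultDiv.html(response): the response is parsed as markup,
// so any tag it carries becomes a live element in the admin page.
function renderNoticeAsHtml(response) {
  return '<div class="notice"><p>' + response + '</p></div>';
}

// Equivalent of resultDiv.text(response): the response is inert text, so a
// tag in it is displayed literally rather than executed.
function renderNoticeAsText(response) {
  return '<div class="notice"><p>' + escapeText(response) + '</p></div>';
}

// Check whether the rendered notice contains any element besides the wrapper
// the page itself built (a simple detection heuristic for the example).
function containsInjectedTags(rendered) {
  const inner = rendered
    .replace(/^<div class="notice"><p>/, '')
    .replace(/<\/p><\/div>$/, '');
  return /<[a-z!\/]/i.test(inner);
}

// Constructed responses: the message the server is expected to send, and one
// altered in transit to carry markup, as the comment warns.
const EXPECTED_RESPONSE = 'Password reset link sent to the user.';
const TAMPERED_RESPONSE =
  'Link sent. <script>/* attacker-controlled */</script>';
```

For the expected plain-text message both paths produce identical markup, which is why `.text()` costs nothing here; only the tampered response behaves differently.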

