[wp-trac] [WordPress Trac] #50308: CSS Customizer control field - vulnerability against hacks prevention
WordPress Trac
noreply at wordpress.org
Thu Jun 4 07:26:14 UTC 2020
#50308: CSS Customizer control field - vulnerability against hacks prevention
-------------------------+------------------------------
Reporter: marcorinia | Owner: (none)
Type: enhancement | Status: assigned
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: 5.4.1
Severity: normal | Resolution:
Keywords: close | Focuses:
-------------------------+------------------------------
Comment (by ramon fincken):
Replying to [comment:3 marcorinia]:
> Maybe @ramonfincken has some extra additions/improvements for more
security to add to this security aspect of the standard CSS field in
the Customizer?
Not quite .. there is a capability named unfiltered_html
https://wordpress.org/support/article/roles-and-capabilities/#unfiltered_html
so in line with that you might want to give only the (full) admin role-level
CSS and JS. All others get CSS only.
But.. that does NOT fix any DB injections that will take place with crappy
plugins. You need some filtering. I am not aware of any 100% true-positive
regex filter that filters out every bad line of JS.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/50308#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
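The capability gate the comment describes, as an added example that is not code from the ticket or from WordPress core: users holding unfiltered_html keep their Customizer CSS verbatim, everyone else has markup stripped so the value cannot break out of the `<style>` block it is printed into. The hook name is derived from WP_Customize_Setting::sanitize(), which applies "customize_sanitize_{$id}"; the setting id format `custom_css[<stylesheet>]` and the priority are assumptions to verify against your core version.

```php
<?php
// Added example (not from the ticket or core): gate raw CSS on unfiltered_html
// and strip tags for every other role, matching the comment's suggestion.

/**
 * Sanitize callback for the Customizer's additional CSS value.
 * Returns the value untouched for users with unfiltered_html; for all
 * other users removes <script>/<style> elements with their contents and
 * any remaining tags, so a "</style><script>" payload cannot survive.
 */
function ticket50308_sanitize_custom_css( $css ) {
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $css;
    }
    // wp_strip_all_tags() first deletes <script>...</script> and
    // <style>...</style> blocks, then strips every other tag.
    return wp_strip_all_tags( (string) $css );
}

// Core registers the custom_css setting on customize_register at priority
// 11, so attach the filter afterwards. The id format is an assumption.
add_action( 'customize_register', function ( $wp_customize ) {
    $setting_id = 'custom_css[' . get_stylesheet() . ']';
    if ( $wp_customize->get_setting( $setting_id ) ) {
        add_filter(
            'customize_sanitize_' . $setting_id,
            'ticket50308_sanitize_custom_css'
        );
    }
}, 20 );
```

Note that core already maps the edit_css meta capability onto unfiltered_html, so in a default install only users with that capability can reach the field at all; this callback adds a second, content-level check that also covers values written by other code paths through the same setting. It does nothing for rows a faulty plugin writes straight into the database, which is the gap the comment points out.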