[wp-trac] [WordPress Trac] #52457: WordPress vulnerable to search-reflected webspam

WordPress Trac noreply at wordpress.org
Mon Feb 8 16:15:30 UTC 2021


#52457: WordPress vulnerable to search-reflected webspam
-------------------------------------------------+-------------------------
 Reporter:  abagtcs                              |       Owner:  (none)
     Type:  enhancement                          |      Status:  new
 Priority:  normal                               |   Milestone:  5.7
Component:  General                              |     Version:
 Severity:  normal                               |  Resolution:
 Keywords:  has-patch needs-testing needs-unit-  |     Focuses:  template
  tests                                          |
-------------------------------------------------+-------------------------
Changes (by ayeshrajans):

 * keywords:   => has-patch needs-testing needs-unit-tests
 * focuses:   => template


Comment:

 It's a pretty clever way to spam. The `esc_html` of course helps with XSS,
 but the text itself is part of the page.

 Suggesting a patch with `add_filter( 'wp_robots', 'wp_robots_no_robots'
 );` when the search query is fetched. I think it wouldn't be possible to
 track all use cases unless we grep-and-fix `$_REQUEST['s']` for user-
 search related pages, but I hope the patch is a start.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/52457#comment:6>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
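The mitigation the comment above proposes, written out as a small must-use plugin. This is an added example, not the patch attached to the ticket; it assumes WordPress 5.7 or later (the milestone of this ticket), where the `wp_robots` filter and `wp_robots_no_robots()` exist, and the function name `example_noindex_search_results` is the author's own choice.

```php
<?php
/**
 * Plugin Name: Noindex search results (added example, not the ticket's patch)
 *
 * Drop this file into wp-content/mu-plugins/. It does not change how the
 * search term is rendered (that is still escaped with esc_html); it only
 * tells crawlers not to index search-result pages, so reflected text on
 * those pages cannot be indexed as if it were site content.
 */

/**
 * Apply noindex to search-result pages only; every other page keeps the
 * robots directives it already had.
 *
 * @param array<string, bool|string> $robots Directives keyed by name.
 * @return array<string, bool|string>
 */
function example_noindex_search_results( array $robots ) {
	// wp_robots() runs inside wp_head, after the main query has been
	// parsed, so is_search() is reliable here.
	if ( is_search() ) {
		// wp_robots_no_robots() sets noindex (and follow/nofollow based
		// on the blog_public option); it does not discard other directives.
		$robots = wp_robots_no_robots( $robots );
	}
	return $robots;
}
add_filter( 'wp_robots', 'example_noindex_search_results' );
```

To check it, request `/?s=anything` on a site with the plugin active and confirm the `<meta name='robots' ...>` tag in `wp_head` output now contains `noindex`, while the home page output is unchanged.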