[wp-trac] [WordPress Trac] #55968: xss string to be treated as simple string

WordPress Trac noreply at wordpress.org
Sun Jun 12 06:11:57 UTC 2022

#55968: xss string to be treated as simple string
 Reporter:  vibhanshujain      |      Owner:  (none)
     Type:  defect (bug)       |     Status:  new
 Priority:  normal             |  Milestone:  Awaiting Review
Component:  Posts, Post Types  |    Version:  trunk
 Severity:  normal             |   Keywords:  needs-patch
  Focuses:                     |
 An XSS string should be treated as a simple string while creating a post from
 the Dashboard, or should not be allowed to be saved as a draft.

 Current Behaviour:
 WordPress allows a post to be saved as a draft with an XSS string; however,
 editing of the post is not allowed.

 Expected Behaviour:
 Behaviour should be consistent from an end-user perspective.

 Steps To Reproduce:
 Step-1: Log in to WordPress 6.1
 Step-2: Navigate to the Dashboard.
 Step-3: Enter simple XSS text for the title in the Quick Draft section
 e.g: <svg onload=alert(XSS)>
 Step-4: Click on Save Draft to save the post as a draft
 Step-5: Click on the newly created XSS-titled post to edit it.

Ticket URL: <https://core.trac.wordpress.org/ticket/55968>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
