Live Comment Preview
[resolved] XSS in 2.0.1 (2 posts)

  1. Busindre
    Member
    Posted 2 years ago

    Hi Brad.
    HTML tags are not stripped from the preview in the "Name" and "Web site" fields. I think that HTML tags should not be allowed.

    XSS example: <iframe src="http://ha.ckers.org/scriptlet.html">
    Thank you.

    http://wordpress.org/extend/plugins/live-comment-preview/

  2. Brad Touesnard
    Member
    Plugin Author

    Posted 1 year ago

    Before the quote appears on the site for everyone else, it is run through the usual server-side filters to strip tags and whatever else is usually done. Yes, the user could inject an iframe or whatever other HTML they like on their own screen, but it will be stripped when they submit their comment and will not show up for others. Therefore, it's not an XSS vulnerability.
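The thread turns on the difference between what the browser-side preview renders for the commenter and what the server strips before publishing. The following is an added example, not the Live Comment Preview plugin's code, showing how a client-side preview can escape the Name and Web site fields so markup typed there is displayed literally rather than interpreted; the function names and the sample input are constructed for illustration.

```javascript
// Added example (not the plugin's code): render a comment preview without
// interpreting markup typed into the Name and Web site fields.

function escapeHtml(value) {
  // Replace the five characters that can open or close markup or attributes.
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

function safeAuthorUrl(value) {
  // Only http(s) links become clickable in the preview; any other scheme is
  // dropped so the author name is rendered as plain text instead of a link.
  const trimmed = String(value).trim();
  return /^https?:\/\//i.test(trimmed) ? trimmed : null;
}

function renderPreview(fields) {
  // Build the preview as a string of escaped text, never raw user markup.
  const name = escapeHtml(fields.name);
  const url = safeAuthorUrl(fields.website);
  const author = url
    ? `<a href="${escapeHtml(url)}" rel="nofollow">${name}</a>`
    : name;
  const body = escapeHtml(fields.comment).replace(/\n/g, '<br>');
  return `<div class="comment-preview"><cite>${author}</cite><p>${body}</p></div>`;
}

// Constructed sample mirroring the report above: markup in the Name field and a
// non-http value in the Web site field.
const sample = {
  name: '<iframe src="http://ha.ckers.org/scriptlet.html">',
  website: 'not-a-link',
  comment: 'Hello <b>world</b>\nsecond line',
};

console.log(renderPreview(sample));
```

The preview therefore shows the iframe tag as visible text for the commenter, which is the same outcome the server-side filter produces for everyone else once the comment is submitted.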

Topic Closed

This topic has been closed to new replies.
