My Custom CSS
[resolved] No XSS support (3 posts)

  1. pkucera
    Member
    Posted 2 years ago #

    The My Custom CSS plugin allows the insertion of XSS code. Since the plugin is admin protected it's not as big of a threat, but it can still be vulnerable to an inside attack.

    Any code entered into the css editor is simply stored in the options table and then dumped out between style tags on the page. Thus, hackers can simply close the style block, insert a script block, and reopen the style block. Basically any code desired can be injected.

    Like the idea, but looking for another 'clean' plugin for this purpose or may post a fix to this one if I end up using it.

    Regards,

    http://wordpress.org/extend/plugins/my-custom-css/

  2. DarkWolf
    Member
    Plugin Author

    Posted 2 years ago #

    It's only for admin... really, I think it isn't necessary to put a cleaner for XSS or other code (a hacker inside my admin control panel can also edit a plugin or template ... and insert HTML or PHP code ... maybe also with a PHP shell! Are you sure an XSS in an admin panel like this is a problem?) :/

  3. DarkWolf
    Member
    Plugin Author

    Posted 1 year ago #

    Fixed in this latest update:
    Added strip_tags() to prevent bad code: http://php.net/manual/en/function.strip-tags.php
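
As an added illustration, not code from the plugin itself, the two patterns discussed in this thread in plain PHP: the verbatim echo of the option described in post 1, the strip_tags() hardening adopted in post 3, and a separate save-time check that rejects any value able to terminate the style element early. The option name, function names and `$stored_css` sample are constructed for the example.

```php
<?php
// Added example (not the My Custom CSS plugin's own code).

// Constructed sample of what could be saved through the CSS editor:
// valid CSS, then the style block is closed, a script block inserted,
// and the style block reopened, exactly the pattern post 1 describes.
$stored_css = "body { color: red; }</style><script>alert(1)</script><style>";

// Vulnerable pattern from post 1: the option value is dumped verbatim
// between style tags, so the browser honours any "</style" inside it.
function render_css_unsafe(string $css): string {
    return "<style type=\"text/css\">\n" . $css . "\n</style>";
}

// Hardening from post 3: strip_tags() removes "<...>" sequences, so the
// closing/reopening tags and the script element never reach the page.
function render_css_stripped(string $css): string {
    return "<style type=\"text/css\">\n" . strip_tags($css) . "\n</style>";
}

// Independent save-time check (assumption: applied before update_option):
// a style element's raw text ends at "</style", case-insensitively, so any
// value containing that sequence must be refused rather than stored.
function css_breaks_out_of_style(string $css): bool {
    return stripos($css, '</style') !== false;
}

// Constructed stand-in for the plugin's save handler: returns false and
// stores nothing when the submitted value could break out of the block.
function save_custom_css(string $css, array &$options): bool {
    if (css_breaks_out_of_style($css)) {
        return false;
    }
    $options['my_custom_css'] = strip_tags($css);
    return true;
}

$options = [];
echo "raw value rejected at save time: "
    . (save_custom_css($stored_css, $options) ? 'no' : 'yes') . "\n";
echo "unsafe render contains a script element: "
    . (stripos(render_css_unsafe($stored_css), '<script') !== false ? 'yes' : 'no') . "\n";
echo "stripped render contains a script element: "
    . (stripos(render_css_stripped($stored_css), '<script') !== false ? 'yes' : 'no') . "\n";
```

The check in css_breaks_out_of_style() is deliberately broader than the browser's exact end-tag rule, so legitimate CSS is never affected while every early-termination attempt is refused.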

Topic Closed

This topic has been closed to new replies.
