WordPress.org

Ready to get started?Download WordPress

Forums

Weblog's title is not shown in Admin-Panel (possible XSS) (4 posts)

  1. rellek
    Member
    Posted 8 years ago #

    hi there,

    my weblog (well, to be honest, when i installed it, it was just for fun, but doesn't matter) may be has a crazy name, ok. it is called "<!DEBUG[information]>". and that's also the point where i think a htmlentities() is missing - in admin panel the name is not shown in left upper corner (because its name starts like a comment-tag in html because < is not converted)...

    look here what i mean:
    http://img307.imageshack.us/img307/9057/wp9ob.png

    yeah, maybe it's only a small bug and maybe this xss is not dangerous, but it's not too nice that the name is not shown at that place...

    i hope that bug hasn't been already reported - please excuse if it was...

    ps: i have WordPress 2.0.2, but the german edition...

    yours,
    rellek

  2. davidchait
    Member
    Posted 8 years ago #

    Don't know why this has anything to do with XSS. if you think it does, email the security list.

    Otherwise... You're blog title has < and > around it. Look familiar? Oh yeah, those are characters that enclose <b>HTML tags</b>... ;) Don't do that. The system is probably stripping the tag out for security -- but you are right, it could have done an htmlentities call on it. why don't you just have it be "DEBUG[information]" which looks much cleaner anyway?

    -d

  3. rellek
    Member
    Posted 8 years ago #

    I think it does not matter how the weblog is called and why the < and >-signs are used - as I told I installed it just for fun (at first).
    At all other sites (well, I haven't found any where it isn't yet, except Administration) that characters are converted to their XHTML-expressions, but not in Admin-Panel.

    Do you have an email-adress where I could report this?
    Sorry, I'm new to Word-Press ... :(

    Thanks in advice :-)

  4. davidchait
    Member
    Posted 8 years ago #

Topic Closed

This topic has been closed to new replies.

About this Topic

Tags

No tags yet.