
XSS in post.php (5 posts)

  1. pedrojrulez
    Member
    Posted 9 years ago #

    It's possible to achieve some attacks (like phishing) by
    performing a post like this (from wp-admin/post.php):

    <script>window.location=String.fromCharCode(104,116,116,112,...);</script>

    As WP won't dump quotes -but &#...;-, you must build
    the URL by passing UNICODE character codes to
    String.fromCharCode().

    (Tested with Firefox 1.0.2, IE 6.0, WP 1.5 under Fedora
    Core 3, PHP 4.3.10.)

  2. Matt Mullenweg
    Troublemaker
    Posted 9 years ago #

    So you're saying that you can post content in your admin area and then people who see your blog will see that content? WP does not sanitize posts, whatever you put in there is shown to your blog visitors.

  3. Dougal Campbell
    Member
    Posted 9 years ago #

    Right, this is not any kind of "bug" in WP. If you can't trust a user to not publish "unsafe" code, then you probably shouldn't be giving them post permissions.

    That said, it would probably be trivial to whip up a plugin that would filter post content through kses for users below a certain level, just as comments currently are.
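
The plugin Dougal describes, written out as an added example (this is not code from the thread or from WordPress itself). It assumes a modern WordPress with the roles/capabilities API, so "users below a certain level" becomes "users without the `unfiltered_html` capability", and it reuses the core `wp_filter_post_kses()` function that WordPress already applies to comments and to untrusted authors. The hook names, function names and the `manage_options` check used to identify administrators are real WordPress APIs; the `fkses_` function names are the example's own.

```php
<?php
/*
Plugin Name: Force kses on post content (illustrative example)
Description: Strips script tags and other disallowed markup from saved
post content for every user who lacks the unfiltered_html capability,
the same treatment WordPress gives comments.
*/

// Assumption: WordPress 2.0 or later (roles/capabilities API). A WP 1.5-era
// version of this plugin would test the numeric user level instead.

/**
 * Deny the unfiltered_html capability to everyone who is not an administrator.
 *
 * WordPress core only installs its own kses save filters for users who lack
 * unfiltered_html, so revoking the capability here is enough to make core
 * filter those users' posts. Editors normally hold the capability; this
 * tightens that default.
 */
function fkses_deny_unfiltered_html( $caps, $cap, $user_id, $args ) {
	if ( 'unfiltered_html' === $cap && ! user_can( $user_id, 'manage_options' ) ) {
		// Returning do_not_allow makes current_user_can('unfiltered_html') false.
		return array( 'do_not_allow' );
	}
	return $caps;
}
add_filter( 'map_meta_cap', 'fkses_deny_unfiltered_html', 10, 4 );

/**
 * Belt-and-braces: filter post content on save regardless of whether core's
 * kses filters were installed for this request.
 *
 * content_save_pre supplies slashed data, and wp_filter_post_kses() expects
 * slashed input: it unslashes, runs wp_kses() with the 'post' allow-list
 * (which has no <script>, no on* event attributes and no javascript: URLs),
 * then re-slashes the result.
 */
function fkses_filter_post_content( $content ) {
	if ( current_user_can( 'unfiltered_html' ) ) {
		// Trusted users keep their markup exactly as typed.
		return $content;
	}
	return wp_filter_post_kses( $content );
}
add_filter( 'content_save_pre', 'fkses_filter_post_content', 10 );
```

Once activated, a contributor or author who submits the sort of post shown at the top of the thread has the `<script>` element removed before the post reaches the database, while the text around it is preserved. Administrators are unaffected, which matches the thread's point: the question is who you trust with raw HTML, and the plugin simply draws that line at the administrator role rather than at editor.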

  4. chuyskywalker
    Member
    Posted 9 years ago #

    Heh...

  5. davidhouse
    Member
    Posted 9 years ago #

    This is surely possible with or without WordPress. Like Dougal said, if you can't trust an author, don't make them an author.

This topic has been closed to new replies.