Support » Plugin: My Custom CSS » [Plugin: My Custom CSS] No XSS support

  • Resolved pkucera

    (@pkucera)


    The My Custom CCS plugin allows the insertion of XSS code. Since the plugin is admin protected it’s not as big of a threat, but can still be vulnerable to an inside attack.

    Any code entered into the css editor is simply stored in the options table and then dumped out between style tags on the page. Thus, hackers can simply close the style block, insert a script block, and reopen the style block. Basically any code desired can be injected.

    Like the idea, but looking for another ‘clean’ plugin for this purpose or may post a fix to this one if I end up using it.

    Regards,

    http://wordpress.org/extend/plugins/my-custom-css/

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author Salvatore

    (@darkwolf)

    Is only for admin… really, i think isn’t necessary to put a cleaner for xss or other code (an hacker inside my admin control panel can also edit a plugin o template … and insert html or php code … maybe also with a php shell! Are you sure is a problem an xss in admin panel like this?) :/

    Plugin Author Salvatore

    (@darkwolf)

    Fix in this latest update:
    Add strip tag to prevent bad code: http://php.net/manual/en/function.strip-tags.php

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘[Plugin: My Custom CSS] No XSS support’ is closed to new replies.