Serious Security Concern
First, I would like to say this plugin works great, minus a serious security concern that I have noticed just very recently. I have about 10 different shortcodes created in Shortcoder that all work wonderfully all across a marketing site, except I noticed one shortcode in particular was broken tonight.
The purpose of this shortcode is a call to action that sits at the bottom of every blogpost the site has. It contains some super simple HTML: a div, with an h2 heading, and a button that links to a request demo page.
However, the security concern is that, for some reason, Shortcoder seems to be inserting a <b contenteditable="true"> tag around the entire contents of this shortcode.
What does this do? Well, it allows anyone viewing the public-facing site to change any of the information inside of the shortcode as if they were working in a text editor. Obviously, I do not need to discuss any further why I believe this is a security concern, as this could potentially be used by attackers to inject code into the website.
I have temporarily disabled that ability by attaching contenteditable="false" attributes to each of the elements in the shortcode. I still recommend this plugin, as it has saved me countless hours.
P.S. I would be glad to send a link to the creator of this plugin so he can see for himself, but I will not be posting it for anyone else, sorry.
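A site-level mitigation for the situation described above, added here as an example and not code from the Shortcoder plugin or from the original poster: instead of hand-adding contenteditable="false" to each element, the shortcode's rendered output is passed through WordPress's wp_kses() with an allowlist of the tags and attributes the call-to-action actually needs, so any injected wrapper or attribute (contenteditable included) is dropped before the page is served. It assumes the shortcode is invoked as [sc name="cta"] (tag "sc" and name "cta" are placeholder assumptions).

```php
<?php
/**
 * Sanitize the rendered HTML of one Shortcoder shortcode with an allowlist.
 * Added example, not part of the Shortcoder plugin.
 * Hooks the core 'do_shortcode_tag' filter (WordPress 4.7+), which receives
 * the rendered output, the shortcode tag, its attributes and the regex match.
 */
function cta_shortcode_allowlist( $output, $tag, $attr, $m ) {
    // Only act on the call-to-action shortcode. Tag 'sc' and name 'cta'
    // are assumptions standing in for the poster's real shortcode.
    if ( 'sc' !== $tag || ! is_array( $attr ) || empty( $attr['name'] ) ) {
        return $output;
    }
    if ( 'cta' !== $attr['name'] ) {
        return $output;
    }

    // Allowlist: a div, an h2 heading and a button-styled link, as the
    // post describes. Anything else (for example a <b> wrapper, or a
    // contenteditable attribute on any element) is stripped by wp_kses().
    $allowed_html = array(
        'div' => array( 'class' => true, 'id' => true ),
        'h2'  => array( 'class' => true ),
        'p'   => array( 'class' => true ),
        'a'   => array(
            'href'   => true,
            'class'  => true,
            'rel'    => true,
            'target' => true,
        ),
        'button' => array( 'class' => true, 'type' => true ),
    );

    // wp_kses() keeps the text inside disallowed tags but removes the tags
    // themselves and any attribute not listed above, and it normalises
    // attribute quoting, so contenteditable cannot survive in any form.
    return wp_kses( $output, $allowed_html );
}
add_filter( 'do_shortcode_tag', 'cta_shortcode_allowlist', 10, 4 );
```

Because the filter runs on every render, the check can be confirmed by viewing the page source of a post and searching for contenteditable; an allowlist also covers attributes the poster did not anticipate, which a per-element contenteditable="false" workaround does not.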