Support » Fixing WordPress » Strip or forbid Javascript in comments

  • A friend’s WP blog got slashdotted. Not fun at all: 10GB of traffic in 4 days, 95585 unique visitors. All of them kicking tyres and trying to be smart.

    One of these clever sheep placed a javascript endless loop in his comment. The only way out is to kill your browser process, this exploit works under ie, firefox and opera, for windows. I could try the same here but it wouldn’t be polite.

    How do I strip or disable javascript for comments. Specifically onmouseover events? I just replicated the exact problem in a comment on my blog.

Viewing 4 replies - 1 through 4 (of 4 total)
  • normally, this is built-in. wp only allows a limited set of tags. then again, various tricks once allowed to bypass php’s strip_tags function, e.g. <scr<script>ipt>. was any dirty trick used?

    I’m not sure if my friend kept the source or just deleted the post…

    I just did a test comment to my blog and without any dirty tricks. I just created an anchor with a onmouseover event. The endless loop activated.

    So how do we strip or stop an onmouseover exploit?



    Given there isn’t a lot response here I’ll illustrate the exploit. I think bbPress should strip it out the greater thans.

    <a onmouseover=”for(;;)alert(‘endless loop exploit Traps IE, Firefox and Opera.’);”
    href=”″ name=”exploit”>Onmouseover
    exploit: kills IE, Firefox and Opera if you mouseover with javascript enabled. You’ve been warned.

    <a onmouseover="for(;;)alert('endless loop exploit Traps IE, Firefox and Opera.');"
    href="" name="exploit">Onmouseover
    exploit:</a> kills IE, Firefox and Opera if you mouseover with javascript
    enabled. You've been warned.



    Aha! so how is bbPress smart enough to change < to < in the onmouseover link.

    Or am I doing something wrong in creating the link code?

    Here is the link without the onmouseover payload

    No Onmouseover

    Below is with the payload. (If it’s a link DON’T mouseover).

    <a onmouseover=”for(;;)alert(‘endless loop exploit!’);”

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘Strip or forbid Javascript in comments’ is closed to new replies.