Support » Requests and Feedback » Weblog’s title is not shown in Admin-Panel (possible XSS)

  • hi there,

    my weblog (well, to be honest, when i installed it, it was just for fun, but doesn’t matter) may be has a crazy name, ok. it is called “<!DEBUG[information]>”. and that’s also the point where i think a htmlentities() is missing – in admin panel the name is not shown in left upper corner (because its name starts like a comment-tag in html because < is not converted)…

    look here what i mean:

    yeah, maybe it’s only a small bug and maybe this xss is not dangerous, but it’s not too nice that the name is not shown at that place…

    i hope that bug hasn’t been already reported – please excuse if it was…

    ps: i have WordPress 2.0.2, but the german edition…


Viewing 3 replies - 1 through 3 (of 3 total)
  • Don’t know why this has anything to do with XSS. if you think it does, email the security list.

    Otherwise… You’re blog title has < and > around it. Look familiar? Oh yeah, those are characters that enclose <b>HTML tags</b>… 😉 Don’t do that. The system is probably stripping the tag out for security — but you are right, it could have done an htmlentities call on it. why don’t you just have it be “DEBUG[information]” which looks much cleaner anyway?


    I think it does not matter how the weblog is called and why the < and >-signs are used – as I told I installed it just for fun (at first).
    At all other sites (well, I haven’t found any where it isn’t yet, except Administration) that characters are converted to their XHTML-expressions, but not in Admin-Panel.

    Do you have an email-adress where I could report this?
    Sorry, I’m new to Word-Press … 🙁

    Thanks in advice 🙂

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘Weblog’s title is not shown in Admin-Panel (possible XSS)’ is closed to new replies.