id	summary	reporter	owner	description	type	status	priority	milestone	component	version	severity	resolution	keywords	cc
10751	kses filter fields when displaying	ryan	ryan	Currently, some DB fields are trusted when being displayed.  Usually this is fine since everything is run through kses upon save. However, some recent attacks have manipulated DB values to cover their tracks, making DB information untrustworthy.  Where possible, we should run values through kses not just upon save, but upon display as well. This would thwart the recent example where the first_name field was modified to contain JS that hid a bogus admin user.	defect (bug)	closed	normal	2.9	Security		normal	fixed	has-patch	
