Make WordPress Core

Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#11932 closed defect (bug) (invalid)

Strip Shortcodes from untrusted comment authors

Reported by: kdzwinel
Owned by: ryan
Milestone:
Priority: normal
Severity: normal
Version: 2.9.1
Component: Security
Keywords:
Focuses:
Cc:

Description

I don't really know where to post this. I don't use WordPress; I've just found an XSS bug in comments on my friend's site. Details here:

http://wordpress.org/support/topic/353104?replies=2

BTW
I don't understand how you can make people read this:
http://codex.wordpress.org/Submitting_Bugs
and then submit bugs using Trac, which is definitely not the most intuitive software for non-developers. It is really discouraging; I guess 10% of people who want to submit a bug get here.

Change History (5)

comment:1 scribu, 4 years ago

  • Milestone Unassigned deleted

This trac is reserved for bugs with WordPress itself. I've replied on the topic.

Related to non-developers being able to submit bugs easily, I'm not sure that's necessarily something we want to encourage.

They should post on the support forums, from which moderators can open valid tickets.

comment:2 scribu, 4 years ago

  • Resolution set to invalid
  • Status changed from new to closed

comment:3 Denis-de-Bernardy, 4 years ago

  • Milestone set to 2.9.2
  • Resolution invalid deleted
  • Status changed from closed to reopened
  • Summary changed from kaltura-widget xss security error to Strip Shortcodes from untrusted comment authors
  • Version set to 2.9.1

Re-opening this, because I think there's a genuine issue here.

We ought to strip shortcodes from comments unless they're inserted by trusted users.

comment:4 follow-up: miqrogroove, 4 years ago

  • Keywords xss kaltura removed
  • Milestone 2.9.2 deleted
  • Resolution set to invalid
  • Status changed from reopened to closed

I agree with scribu on this one. shortcodes.php only hooks the_content(). Shortcodes are already ignored in all comments.

comment:5 in reply to: ↑ 4 ShaneF, 4 years ago

Replying to miqrogroove:

I agree with scribu on this one. shortcodes.php only hooks the_content(). Shortcodes are already ignored in all comments.

By default. A plugin author can always add comments to allow their shortcode to be used there.
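The point made in comments 3 to 5, as an added example written for this page (it is not code from WordPress core, nor from the plugin discussed in the linked forum thread): core only hooks do_shortcode() onto the_content, so comment text is untouched until a plugin hooks comment_text. The commented-out line is the pattern such a plugin uses to enable shortcodes in comments for every commenter; the function below is one way to keep that feature while stripping shortcodes from untrusted authors, as comment 3 proposes. The function name and the choice of the unfiltered_html capability as the trust check are assumptions made for this example, not anything the ticket specifies.

```php
<?php
/*
Plugin Name: Gate shortcodes in comments (added example, not WordPress core)
Description: Shows the unsafe way to enable shortcodes in comments next to a
capability-gated alternative. Drop into wp-content/mu-plugins/ to try it.
*/

/*
 * Unsafe pattern: a plugin that "adds comments" to its shortcode's reach by
 * running every registered shortcode on every comment. An anonymous commenter
 * then gets the same shortcode expansion as the post author. Left commented
 * out on purpose.
 *
 * add_filter( 'comment_text', 'do_shortcode' );
 */

/**
 * Expand shortcodes in a comment only when its author is a registered user
 * who already holds the unfiltered_html capability; strip them for everyone
 * else, including anonymous commenters.
 *
 * Assumption (example only): unfiltered_html is the trust boundary. Use a
 * stricter capability if the site's threat model calls for it.
 *
 * @param string          $text    Comment text, as passed by the comment_text filter.
 * @param WP_Comment|null $comment Comment object (passed by the filter since WP 4.1);
 *                                 falls back to the current comment in the loop.
 * @return string Comment text with shortcodes expanded or removed.
 */
function example_gate_comment_shortcodes( $text, $comment = null ) {
	if ( ! $comment ) {
		$comment = get_comment(); // global $comment inside the comments loop
	}

	// Anonymous commenters have user_id 0 and never pass the check.
	$author_id = $comment ? (int) $comment->user_id : 0;

	if ( $author_id > 0 && user_can( $author_id, 'unfiltered_html' ) ) {
		return do_shortcode( $text );
	}

	// strip_shortcodes() removes only tags registered at this point in the
	// request; a shortcode registered later is not covered, so keep this
	// filter at a priority that runs after plugins have registered theirs.
	return strip_shortcodes( $text );
}
add_filter( 'comment_text', 'example_gate_comment_shortcodes', 10, 2 );
```

Priority 10 places the filter ahead of wpautop() (priority 30) on comment_text, so expanded shortcode output is paragraph-wrapped like the rest of the comment. Note that strip_shortcodes() leaves unregistered bracketed text alone, and that a plugin which hooks do_shortcode directly onto comment_text bypasses this gate entirely; the only reliable check is to audit which callbacks are attached to comment_text on the site in question.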
