#11932 closed defect (bug) (invalid)
Strip Shortcodes from untrusted comment authors
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | 2.9.1 |
| Component: | Security | Keywords: | |
| Focuses: | | Cc: | |
Description
I really don't know where to post this. I don't use WordPress; I've just found an XSS bug in comments on my friend's site. Details here:
http://wordpress.org/support/topic/353104?replies=2
BTW
I don't understand how you can make people read this:
http://codex.wordpress.org/Submitting_Bugs
And then submit bugs using Trac, which is definitely not the most intuitive software for non-developers. It is really discouraging; I guess 10% of people who want to submit a bug get here.
Change History (5)
#3
@
15 years ago
- Milestone set to 2.9.2
- Resolution invalid deleted
- Status changed from closed to reopened
- Summary changed from kaltura-widget xss security error to Strip Shortcodes from untrusted comment authors
- Version set to 2.9.1
Re-opening this, because I think there's a genuine issue here.
We ought to strip shortcodes from comments unless they're inserted by trusted users.
#4
follow-up:
↓ 5
@
15 years ago
- Keywords xss kaltura removed
- Milestone 2.9.2 deleted
- Resolution set to invalid
- Status changed from reopened to closed
I agree with scribu on this one. shortcodes.php only hooks the_content(). Shortcodes are already ignored in all comments.
#5
in reply to:
↑ 4
@
15 years ago
Replying to miqrogroove:
I agree with scribu on this one. shortcodes.php only hooks the_content(). Shortcodes are already ignored in all comments.
By default. A plugin author can always add comments to allow their shortcode to be used there.
This trac is reserved for bugs with WordPress itself. I've replied on the topic.
Related to non-developers being able to submit bugs easily, I'm not sure that's necessarily something we want to encourage.
They should post on the support forums, from which moderators can open valid tickets.
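Added illustration, not part of this ticket or of WordPress core: comments #4 and #5 describe the actual mechanism (shortcodes.php registers do_shortcode() only on the_content, so comments are not parsed unless a plugin adds the filter itself), and comment #3 proposes stripping shortcodes from comments by untrusted authors. The mu-plugin below implements that proposal as a defence against a plugin that opts comments in. The function name is hypothetical; the hooks and WordPress functions used (comment_text, strip_shortcodes(), user_can(), get_comment()) are real, and the two-argument form of the comment_text filter assumes WordPress 4.1 or later.

```php
<?php
/**
 * Added example (not WordPress core code, not from the ticket).
 *
 * Core only does:  add_filter( 'the_content', 'do_shortcode', 11 );
 * A plugin that wants shortcodes in comments typically adds:
 *     add_filter( 'comment_text', 'do_shortcode' );   // priority 10
 *
 * This filter runs at priority 9, i.e. before any such do_shortcode
 * filter, and removes registered shortcodes from comments whose author
 * does not hold the unfiltered_html capability.
 */
function strip_shortcodes_from_untrusted_comments( $comment_text, $comment = null ) {
	// The comment object is passed as the second argument since WP 4.1;
	// fall back to the current global comment for older callers.
	if ( ! $comment ) {
		$comment = get_comment();
	}

	// Anonymous commenters have user_id 0 and are never trusted here.
	// Registered users are trusted only if they may post unfiltered HTML
	// (admins/editors on single sites by default).
	if ( $comment && ! empty( $comment->user_id )
		&& user_can( (int) $comment->user_id, 'unfiltered_html' ) ) {
		return $comment_text;
	}

	// strip_shortcodes() removes only tags that are actually registered,
	// so literal [brackets] in ordinary comment text are left alone.
	return strip_shortcodes( $comment_text );
}

// Priority 9 and two accepted arguments: runs ahead of a plugin's
// default-priority do_shortcode() on comment_text.
add_filter( 'comment_text', 'strip_shortcodes_from_untrusted_comments', 9, 2 );
```

Dropping this file into wp-content/mu-plugins/ makes it load before regular plugins, so the priority-9 hook is in place regardless of which plugin later registers do_shortcode() on comment_text. If no plugin does so, the filter is harmless: comment text contains no executed shortcodes either way, and only registered shortcode tags are removed.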