Make WordPress Core

Opened 15 years ago

Closed 15 years ago

Last modified 15 years ago

#11932 closed defect (bug) (invalid)

Strip Shortcodes from untrusted comment authors

Reported by: kdzwinel
Owned by: ryan
Milestone:
Priority: normal
Severity: normal
Version: 2.9.1
Component: Security
Keywords:
Focuses:
Cc:

Description

I don't really know where to post this. I don't use WordPress; I've just found an XSS bug in the comments on my friend's site. Details here:

http://wordpress.org/support/topic/353104?replies=2

BTW
I don't understand how you can make people read this:
http://codex.wordpress.org/Submitting_Bugs
and then submit bugs using Trac, which is definitely not the most intuitive software for non-developers. It is really discouraging; I guess 10% of people who want to submit a bug get here.

Change History (5)

#1 @scribu
15 years ago

  • Milestone Unassigned deleted

This trac is reserved for bugs with WordPress itself. I've replied on the topic.

Related to non-developers being able to submit bugs easily, I'm not sure that's necessarily something we want to encourage.

They should post on the support forums, from which moderators can open valid tickets.

#2 @scribu
15 years ago

  • Resolution set to invalid
  • Status changed from new to closed

#3 @Denis-de-Bernardy
15 years ago

  • Milestone set to 2.9.2
  • Resolution invalid deleted
  • Status changed from closed to reopened
  • Summary changed from kaltura-widget xss security error to Strip Shortcodes from untrusted comment authors
  • Version set to 2.9.1

Re-opening this, because I think there's a genuine issue here.

We ought to strip shortcodes from comments unless they're inserted by trusted users.

#4 follow-up: @miqrogroove
15 years ago

  • Keywords xss kaltura removed
  • Milestone 2.9.2 deleted
  • Resolution set to invalid
  • Status changed from reopened to closed

I agree with scribu on this one. shortcodes.php only hooks the_content(). Shortcodes are already ignored in all comments.

#5 in reply to: ↑ 4 @ShaneF
15 years ago

Replying to miqrogroove:

I agree with scribu on this one. shortcodes.php only hooks the_content(). Shortcodes are already ignored in all comments.

By default. A plugin author can always add comments to allow their shortcode to be used there.
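The last two comments make the point that core never runs shortcodes on comments, but a plugin that hooks do_shortcode() onto comment output does. The following mu-plugin is an added example, not code from WordPress core or from this ticket; it implements the mitigation proposed in comment 3 by removing shortcode syntax from a comment at submission time unless the commenter holds the unfiltered_html capability. The hook name pre_comment_content, strip_shortcodes() and current_user_can() are real WordPress APIs; the function name and the commented-out plugin line are illustrative.

```php
<?php
/**
 * Plugin Name: Strip shortcodes from untrusted comments (added example)
 *
 * Added example for the discussion above, not WordPress core code.
 * It removes shortcode syntax from comment content before the comment is
 * stored unless the commenter is trusted to post unfiltered HTML.
 */

// The configuration that creates the exposure: a plugin that runs shortcodes
// on comment output. Core itself only hooks the_content(). Left commented
// out here so the example does not enable it.
// add_filter( 'comment_text', 'do_shortcode' );

/**
 * Remove shortcode syntax from comment content for untrusted authors.
 *
 * Runs on the pre_comment_content filter, i.e. when the comment is submitted,
 * so later output filters (including a plugin's do_shortcode()) never see
 * shortcode tags from visitors who lack the unfiltered_html capability.
 * Administrators and editors keep the ability to use shortcodes.
 *
 * @param string $content Raw comment content as submitted.
 * @return string Content with registered shortcodes removed for untrusted authors.
 */
function example_strip_untrusted_comment_shortcodes( $content ) {
    // Trusted users (those allowed to post unfiltered HTML) are left alone.
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $content;
    }
    // strip_shortcodes() removes tags for every shortcode registered at this
    // point, which by submission time includes those added by active plugins.
    return strip_shortcodes( $content );
}
add_filter( 'pre_comment_content', 'example_strip_untrusted_comment_shortcodes' );
```

Two caveats a site owner should know before relying on this: strip_shortcodes() only removes tags that are registered via add_shortcode() at the time it runs, so unregistered bracket text is left untouched (which is harmless, since do_shortcode() ignores it too), and because the stripping happens on save, comments that were submitted before the plugin was activated are not retroactively cleaned.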
