
Opened 23 months ago

Closed 23 months ago

Last modified 22 months ago

#20812 closed enhancement (fixed)

Don't allow unfiltered HTML comments from a frame

Reported by: nacin
Owned by: ryan
Milestone: 3.3.3
Priority: normal
Severity: normal
Version:
Component: Security
Keywords: has-patch commit
Focuses:
Cc:

Description

As of #12293 we issue an X-Frame-Options header in the admin and on wp-login.php. We avoided this for the frontend, as we need to balance security and usability on this. Many sites are loaded in frames, often without the knowledge or foresight of the administrator (think Stumbleupon and other toolbars).

We have not classified the posting of a comment as, in itself, a vulnerability, whether via CSRF or an email imposter. We guard against CSRF for unfiltered HTML. We should also guard against frames.

The attached patch also prevents a comment with unfiltered HTML when the form is loaded within a frame. It does this by using JavaScript to, under the right circumstances, rename the input nonce to the correct name. By enabling it when we are in the top frame, rather than disabling it when we are not, we prevent issues relating to a browser's reflective XSS filter being used to kill the JS. The JS has to run to make it work.

The patch also provides a basic enhancement for our kses comment filtering by allowing the post filters (wp_filter_post_kses), rather than the comment filters (wp_filter_kses), to be applied if the user has unfiltered_html. Thus, if the nonce fails in wp-comments-post.php, and we call kses_init_filters(), the Editor or Administrator will still be able to use more HTML than usual. This alleviates issues when the user is not executing JavaScript. (In 3.5, I would like to provide for post filtering for comments by any Author or above, but this is a start.)
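The mechanism the description outlines, as an added example that is not the attached 20812.diff and not WordPress's own code: a browser-side step that renames the nonce field only when the document is the top frame (so a blocked or killed script leaves the nonce unusable), and a model of the server-side fallback between no filtering, the post filters (wp_filter_post_kses) and the comment filters (wp_filter_kses). The field names `_wp_unfiltered_html_comment` and `_wp_unfiltered_html_comment_disabled`, the nonce value and the window fixtures are assumptions constructed for this example.

```javascript
// Added example; not the ticket's patch. Field names below are assumptions.
const NONCE_NAME = '_wp_unfiltered_html_comment';
const DISABLED_NAME = NONCE_NAME + '_disabled';

// Browser side. The server only honours the nonce under NONCE_NAME, so the
// form ships it under DISABLED_NAME and JavaScript renames it only in the
// top-level document (window.top === window.self in a real browser). If the
// script never runs (blocked, or killed by a reflective XSS filter), the
// field keeps the name the server ignores, so the check fails closed.
function enableUnfilteredNonce(win, input) {
  const isTopFrame = win.top === win.self;
  if (isTopFrame && input.name === DISABLED_NAME) {
    input.name = NONCE_NAME;
    return true;
  }
  return false;
}

// Server side, modelled in JavaScript for the example. Mirrors the ticket's
// fallback: a valid nonce plus unfiltered_html means no kses filtering;
// without a valid nonce, a user with unfiltered_html gets the post filters
// (wp_filter_post_kses) and everyone else gets the comment filters
// (wp_filter_kses).
function chooseCommentFilters(postFields, verifyNonce, userCanUnfilteredHtml) {
  if (!userCanUnfilteredHtml) {
    return 'wp_filter_kses';
  }
  const nonce = postFields[NONCE_NAME];
  if (typeof nonce === 'string' && verifyNonce(nonce)) {
    return 'unfiltered';
  }
  return 'wp_filter_post_kses';
}

// Constructed fixtures standing in for the DOM and the request.
const EXPECTED_NONCE = 'deadbeef01'; // constructed value, not a real WP nonce
function verifyNonce(value) {
  return value === EXPECTED_NONCE;
}

function makeNonceInput() {
  return { name: DISABLED_NAME, value: EXPECTED_NONCE };
}
function topWindow() {
  const w = {};
  w.top = w;
  w.self = w;
  return w;
}
function framedWindow() {
  const parent = {};
  const w = { top: parent };
  w.self = w;
  return w;
}

// Form submission serialises inputs under their *current* name.
function serialise(...inputs) {
  const fields = {};
  for (const input of inputs) fields[input.name] = input.value;
  return fields;
}

// End-to-end: which filter set applies for a given window, capability, and
// whether the page's JavaScript got to run at all.
function simulateComment(win, userCanUnfilteredHtml, jsRuns = true) {
  const input = makeNonceInput();
  if (jsRuns) enableUnfilteredNonce(win, input);
  return chooseCommentFilters(serialise(input), verifyNonce, userCanUnfilteredHtml);
}

// Sanity run when executed directly with node.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('top frame, unfiltered_html, js ran:  ', simulateComment(topWindow(), true));
  console.log('framed, unfiltered_html, js ran:     ', simulateComment(framedWindow(), true));
  console.log('top frame, unfiltered_html, no js:   ', simulateComment(topWindow(), true, false));
  console.log('top frame, no unfiltered_html, js:   ', simulateComment(topWindow(), false));
}
```

The point of renaming on the enabling side is visible in the third case: when the script does not run at all, the outcome is the same as when the page is framed, so the privileged path depends on the script having executed rather than on it not having been interfered with.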

Attachments (1)

20812.diff (2.1 KB) - added by nacin 23 months ago.


Change History (5)

nacin 23 months ago

comment:1 ryan 23 months ago

Looks good.

comment:2 ryan 23 months ago

  • Owner set to ryan
  • Resolution set to fixed
  • Status changed from new to closed

In [20974]:

Don't allow unfiltered HTML comments from a frame. Props nacin. fixes #20812

comment:3 nacin 22 months ago

In [21082]:

Don't allow unfiltered HTML comments from a frame. fixes #20812 for the 3.3 branch.

comment:4 nacin 22 months ago

  • Milestone changed from 3.4 to 3.3.3