#20812 closed enhancement (fixed)
Don't allow unfiltered HTML comments from a frame
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | 3.3.3 | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Security | Keywords: | has-patch commit |
| Focuses: | | Cc: | |
Description
As of #12293 we issue an X-Frame-Options header in the admin and on wp-login.php. We avoided this for the frontend, as we need to balance security and usability on this. Many sites are loaded in frames, often without the knowledge or foresight of the administrator (think Stumbleupon and other toolbars).
We have not classified the posting of a comment in itself a vulnerability, whether via CSRF or an email imposter. We guard against CSRF for unfiltered HTML. We should also guard against frames.
The attached patch also prevents a comment with unfiltered HTML when the form is loaded within a frame. It does this by using JavaScript to, under the right circumstances, rename the input nonce to the correct name. By enabling it when we are in the top frame, rather than disabling it when we are not, we prevent issues relating to a browser's reflective XSS filter being used to kill the JS. The JS has to run to make it work.
The patch also provides a basic enhancement for our kses comment filtering by allowing the post filters (wp_filter_post_kses), rather than the comment filters (wp_filter_kses), to be applied if the user has unfiltered_html. Thus, if the nonce fails in wp-comments-post.php, and we call kses_init_filters(), the Editor or Administrator will still be able to use more HTML than usual. This alleviates issues when the user is not executing JavaScript. (In 3.5, I would like to provide for post filtering for comments by any Author or above, but this is a start.)
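The opt-in nonce rename described above, as an added example that is not the patch attached to this ticket and not WordPress core code. The field names (`_wp_unfiltered_html_comment_disabled` as the placeholder, `_wp_unfiltered_html_comment` as the name the server checks), the nonce value and the form contents are constructed for illustration; the form, window and server pieces are small stand-ins so the logic runs outside a browser.

```javascript
// Added example, not the patch attached to the ticket: the nonce input is
// shipped under a placeholder name and JavaScript renames it to the name the
// server checks, but only when the page is the top-level browsing context.
// Opt-in (enable at top) rather than opt-out (disable in a frame) means that
// killing the script leaves the unfiltered-HTML nonce inactive.
//
// Assumed names (hypothetical, not from the ticket): the placeholder
// "_wp_unfiltered_html_comment_disabled" and the active field name
// "_wp_unfiltered_html_comment".
const PLACEHOLDER_NAME = "_wp_unfiltered_html_comment_disabled";
const ACTIVE_NAME = "_wp_unfiltered_html_comment";

// True only in the top-level browsing context. Reading window.top from a
// cross-origin frame may throw in some browsers; treat that as "framed".
function isTopFrame(win) {
  try {
    return win.top === win.self;
  } catch (e) {
    return false;
  }
}

// Rename the placeholder field so the server will honour the nonce.
// Returns true if the field was activated.
function enableUnfilteredHtmlNonce(form, win) {
  if (!isTopFrame(win)) {
    return false;
  }
  const field = form.querySelector('input[name="' + PLACEHOLDER_NAME + '"]');
  if (!field) {
    return false;
  }
  field.name = ACTIVE_NAME;
  return true;
}

// Server-side counterpart (simulated): the nonce is consulted only under the
// active name, so a submission whose field kept the placeholder name is
// treated exactly like one with no nonce at all and falls back to kses.
function serverAcceptsUnfilteredHtml(postedFields, expectedNonce) {
  const presented = postedFields[ACTIVE_NAME];
  return typeof presented === "string" && presented === expectedNonce;
}

// --- Stand-ins so the example runs outside a browser ---------------------

// Minimal form with a querySelector that understands input[name="..."].
function makeForm(inputs) {
  return {
    inputs,
    querySelector(selector) {
      const m = /^input\[name="([^"]+)"\]$/.exec(selector);
      if (!m) return null;
      return inputs.find((i) => i.name === m[1]) || null;
    },
  };
}

// Serialise the form fields the way a browser would for a POST body.
function serialize(form) {
  const out = {};
  for (const input of form.inputs) {
    out[input.name] = input.value;
  }
  return out;
}

// Fake window: "top" (top-level), "framed" (same-origin frame) or anything
// else (cross-origin frame whose window.top access throws).
function makeWindow(kind) {
  const self = {};
  if (kind === "top") {
    return { self, top: self };
  }
  if (kind === "framed") {
    return { self, top: {} };
  }
  return {
    self,
    get top() {
      throw new Error("SecurityError: cross-origin access");
    },
  };
}

// End-to-end walkthrough with a constructed nonce value: does the server
// accept the comment as unfiltered HTML when the page is loaded as `kind`?
function demo(kind) {
  const nonce = "deadbeef01"; // constructed sample value, not a real nonce
  const form = makeForm([
    { name: "comment", value: "<script>alert(1)</script>" },
    { name: PLACEHOLDER_NAME, value: nonce },
  ]);
  enableUnfilteredHtmlNonce(form, makeWindow(kind));
  return serverAcceptsUnfilteredHtml(serialize(form), nonce);
}
```

In a real page the same logic would run against `document.forms` with the live `window`; the point of the stand-ins is only that `demo("top")` is the single case in which the nonce reaches the server under the name it checks, while a framed page, a cross-origin frame, or a page where the script never ran all degrade to the ordinary filtered-comment path.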
Looks good.