Make WordPress Core

Opened 12 years ago

Closed 12 years ago

Last modified 12 years ago

#20812 closed enhancement (fixed)

Don't allow unfiltered HTML comments from a frame

Reported by: nacin
Owned by: ryan
Milestone: 3.3.3
Priority: normal
Severity: normal
Version:
Component: Security
Keywords: has-patch commit
Focuses:
Cc:


As of #12293 we issue an X-Frame-Options header in the admin and on wp-login.php. We avoided this for the frontend, as we need to balance security and usability on this. Many sites are loaded in frames, often without the knowledge or foresight of the administrator (think Stumbleupon and other toolbars).

We have not classified the posting of a comment in itself a vulnerability, whether via CSRF or an email imposter. We guard against CSRF for unfiltered HTML. We should also guard against frames.

The attached patch also prevents a comment with unfiltered HTML when the form is loaded within a frame. It does this by using JavaScript to, under the right circumstances, rename the input nonce to the correct name. By enabling it when we are in the top frame, rather than disabling it when we are not, we prevent issues relating to a browser's reflective XSS filter being used to kill the JS. The JS has to run to make it work.

The patch also provides a basic enhancement for our kses comment filtering by allowing the post filters (wp_filter_post_kses), rather than the comment filters (wp_filter_kses), to be applied if the user has unfiltered_html. Thus, if the nonce fails in wp-comments-post.php, and we call kses_init_filters(), the Editor or Administrator will still be able to use more HTML than usual. This alleviates issues when the user is not executing JavaScript. (In 3.5, I would like to provide for post filtering for comments by any Author or above, but this is a start.)
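The opt-in mechanism the ticket describes, as an added illustration rather than the contents of 20812.diff: the form ships its nonce under a placeholder field name, and the script renames it to the name the server checks only when the page is the top-level browsing context. The field names, the `commentform` id and the DOM stand-in are assumptions made for this example.

```javascript
// Added example, not the WordPress patch. Field names below are hypothetical.
const PLACEHOLDER_NAME = '_wp_unfiltered_html_comment_disabled'; // what the server ignores
const REAL_NAME = '_wp_unfiltered_html_comment';                // what wp-comments-post.php would check

// True only when this window is the top browsing context. window.top is readable
// cross-origin for an identity comparison; if a browser throws, treat it as framed.
function isTopFrame(win) {
  try {
    return win.top === win.self;
  } catch (e) {
    return false;
  }
}

// Enable, never disable: if the script does not run (framed, blocked, XSS filter
// killed it), the nonce keeps its placeholder name and the server applies kses.
function enableUnfilteredNonce(win, form) {
  if (!isTopFrame(win)) return false;
  const input = form.querySelector(`input[name="${PLACEHOLDER_NAME}"]`);
  if (!input) return false;
  input.name = REAL_NAME;
  return true;
}

// Minimal form stand-in (constructed) so the logic can be exercised outside a browser.
function fakeForm(fieldName) {
  const input = { name: fieldName, value: 'nonce-value' };
  return {
    input,
    querySelector: (sel) => (sel === `input[name="${input.name}"]` ? input : null),
  };
}

// Browser wiring: run once the comment form exists.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  window.addEventListener('DOMContentLoaded', () => {
    const form = document.getElementById('commentform'); // assumed form id
    if (form) enableUnfilteredNonce(window, form);
  });
}
```

Server-side, the request then carries `_wp_unfiltered_html_comment` only for submissions that came from an unframed page; a framed submission fails the nonce check and falls through to the kses filters.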

Attachments (1)

20812.diff (2.1 KB) - added by nacin 12 years ago.

Change History (5)

#1 @ryan
12 years ago

Looks good.

#2 @ryan
12 years ago

  • Owner set to ryan
  • Resolution set to fixed
  • Status changed from new to closed

In [20974]:

Don't allow unfiltered HTML comments from a frame. Props nacin. fixes #20812

#3 @nacin
12 years ago

In [21082]:

Don't allow unfiltered HTML comments from a frame. fixes #20812 for the 3.3 branch.

#4 @nacin
12 years ago

  • Milestone changed from 3.4 to 3.3.3