#22132 closed defect (bug) (invalid)
Malicious script allowed in attachment Title, Caption and Description
Reported by: |
|
Owned by: | |
---|---|---|---|
Milestone: | Priority: | normal | |
Severity: | normal | Version: | 3.4.2 |
Component: | Security | Keywords: | |
Focuses: | Cc: |
Description
If you enter Javascript in the Title, Alternate Text, Caption and/or Description fields of an attachment the Edit Media and Media Library screens will properly escape and didplay it. However, the Gallery shortcode and the display page reached from the attachment's permalink do not escape these values and the script is executed.
For example, enter this in the Title field:
Title"<script>alert('Title');</script>
The double-quote terminates the text field and the script is executed.
Change History (2)
Note: See
TracTickets for help on using
tickets.
When creating this ticket, this appeared at the top of the form:
This does not appear to be a security vulnerability. See: http://codex.wordpress.org/FAQ_Security#Why_are_some_users_allowed_to_post_unfiltered_HTML.3F.
You are welcome to email us if there's more here.