Opened 18 years ago
Closed 18 years ago
#3515 closed defect (bug) (fixed)
XSS through author's url in comments
Reported by: | xknown | Owned by: | |
---|---|---|---|
Milestone: | 2.0.6 | Priority: | high |
Severity: | major | Version: | 2.0.5 |
Component: | Security | Keywords: | has-patch |
Focuses: | | Cc: | |
Description
Due to bad validation of the author's URL value in comments, someone can easily inject JavaScript code into the href attribute:
You can try with this value in the author's url field:
javascript:alert(document.cookie);v//://
To "exploit" this bug, as you can see, it needs (logged-in) user interaction.
PS: Sorry for my bad English.
Attachments (1)
Change History (4)
Attached proto.diff, which forces clean_url through wp_kses_bad_protocol with the default protocol list. E.g. if "javascript:" is the protocol, it will return an empty string rather than a "sanitized" URL.
This can be applied to 2.0 and trunk.
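The fix described above (reject the whole URL when its scheme is not on an allowlist, instead of trying to "clean" it) as an added example in Python; this is not WordPress's code nor the proto.diff patch, and the allowlist, function names and test values are constructed for illustration. It decodes entities and strips control characters before reading the scheme, which is why the ticket's payload and its case or entity variants all collapse to an empty string.

```python
import html
import re
from typing import Iterable

# Schemes a comment author URL may use. Constructed allowlist for this example,
# not WordPress's own default protocol list.
ALLOWED_SCHEMES = ("http", "https", "ftp", "mailto")

# Leading scheme: letters/digits/+.- up to the first ':'. A URL whose first
# ':' is preceded by '/', '?' or '#' does not match and is treated as relative.
_SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.-]*):", re.IGNORECASE)


def _normalize(url: str) -> str:
    """Undo the cheap obfuscations a scheme check has to see through."""
    # Decode HTML entities until nothing changes, so double-encoded
    # entities are resolved as well as single ones.
    decoded = url
    while True:
        step = html.unescape(decoded)
        if step == decoded:
            break
        decoded = step
    # Browsers ignore ASCII whitespace and control characters inside a
    # scheme, so drop them before looking at it.
    return re.sub(r"[\x00-\x20\x7f]", "", decoded)


def safe_url(url: str, allowed: Iterable[str] = ALLOWED_SCHEMES) -> str:
    """Return url if its scheme is on the allowlist (or it has no scheme);
    otherwise return '' so the link is dropped instead of being 'cleaned'."""
    match = _SCHEME_RE.match(_normalize(url))
    if match is None:
        return url.strip()  # relative URL such as /about: nothing to check
    scheme = match.group(1).lower()
    return url.strip() if scheme in allowed else ""


def href_attr(url: str) -> str:
    """Build the href= attribute for a comment author link, or nothing."""
    cleaned = safe_url(url)
    if not cleaned:
        return ""
    return ' href="%s"' % html.escape(cleaned, quote=True)
```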