Make WordPress Core

Opened 19 years ago

Closed 19 years ago

Last modified 5 months ago

#3888 closed defect (bug) (fixed)

Wordpress Extend Section not Sanitizing all HTML Elements

Reported by: vxjasonxv
Owned by: mdawaffe
Milestone:
Priority: normal
Severity: normal
Version:
Component: WordPress.org Site
Keywords: rss
Focuses:
Cc:

Description

Per my Gregarius installation and the Feed Validator results:

The Extend section of the WordPress forums embeds a » character in the title, which is also re-used in the title elements of the RSS feeds. However, this character is not being turned into an RSS-valid hexadecimal value.
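The defect the report describes, shown as an added example (not code from the ticket or from WordPress.org; the sample title and the helper names are constructed for illustration): HTML named entities such as `&raquo;` are undefined in XML, so a feed title carrying one fails to parse, while the same title with the entity rewritten as a hexadecimal numeric character reference parses and decodes to the » character.

```python
import html.entities
import re
import xml.etree.ElementTree as ET

# XML predefines only these five entity names. Any other named entity
# (&raquo;, &copy;, ...) must become a numeric character reference or the
# literal UTF-8 character, or the feed is not well-formed.
XML_BUILTIN = {"amp", "lt", "gt", "quot", "apos"}
_NAMED_ENTITY_RE = re.compile(r"&([A-Za-z][A-Za-z0-9]*);")


def entities_to_ncr(text: str) -> str:
    """Rewrite HTML named entities as hexadecimal numeric character references.

    XML built-ins and names not in the HTML 4 entity table are left untouched.
    (Hypothetical helper written for this example.)
    """
    def repl(match: re.Match) -> str:
        name = match.group(1)
        if name in XML_BUILTIN:
            return match.group(0)
        codepoint = html.entities.name2codepoint.get(name)
        if codepoint is None:
            return match.group(0)
        return f"&#x{codepoint:X};"

    return _NAMED_ENTITY_RE.sub(repl, text)


def parse_feed_title(title: str):
    """Wrap the title in a minimal RSS 2.0 document and parse it as XML.

    Returns the decoded title text when the document is well-formed,
    or None when the parser rejects it (e.g. an undefined entity).
    """
    doc = f'<rss version="2.0"><channel><title>{title}</title></channel></rss>'
    try:
        return ET.fromstring(doc).find("channel/title").text
    except ET.ParseError:
        return None


# Constructed sample: a feed title carrying the HTML entity for ».
BROKEN_TITLE = "WordPress &raquo; Extend"

if __name__ == "__main__":
    print(parse_feed_title(BROKEN_TITLE))                    # None
    print(entities_to_ncr(BROKEN_TITLE))                     # WordPress &#xBB; Extend
    print(parse_feed_title(entities_to_ncr(BROKEN_TITLE)))   # WordPress » Extend
```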

Change History (3)

#1 @foolswisdom
19 years ago

  • Owner changed from matt to mdawaffe

#2 @mdawaffe
19 years ago

  • Resolution set to fixed
  • Status changed from new to closed

Fixed some time ago, it looks like.

#3 @devdanim
5 months ago

I was able to reproduce this issue on WordPress 6.4.3.

Steps I followed:

  1. Navigated to the Extend section (Appearance > Widgets).
  2. Inserted custom HTML with <video> and <iframe> tags.
  3. Saved the widget and noticed that some tags were not sanitized properly.

Expected behavior:
All disallowed HTML tags should be stripped or escaped for security.

Current behavior:
Certain tags (like <video>) are still rendered, which could pose a risk.

Tested on:

  • WordPress version: 6.4.3
  • Theme: Twenty Twenty-One
  • No plugins active