Make WordPress Core

Opened 3 years ago

Closed 3 years ago

#42964 closed defect (bug) (invalid)

Vuln Javascript with admin

Reported by: trungnd51
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 4.9.1
Component: General
Keywords:
Focuses:
Cc:

Description

Hi
I have read this:
https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-some-users-allowed-to-post-unfiltered-html

It says that I can disallow unfiltered HTML for all users, including administrators.
But admins can still post XSS in comments.
Is this a bug?
https://imgur.com/okS89Lr

Attachments (1)

Capture.PNG (26.5 KB) - added by trungnd51 3 years ago.


Change History (2)

@trungnd51
3 years ago

#1 @dd32
3 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

Hi @trungnd51,

You'll need to insert the define( 'DISALLOW_UNFILTERED_HTML', true ); line above the line which reads "That's all, Stop editing!" for it to take effect.
Currently it's being defined effectively after WordPress is run.

Next, in future, please take note of the warnings before submitting an issue to Trac. You would've triggered a warning about not submitting potential security vulnerabilities here; thankfully this isn't one, but in future please follow the steps in the link you posted on how to submit a security issue.
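As an added check, not part of the ticket or of WordPress itself: a small Python script that reads a wp-config.php and reports whether the DISALLOW_UNFILTERED_HTML define sits above the require of wp-settings.php, which is the line the "That's all, stop editing!" comment marks. The two sample configs are constructed, and the single-line comment stripping is a heuristic, not a PHP parser.

```python
import re

# In a stock wp-config.php the "That's all, stop editing!" comment sits directly
# above this require; anything defined after it is too late to affect WordPress.
SETTINGS_RE = re.compile(
    r"require(?:_once)?\s*\(?\s*ABSPATH\s*\.\s*['\"]wp-settings\.php['\"]")
DEFINE_RE = re.compile(
    r"define\s*\(\s*['\"]DISALLOW_UNFILTERED_HTML['\"]\s*,\s*(true|false|1|0)\s*\)",
    re.IGNORECASE)


def check_unfiltered_html(config_text):
    """Report whether DISALLOW_UNFILTERED_HTML will take effect.

    Returns a dict with 'status' in {'effective', 'ineffective', 'set_false',
    'not_set'} plus the 1-based line numbers of the define and the require.
    """
    define_line = settings_line = None
    value = None
    for n, line in enumerate(config_text.splitlines(), 1):
        code = re.split(r"//|#", line, maxsplit=1)[0]  # drop // and # comments
        if settings_line is None and SETTINGS_RE.search(code):
            settings_line = n
        m = DEFINE_RE.search(code)
        if m and define_line is None:  # PHP keeps the first definition it sees
            define_line = n
            value = m.group(1).lower() in ("true", "1")
    if define_line is None:
        status = "not_set"
    elif not value:
        status = "set_false"
    elif settings_line is not None and define_line > settings_line:
        status = "ineffective"
    else:
        status = "effective"
    return {"status": status, "define_line": define_line,
            "settings_line": settings_line}


# Constructed sample: the define was appended after the marker, as in the ticket.
MISPLACED = """<?php
define( 'DB_NAME', 'wp' );
/* That's all, stop editing! Happy blogging. */
require_once ABSPATH . 'wp-settings.php';
define( 'DISALLOW_UNFILTERED_HTML', true );
"""

# Constructed sample: the define sits above the marker, where it takes effect.
CORRECT = """<?php
define( 'DB_NAME', 'wp' );
define( 'DISALLOW_UNFILTERED_HTML', true );
/* That's all, stop editing! Happy blogging. */
require_once ABSPATH . 'wp-settings.php';
"""

if __name__ == "__main__":
    for name, text in (("misplaced", MISPLACED), ("correct", CORRECT)):
        print(name, check_unfiltered_html(text))
```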
