#43021 closed defect (bug) (invalid)
Menu item titles allow arbitrary HTML and script tags
| Reported by: | foobuilder | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | 4.9.1 |
| Component: | Menus | Keywords: | |
| Focuses: | | Cc: | |
Description
WordPress allows menu titles to contain arbitrary HTML and script tags. It looks like the titles are not sanitized to remove unsafe HTML when saved, and then not escaped on output. Screenshots attached.
Attachments (3)
Change History (7)
This is by design. On single sites, admins and editors have the capability to post unfiltered HTML in various places within the WordPress dashboard (including comment replies etc). In multi-sites, only super admins can post unfiltered HTML. Here is a link to the Codex about the capability.
Thanks for reporting this though. In future, any potential security reports should be posted to HackerOne.
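For a site owner who does not want editors or admins to keep the unfiltered_html capability the comment above refers to, here is an added illustration (not WordPress core code and not from the ticket) of an mu-plugin that denies the capability the same way the documented DISALLOW_UNFILTERED_HTML constant does, and additionally runs rendered menu item titles through wp_kses_post as defence in depth:

```php
<?php
/**
 * Plugin Name: Deny unfiltered_html for menu titles (example)
 * Description: Added example, not WordPress core. Drop into wp-content/mu-plugins/.
 *
 * Assumptions: WordPress 4.4 or later (for the nav_menu_item_title filter),
 * and that the site owner is willing to give up raw HTML in titles for all roles.
 * Defining DISALLOW_UNFILTERED_HTML in wp-config.php is the documented way to
 * get the first half of this; the filter below shows what that constant does.
 */

// 1. Deny the unfiltered_html meta capability to every user. Once it is denied,
//    kses_init_filters() attaches wp_filter_kses to title_save_pre, so the
//    post_title of nav_menu_item posts is filtered when the menu is saved.
add_filter( 'map_meta_cap', function ( $caps, $cap ) {
    if ( 'unfiltered_html' === $cap ) {
        $caps[] = 'do_not_allow'; // same mechanism core uses for DISALLOW_UNFILTERED_HTML
    }
    return $caps;
}, 10, 2 );

// 2. Defence in depth on output: Walker_Nav_Menu::start_el() prints the title
//    without escaping, so titles stored before this plugin was active would
//    still render as-is. wp_kses_post() keeps the HTML allowed in post content
//    (links, emphasis, etc.) and strips script and event-handler markup.
add_filter( 'nav_menu_item_title', function ( $title ) {
    return wp_kses_post( $title );
}, 10, 1 );
```

After enabling this, re-save existing menus so stored titles are re-filtered, and confirm with `current_user_can( 'unfiltered_html' )` returning false for an administrator.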