Make WordPress Core

Opened 6 years ago

Closed 6 years ago

Last modified 6 years ago

#43021 closed defect (bug) (invalid)

Menu item titles allow arbitrary HTML and script tags

Reported by: foobuilder Owned by:
Milestone: Priority: normal
Severity: normal Version: 4.9.1
Component: Menus Keywords:
Focuses: Cc:


WordPress allows menu titles to contain arbitrary HTML and script tags. It looks like the titles are not sanitized to remove unsafe HTML when saved, and then not escaped on output. Screenshots attached.

Attachments (3)

Change History (7)

#1 @danieltj
6 years ago

  • Keywords close added
  • Resolution set to invalid
  • Status changed from new to closed

This is by design. On single sites, admins and editors have the capability to post unfiltered HTML in various places within the WordPress dashboard (including comment replies etc). In multi-sites, only super admins can post unfiltered HTML. Here is a link to the Codex about the capability.

Thanks for reporting this though. In future, any potential security reports should be posted to HackerOne.

Last edited 6 years ago by danieltj
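For readers who want to see how the capability described above governs sanitization, here is an added mu-plugin sketch that is not part of this ticket or of WordPress core. The file name and the two anonymous callbacks are assumptions; the hooks (`map_meta_cap`, `wp_nav_menu_objects`), the `unfiltered_html` capability and `wp_kses_post()` are core APIs.

```php
<?php
/**
 * Plugin Name: Restrict unfiltered HTML in menu titles (constructed example)
 * Assumed location: wp-content/mu-plugins/restrict-unfiltered-html.php
 */

// 1. Deny the unfiltered_html capability to everyone who is not a super admin.
//    Without the capability, core's kses filters (hooked on title_save_pre /
//    content_save_pre) strip <script> and similar markup when a menu item is
//    saved. Note: on a single site, is_super_admin() is true for any user with
//    the delete_users capability, i.e. ordinary administrators. The blunter
//    core switch is define( 'DISALLOW_UNFILTERED_HTML', true ) in wp-config.php,
//    which denies the capability to every user, super admins included.
add_filter( 'map_meta_cap', function ( $caps, $cap, $user_id ) {
    if ( 'unfiltered_html' === $cap && ! is_super_admin( $user_id ) ) {
        return array( 'do_not_allow' );
    }
    return $caps;
}, 10, 3 );

// 2. Defence in depth: sanitize menu item titles on output, so markup that
//    reached the database before this plugin was installed is neutralised too.
//    wp_kses_post() keeps the inline markup allowed in post content (<em>,
//    <strong>, <a href>) and removes <script>, on* event handlers and
//    javascript: URLs.
add_filter( 'wp_nav_menu_objects', function ( $items ) {
    foreach ( $items as $item ) {
        $item->title = wp_kses_post( $item->title );
    }
    return $items;
} );
```

Step 2 only covers menus rendered through wp_nav_menu(); a theme that reads nav_menu_item posts directly must apply the same escaping itself.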

#2 @netweb
6 years ago

  • Keywords close removed
  • Milestone Awaiting Review deleted

#4 @foobuilder
6 years ago

Got it! Thank you both for clarifying. Sorry for the bad ticket.
