Make WordPress Core

Opened 2 years ago

Closed 2 years ago

#43027 closed enhancement (wontfix)

Class comment-author-$login uses login, why not ID

Reported by: webliberty
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: Comments
Keywords: close
Focuses: template
Cc:

Description

Logging in to the administrator console requires entering a login and a password. If the comment contains a class with the login, then the attacker only has to pick up the password, because the login is already known.

Why not replace the login with the ID or a nickname?

Change History (3)

#1 @swissspidy
2 years ago

  • Keywords close added

Disclosing usernames is not a security issue, see https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue.

Also worth noting that usernames are displayed in many more locations, not just this HTML class. Only changing it in one place doesn't make sense. Plus, there are themes that use comment-author-$login for styling or other purposes. We can't just remove that, otherwise we break these themes.

#2 @webliberty
2 years ago

Got it. I agree; for styling, comment-author-$ID is quite suitable as well.

Knowing the login, it's easier to pick up the password by searching with a dictionary. I hope in the future you will be able to return to this question and reconsider your point of view.
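
A site that wants an ID-based class as suggested in #2, without touching core and without removing the comment-author-$login class that existing themes style against (the concern raised in #1), can add a second class from a small plugin through the `comment_class` filter. This is an added example, not code from the ticket or from WordPress core; the `comment_class` filter and its arguments are real, the plugin itself is hypothetical.

```php
<?php
/**
 * Plugin Name: Comment Author ID Class (hypothetical example)
 * Description: Adds comment-author-id-{ID} next to the core class so that
 *              theme CSS written against comment-author-$login keeps working.
 */

/**
 * Build the extra class for one comment. Kept as a plain function so it can
 * be exercised outside the filter; returns null for guest comments.
 */
function example_comment_author_id_class( $comment ) {
    // Only comments left by registered users carry a user ID; guests have 0.
    if ( $comment instanceof WP_Comment && (int) $comment->user_id > 0 ) {
        return 'comment-author-id-' . (int) $comment->user_id;
    }
    return null;
}

// get_comment_class() applies this filter with: the class list, the extra
// classes requested by the template, the comment ID, the WP_Comment object
// and the post ID. We append to the list and never remove the core class.
add_filter( 'comment_class', function ( $classes, $class, $comment_id, $comment, $post_id ) {
    $extra = example_comment_author_id_class( $comment );
    if ( null !== $extra && ! in_array( $extra, $classes, true ) ) {
        $classes[] = $extra;
    }
    return $classes;
}, 10, 5 );
```

Themes can then target `.comment-author-id-42` in their own stylesheets while themes that still rely on the login-based class are unaffected.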

#3 @johnbillion
2 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to wontfix
  • Status changed from new to closed