Users without unfiltered_html capability can post arbitrary html
Reported by: xknown | Owned by:
The user only needs to tamper with the data sent to post.php or page.php and add a field named no_filter with any value.
Change History (15)
- Keywords has-patch added
- Priority changed from normal to high
- Severity changed from normal to major
- Milestone 2.2.3 deleted
- Resolution set to invalid
- Status changed from new to closed
- Milestone set to 2.2.3
- Resolution invalid deleted
- Status changed from closed to reopened
- Version set to 2.2.2
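The flaw this ticket describes, modelled as an added example (not WordPress core code and not the attached patch): a save handler that lets a request field switch off HTML filtering, next to a version that honors the field only for users holding unfiltered_html. The function names, the role table and the strip_tags-based filter are assumptions made for illustration.

```php
<?php
// Added example with hypothetical names; it models the reported behaviour
// and is not taken from WordPress.

// Constructed role table: role => capabilities.
const ROLE_CAPS = [
    'administrator' => ['edit_posts', 'unfiltered_html'],
    'author'        => ['edit_posts'],
];

function user_can(string $role, string $cap): bool {
    return in_array($cap, ROLE_CAPS[$role] ?? [], true);
}

// Stand-in for a real HTML filter: keeps a small tag allowlist.
// strip_tags() leaves attributes on allowed tags untouched, so it is
// only good enough to make the difference visible here.
function filter_html(string $html): string {
    return strip_tags($html, '<p><em><strong>');
}

// Flawed: the presence of a client-supplied field decides whether the
// filter runs, whatever the user's capabilities are.
function save_content_flawed(string $role, array $post): string {
    if (isset($post['no_filter'])) {
        return $post['content'];
    }
    return filter_html($post['content']);
}

// Checked: the field is honored only together with the capability.
function save_content_checked(string $role, array $post): string {
    $skip = isset($post['no_filter']) && user_can($role, 'unfiltered_html');
    return $skip ? $post['content'] : filter_html($post['content']);
}

// Constructed request body carrying the extra field.
$post = ['content' => '<p>hi</p><script>alert(1)</script>', 'no_filter' => '1'];

foreach (['author', 'administrator'] as $role) {
    printf("%-13s flawed:  %s\n", $role, save_content_flawed($role, $post));
    printf("%-13s checked: %s\n", $role, save_content_checked($role, $post));
}
```

With the checked handler, the author's submission comes back with the script tag stripped, while the administrator's is stored unchanged.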