Opened 2 years ago
Last modified 23 months ago
#55968 new defect (bug)
xss string to be treated as simple string
Reported by: | vibhanshujain | Owned by: | |
---|---|---|---|
Milestone: | Awaiting Review | Priority: | normal |
Severity: | normal | Version: | |
Component: | Editor | Keywords: | has-patch has-unit-tests |
Focuses: | | Cc: | |
Description
An XSS string is to be treated as a simple string while creating a post from the Dashboard, or should not be allowed to be saved as a draft.
Current Behaviour:
WordPress allows a post to be saved as a draft with an XSS string; however, editing of the post is not allowed.
Expected Behaviour:
Behaviour should be consistent from an end-user perspective.
Steps To Reproduce:
Step-1: Log in to WordPress 6.1
Step-2: Navigate to the Dashboard.
Step-3: Enter simple XSS text for the title in the Quick Draft section
e.g.: <svg onload=alert(XSS)>
Step-4: Click on Save draft to save post as draft
Step-5: Click on newly created xss titled post to edit the same.
Attachments (2)
Change History (5)
This ticket was mentioned in PR #2803 on WordPress/wordpress-develop by vjvibhanshu.
2 years ago
#1
- Keywords has-patch has-unit-tests added; needs-patch removed
Trac ticket: #55968
Test case file xss-string.test.js added to test the patch for ticket #55968