Make WordPress Core

Opened 2 years ago

Last modified 20 months ago

#55968 new defect (bug)

xss string to be treated as simple string

Reported by: vibhanshujain
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version:
Component: Editor
Keywords: has-patch has-unit-tests
Focuses:
Cc:


An XSS string should be treated as a simple string while creating a post from the Dashboard, or it should not be allowed to be saved as a draft.

Current Behaviour:
WordPress allows saving a post as a draft with an XSS string; however, editing the post is not allowed.

Expected Behaviour:
Behaviour should be consistent from the end-user perspective.

Steps To Reproduce:
Step 1: Log in to WordPress 6.1.
Step 2: Navigate to the Dashboard.
Step 3: Enter a simple XSS text as the title in the Quick Draft section,

e.g. <svg onload=alert(XSS)>

Step 4: Click on Save Draft to save the post as a draft.
Step 5: Click on the newly created XSS-titled post to edit it.
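
The two outcomes the ticket asks to choose between (treat the title as a plain string, or refuse to save it) come down to output encoding versus input rejection. The following is an added example, not code from the ticket, the linked PR or WordPress core: escapeHtml HTML-encodes the title so that <svg onload=alert(XSS)> renders as literal text wherever it is printed, looksLikeMarkup is a deliberately broad heuristic that a "must not be saved as draft" policy could use, and saveDraftTitle is a constructed stand-in for the Quick Draft save path. All three names and the sample titles are assumptions made for this example. One caveat the ticket does not state: WordPress applies KSES filtering to titles on save for users without the unfiltered_html capability, so whether the raw tag is stored at all depends on the role of the user reproducing the steps.

```javascript
// Added example, not WordPress code: the two ways of handling a title such as
// "<svg onload=alert(XSS)>" that the ticket asks to choose between.
//   1. Treat it as a plain string: store it as typed and HTML-encode it on output.
//   2. Refuse it: detect tag / event-handler syntax and do not save the draft.
// escapeHtml, looksLikeMarkup and saveDraftTitle are names assumed for this
// example; they are not WordPress API.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#039;',
};

// Option 1: encode the five characters that can break out of text or
// attribute context, so the browser renders the literal characters.
function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Option 2: broad heuristic used to reject a title outright. Any tag-like
// sequence, any on*= attribute and any javascript:/data:/vbscript: scheme
// triggers it, so it errs towards false positives (e.g. "onion = 1").
const TAG_RE = /<\s*\/?\s*[a-z][^>]*>/i;
const HANDLER_RE = /\bon[a-z]+\s*=/i;
const SCHEME_RE = /\b(?:javascript|data|vbscript)\s*:/i;

function looksLikeMarkup(str) {
  const s = String(str);
  return TAG_RE.test(s) || HANDLER_RE.test(s) || SCHEME_RE.test(s);
}

// Simulated Quick Draft save (constructed for this example; not the real
// WordPress save path). policy is 'escape' (option 1) or 'reject' (option 2).
function saveDraftTitle(rawTitle, policy = 'escape') {
  if (policy === 'reject' && looksLikeMarkup(rawTitle)) {
    return { ok: false, reason: 'title contains HTML markup or an event handler' };
  }
  // Under 'escape' the stored value is the raw text; encoding happens at
  // render time, so the same title can be reopened in the editor as text.
  return { ok: true, stored: String(rawTitle), rendered: escapeHtml(rawTitle) };
}

// Constructed sample inputs: a plain title and the ticket's payload.
const SAMPLE_TITLES = ['Hello world', '<svg onload=alert(XSS)>'];

// Runs both policies over the samples; returns the results keyed by title.
function demo() {
  const out = {};
  for (const t of SAMPLE_TITLES) {
    out[t] = { escape: saveDraftTitle(t, 'escape'), reject: saveDraftTitle(t, 'reject') };
  }
  return out;
}
```

With the 'escape' policy the payload is stored exactly as typed and every rendering of it (dashboard list, editor field, front end) must go through escapeHtml or an equivalent; that is what makes the draft reopen as harmless text. With the 'reject' policy the inconsistency the ticket describes disappears because the draft is never created, at the cost of refusing legitimate titles that merely look like markup.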

Attachments (2)

draftTitlepost.png (137.2 KB) - added by vibhanshujain 2 years ago.
xss titled drafted post
openDraft.png (67.5 KB) - added by vibhanshujain 2 years ago.
edit xss titled post


Change History (5)

This ticket was mentioned in PR #2803 on WordPress/wordpress-develop by vjvibhanshu.
2 years ago

  • Keywords has-patch has-unit-tests added; needs-patch removed

Trac ticket: #55968
Test case file xss-string.test.js added to test the patch for ticket #55968

@vibhanshujain
2 years ago

  • Attachment draftTitlepost.png added: xss titled drafted post

@vibhanshujain
2 years ago

  • Attachment openDraft.png added: edit xss titled post

This ticket was mentioned in Slack in #core by desrosj.
20 months ago

#3 @desrosj
20 months ago

  • Component changed from Posts, Post Types to Editor
  • Version 6.1 deleted