#58227 closed defect (bug) (invalid)
JavaScript can be entered as an image description
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Media | Keywords: | 2nd-opinion |
| Focuses: | | Cc: | |
Description
When editing an image (I didn't try other media) in WordPress, e.g. on [...]/wp-admin/post.php?post=[...]&action=edit,
you are able to enter JavaScript in the 'Description' field. You don't have to be admin for that. I first reported this on HackerOne and they let me know that there do not appear to be any security implications as a direct result of this behavior. It still shouldn't be possible, if you ask me. Once entered, opening the media URL will run the script, even if not logged in at all. So, for example, you can load an external JS file this way.
I wonder why TinyMCE doesn't filter it out there, btw.
Example:
<script>
  alert("this is a description, let's load something..");
  function loadSomething() {
    var script = document.createElement('script');
    script.src = 'https://cdn.jsdelivr.net/npm/bootstrap@5.0.2/dist/js/bootstrap.bundle.min.js';
    var head = document.getElementsByTagName("head")[0];
    head.appendChild(script);
  }
  loadSomething();
</script>
Change History (7)
#2 (follow-up: ↓ 4), 3 years ago
Ok, as an author it will be stripped. But why should it be allowed for an editor to enter JS there? I don't see why an image description should hold any JS at all.
#3, 3 years ago
- Keywords 2nd-opinion added; reporter-feedback removed
This is allowed because Editors and Administrators (on non-Multisite installations) have the unfiltered_html user capability, which is the same reason they can enter JavaScript into post content.
I agree that it makes little sense to allow JavaScript in this field. It would be a breaking change to disallow it, so we'd need to consider if there really is a use case to allow JavaScript here.
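One defensive option, as an added example that is neither the ticket's nor WordPress core's code (the must-use plugin file and its placement under wp-content/mu-plugins/ are assumptions): run the attachment Description and Caption through wp_kses_post() on save regardless of role, with the capability-level alternative of denying unfiltered_html outright shown alongside.

```php
<?php
/**
 * Plugin Name: Strip scripts from attachment descriptions (added example)
 *
 * Hypothetical must-use plugin: save as wp-content/mu-plugins/kses-attachments.php.
 * Not part of the ticket or of WordPress core.
 */

// Approach 1: sanitise the Description (stored in post_content) and Caption
// (post_excerpt) of every attachment on save, whatever the user's capabilities.
// wp_insert_attachment_data receives slashed data, so unslash before
// wp_kses_post() and re-slash afterwards, as core's own KSES save filter does.
add_filter( 'wp_insert_attachment_data', function ( array $data, array $postarr ) {
    foreach ( array( 'post_content', 'post_excerpt' ) as $field ) {
        if ( isset( $data[ $field ] ) && is_string( $data[ $field ] ) ) {
            // wp_kses_post() keeps the HTML allowed in post content and drops
            // <script>, event handlers and javascript: URLs.
            $data[ $field ] = wp_slash( wp_kses_post( wp_unslash( $data[ $field ] ) ) );
        }
    }
    return $data;
}, 10, 2 );

// Approach 2 (broader): deny unfiltered_html to every user, so Editors and
// Administrators get the same filtering as Authors in post content as well.
// This mirrors defining DISALLOW_UNFILTERED_HTML in wp-config.php; returning
// the primitive cap 'do_not_allow' from map_meta_cap expresses a hard denial.
add_filter( 'map_meta_cap', function ( array $caps, $cap ) {
    if ( 'unfiltered_html' === $cap ) {
        return array( 'do_not_allow' );
    }
    return $caps;
}, 10, 2 );
```

Both hooks only act at save time, so descriptions entered before the plugin was installed keep their markup until the attachment is re-saved. Approach 2 is the breaking change comment #3 warns about: it also strips script and embed markup from every Editor's and Administrator's posts.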
#4 (in reply to: ↑ 2), 3 years ago
Replying to Presskopp:
But why should it be allowed for an editor to enter JS there?
Because the Editor is the most powerful user of the site. They're there to edit the content. They need the ability to edit the content to anything they want. That's their job.
A lot of people get confused because they think that it's a hierarchy from Admin all the way down to Subscriber. It's not. Admins are not above editors. They're on an equal level. Admins have more ability to manage the site, but from the terms of being able to post content, they're absolutely equals with Editor.
Think of it like The Daily Planet. You have Clark Kent and Lois Lane. They are authors. You have Jimmy Olsen, who's a lowly contributor. Submitting his photos, but not being able to caption them the way he likes. And then you have Perry White. He's the editor, the man in charge. He makes the final decision about what appears in the paper or does not. Or does he?
Down in the bowels of the building, the guy working on the printing press and typesetting everything is the true man in charge. He fixes the printing press when it is broken. He handles the typesetting. And by extension, he could, in theory, put anything he wanted into the paper. He might not have a job tomorrow, but he could. This is the true most powerful person in the building... excluding Clark. This is the admin. He has this power because he needs this power to fix problems. In the end, there is always someone who wields ultimate power, because there must be.
However, the editor is in charge during normal operation. He decides what is printed in the paper. Or, in this case, on the website. I don't think the analogy fully extends to JavaScript code, but you use whatever you want there. And you can make the case that such script code is not needed for descriptions, but then you always run into cases where, if you turn it off, people are going to complain because it breaks their site. Somebody is always doing things weirdly.
@Presskopp Thank you very much for the report. Are you able to replicate this with an Author level user on a vanilla site with no plugins installed and one of the Twenty themes in use?
In testing on my local, an Editor or Administrator can indeed enter JavaScript here which is to be expected. When an Author level user enters JavaScript, it gets stripped out when the post is saved, which is to be expected. I tried this both on the attachment editing screen and in the media manager grid view.