Mask HTML output in _wp_dashboard_recent_comments_row()
Reported by: mastermind
Owned by: ryan
Component: Security
Keywords: has-patch tested commit
In _wp_dashboard_recent_comments_row(), dashboard.php, the post_title of a post is printed exactly as stored in the database. HTML special characters are not masked.
Luckily, with WP 2.7+ and PHP 5.2+, the auth cookies are HttpOnly. But they aren't on older setups, and there are enough other nasty XSS attacks (e.g. in conjunction with social engineering) that this is potentially dangerous.
- To be sure that the comment with the corresponding post_title is shown in the dashboard, leave a comment.
- Go to the admin dashboard.
In dashboard.php:483, change:

    $comment_post_title = get_the_title( $comment->comment_post_ID );

to:

    $comment_post_title = htmlspecialchars( get_the_title( $comment->comment_post_ID ) );
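The following stand-alone PHP snippet is an added illustration of the fix, not code from the ticket or from WordPress core. It stands in for the dashboard row with a plain sprintf() and uses a constructed post title containing HTML metacharacters, so that the unescaped and the escaped output can be compared side by side. The flags passed to htmlspecialchars() are the one detail worth noting: without ENT_QUOTES the default mode leaves single quotes untouched, and the charset argument should match the blog's encoding.

```php
<?php
// Added example (not from the ticket or WordPress core).
// Constructed post title with characters that are significant in HTML.
$comment_post_title = '<b>Quarterly "report" & \'notes\'</b>';

// Stands in for the dashboard row; the real row is built in
// _wp_dashboard_recent_comments_row() and is more elaborate.
function render_row( $author, $title ) {
    return sprintf( 'From %s on %s', $author, $title );
}

// Before the fix: the title goes to the page as stored in the database,
// so any markup in it is interpreted by the browser.
$unescaped_row = render_row( 'Alice', $comment_post_title );

// After the fix: HTML special characters are converted to entities.
// ENT_QUOTES also converts single quotes (the default ENT_COMPAT does not);
// the charset should match the blog's configured encoding.
$escaped_title = htmlspecialchars( $comment_post_title, ENT_QUOTES, 'UTF-8' );
$escaped_row   = render_row( 'Alice', $escaped_title );

echo "Unescaped: ", $unescaped_row, "\n";
echo "Escaped:   ", $escaped_row, "\n";
```

Run with `php example.php`: the first line still contains the literal `<b>` tag, the second shows it converted to `&lt;b&gt;` together with the quotes and the ampersand. In WordPress itself the same effect is obtained with the core wrapper (wp_specialchars() in the 2.7 codebase, esc_html() from 2.8 on), which applies the blog's charset automatically; the patched line in dashboard.php achieves the same result by calling htmlspecialchars() directly.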