Making WordPress.org

Opened 3 weeks ago

Closed 3 weeks ago

#4788 closed defect (fixed)

Various unescaped inputs/outputs

Reported by: jonoaldersonwp
Owned by:
Milestone:
Priority: normal
Component: General
Keywords:
Cc:

Description

It looks like we have a bunch of areas where HTML inputs aren't escaped, resulting in potential XSS and display issues.

Comments on Make posts
http://make.wordpress.org/core/2014/09/09/twenty-fifteen/
https://i.imgur.com/lW2OzVn.png

Review/forum/support content
https://wordpress.org/support/topic/bien-quelques-remarques-mineures/
https://i.imgur.com/vReAkEu.png

Change History (3)

3 weeks ago

This ticket was mentioned in Slack in #meta by jonoaldersonwp.

#2 @Otto42
3 weeks ago

  • Priority changed from highest omg bbq to normal

The support forums have a known issue with list items being able to "break" the layout. We allow lists, but don't always properly check for UL or OL surrounding them, basically. It's a relatively minor flaw that the forum moderators know how to fix when they find it.
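The two problems raised in this ticket, unescaped HTML reaching the page (the reporter's description) and list items that are allowed through without an enclosing UL or OL (Otto42's comment above), are both sanitizer decisions. The following is an added illustration, not WordPress.org's or bbPress's code, of a small allowlist-based sanitizer that escapes every tag outside an assumed allowlist and treats an `<li>` with no open list container as text rather than markup, while counting such orphans so moderators can be alerted. The allowlist, the orphan-handling rule and all sample inputs are assumptions constructed for this example.

```python
"""Illustrative list-aware HTML sanitizer for user-supplied comment markup.

Added example; not the WordPress.org / bbPress implementation. It escapes
anything outside a small tag allowlist and refuses an <li> that has no
enclosing <ul>/<ol>, which is the "list items break the layout" case.
The allowlist and the rules below are assumptions for this example.
"""
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "strong", "em", "code", "ul", "ol", "li"}  # assumed allowlist
LIST_CONTAINERS = {"ul", "ol"}


class ListAwareSanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.open_tags: list[str] = []  # allowed tags currently open, in order
        self.orphan_li = 0              # <li> seen with no open <ul>/<ol>

    def _emit_close(self, tag: str) -> None:
        self.out.append(f"</{tag}>")

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            # Not on the allowlist: render the raw tag as visible text.
            self.out.append(escape(self.get_starttag_text()))
            return
        if tag == "li":
            if not any(t in LIST_CONTAINERS for t in self.open_tags):
                # Orphan list item: escape it instead of emitting markup.
                self.orphan_li += 1
                self.out.append(escape(self.get_starttag_text()))
                return
            # A new <li> implicitly closes whatever is open inside the list.
            while self.open_tags[-1] not in LIST_CONTAINERS:
                self._emit_close(self.open_tags.pop())
        self.open_tags.append(tag)
        self.out.append(f"<{tag}>")     # attributes are dropped entirely

    def handle_startendtag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.handle_starttag(tag, attrs)
            self.handle_endtag(tag)
        else:
            self.out.append(escape(self.get_starttag_text()))

    def handle_endtag(self, tag):
        if tag not in self.open_tags:
            # Stray or disallowed close tag: keep it as visible text.
            self.out.append(escape(f"</{tag}>"))
            return
        # Close everything opened after the matching tag, then the tag itself.
        while True:
            closed = self.open_tags.pop()
            self._emit_close(closed)
            if closed == tag:
                break

    def handle_data(self, data):
        self.out.append(escape(data))   # text is always escaped on output

    def handle_comment(self, data):
        pass                            # HTML comments are dropped

    def close(self):
        super().close()
        while self.open_tags:           # close anything left open at the end
            self._emit_close(self.open_tags.pop())


def sanitize(fragment: str) -> tuple[str, int]:
    """Return (safe_html, orphan_li_count) for one comment body."""
    parser = ListAwareSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.orphan_li


if __name__ == "__main__":
    # Constructed sample inputs covering the two cases from the ticket.
    for sample in ("<li>Orphan item</li> breaks layout",
                   "<ul><li>a<li>b</ul>",
                   "<p>Hi <script>alert(1)</script></p>"):
        print(sanitize(sample))
```

A non-zero orphan count is a useful moderation signal: logging it per post lets moderators find the broken-list comments Otto42 describes instead of discovering them when the page layout breaks.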

#3 @ocean90
3 weeks ago

  • Keywords seo security removed
  • Resolution set to fixed
  • Status changed from new to closed

Both formatting errors have been corrected.

Please keep https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/ in mind; it obviously also applies to WordPress.org.
