Title: [Plugin: Dashboard Post-it] HTML injection
Last modified: August 19, 2016

---

# [Plugin: Dashboard Post-it] HTML injection

 *  Resolved [theresa95](https://wordpress.org/support/users/theresa95/)
 * (@theresa95)
 * [15 years, 2 months ago](https://wordpress.org/support/topic/plugin-dashboard-post-it-html-injection/)
 * filtering done in function dashboard_postit_Setup never uses the $newoptions variable,
   allowing HTML injection by unauthorized users

Viewing 2 replies - 1 through 2 (of 2 total)

 *  Thread Starter [theresa95](https://wordpress.org/support/users/theresa95/)
 * (@theresa95)
 * [15 years, 2 months ago](https://wordpress.org/support/topic/plugin-dashboard-post-it-html-injection/#post-2007653)
 * for reference here is the function body in question.

```php
if ( 'post' == strtolower( $_SERVER['REQUEST_METHOD'] ) && isset( $_POST['widget_id'] ) && 'dashboard_postit' == $_POST['widget_id'] ) {
    foreach ( array( 'pi_title', 'pi_text' ) as $key )
        $options[$key] = stripslashes( $_POST[$key] );
    // The filtered value is written to $newoptions, which is never saved;
    // $options below is stored exactly as received.
    if ( !current_user_can( 'unfiltered_html' ) )
        $newoptions['text'] = stripslashes( wp_filter_post_kses( $newoptions['text'] ) ); // This should take care of HTML permissions.
    update_option( 'dashboard_postit', $options );
}
```
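The bug in the reported snippet, rebuilt as an added example (this is not the plugin's code and not the reporter's): a handler that mirrors the dead-store behaviour next to a corrected one that filters the array it actually saves. Both take the POSTed fields, a boolean for whether the user holds `unfiltered_html`, and a KSES-style filter callable so the file runs under plain `php` with no WordPress loaded; the stand-in filter built from `strip_tags` and the request array are constructed for the demonstration, and in a real plugin the callable would be `wp_filter_post_kses` and the capability check `current_user_can( 'unfiltered_html' )`.

```php
<?php
// Added example, not code from the Dashboard Post-it plugin. Assumption: the
// $kses callable stands in for wp_filter_post_kses(); the real function must be
// used in a deployment. Returns the array that would go to update_option().

/**
 * Mirrors the reported logic: the filtered text lands in $newoptions, which is
 * never saved, while the unfiltered $options array is what gets stored.
 * (The original even reads $newoptions['text'], a variable never assigned; the
 * input is filtered here so the discarded result is the only bug shown.)
 */
function dashboard_postit_save_vulnerable(array $post, bool $unfiltered_html, callable $kses): array
{
    $options = array();
    foreach (array('pi_title', 'pi_text') as $key) {
        $options[$key] = stripslashes($post[$key] ?? '');
    }
    if (!$unfiltered_html) {
        // Dead store: $newoptions is never read again.
        $newoptions['text'] = stripslashes($kses($post['pi_text'] ?? ''));
    }
    return $options; // saved unfiltered regardless of capability
}

/**
 * Corrected handler: apply the filter to the same array that is saved, and to
 * every field a non-privileged user controls, the title included.
 */
function dashboard_postit_save_fixed(array $post, bool $unfiltered_html, callable $kses): array
{
    $options = array();
    foreach (array('pi_title', 'pi_text') as $key) {
        $value = stripslashes($post[$key] ?? '');
        if (!$unfiltered_html) {
            $value = $kses($value);
        }
        $options[$key] = $value;
    }
    return $options;
}

// Constructed stand-in for wp_filter_post_kses(): keep a small tag whitelist and
// drop every other tag. strip_tags keeps the text inside removed tags.
$kses = function (string $s): string {
    return strip_tags($s, '<b><i><em><strong><a>');
};

// Constructed request from a user who lacks 'unfiltered_html'.
$post = array(
    'widget_id' => 'dashboard_postit',
    'pi_title'  => 'Notes <img src=x onerror=alert(1)>',
    'pi_text'   => 'Todo list <script>alert(document.cookie)</script>',
);

$vuln  = dashboard_postit_save_vulnerable($post, false, $kses);
$fixed = dashboard_postit_save_fixed($post, false, $kses);

echo "vulnerable: ", json_encode($vuln), "\n"; // <img ...> and <script> survive
echo "fixed:      ", json_encode($fixed), "\n"; // both tags removed by the filter
```

Run it with `php example.php`: the vulnerable return value still contains the `<script>` and `<img>` tags because the capability branch filtered a copy that is thrown away, while the fixed handler returns only whitelisted markup. Note that even the fixed version only reduces an HTML injection to what KSES permits; a user who can reach this form at all already needs the options capability the plugin author mentions below.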
 *  Plugin Author [Mark](https://wordpress.org/support/users/codeispoetry/)
 * (@codeispoetry)
 * [15 years, 1 month ago](https://wordpress.org/support/topic/plugin-dashboard-post-it-html-injection/#post-2007988)
 * Thank you. Since there is no way to edit the dashboard widget unless you can 
   edit_options, I consider this low priority — with edit_options capabilities you
   can do much more dangerous stuff than an HTML injection in an obscure Dashboard
   plugin.
 * If anyone’s willing to take over the development on this one though I would consider
   it. I simply lack the time to write any code these days.


The topic ‘[Plugin: Dashboard Post-it] HTML injection’ is closed to new replies.


 * 2 replies
 * 2 participants
 * Last reply from: [Mark](https://wordpress.org/support/users/codeispoetry/)
 * Last activity: [15 years, 1 month ago](https://wordpress.org/support/topic/plugin-dashboard-post-it-html-injection/#post-2007988)
 * Status: resolved