[Plugin: Live Comment Preview] Xss in 2.0.1 | ww.wp.xz.cn

Resolved Busindre
(@busindre)

14 years, 3 months ago

Hi Brad.
HTML tags are not stripped from the preview in field “Name” and “Web site”. I think that HTML tags should not be allowed.

Xss example: <iframe src="http://ha.ckers.org/scriptlet.html">
Thank you.

http://ww.wp.xz.cn/extend/plugins/live-comment-preview/

Viewing 1 replies (of 1 total)

Plugin Author Brad Touesnard
(@bradt)

13 years, 5 months ago

Before the quote appears on the site for everyone else, it is run through the usual server-side filters to strip tags and whatever else is usually done. Yes, the user could inject an iframe or whatever other HTML they like on their own screen, but it will be stripped when they submit their comment and will not show up for others. Therefore, it’s not an XSS vulnerability.

Viewing 1 replies (of 1 total)

The topic ‘[Plugin: Live Comment Preview] Xss in 2.0.1’ is closed to new replies.

1 reply
2 participants
Last reply from: Brad Touesnard
Last activity: 13 years, 5 months ago
Status: resolved