[wp-hackers] Security at Wordpress

Elliotte Harold elharo at metalab.unc.edu
Mon Apr 24 13:16:58 GMT 2006


Andy Skelton wrote:

> Still, if you removed the ability to do everything via GET, how am I
> going to approve comments from my email with a single click, assuming
> I don't allow HTML in my emails? I think that's the actual bar. It may
> be unreasonable from a pure security standpoint but the convenience is
> more routinely visible than the security.

Comments shouldn't be approved via GET, especially given the active and 
growing attacks by comment spammers. Even without those leeches to worry 
about, some mail clients including GMail will automatically approve all 
such comments. See

http://cafe.elharo.com/web/rest-mistake-1-confirming-gets/

-- 
Elliotte Rusty Harold  elharo at metalab.unc.edu
XML in a Nutshell 3rd Edition Just Published!
http://www.cafeconleche.org/books/xian3/
http://www.amazon.com/exec/obidos/ISBN=0596007647/cafeaulaitA/ref=nosim
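The pattern the thread is arguing about, as an added example that is not WordPress's code or anything from the list: a one-click GET approval link beside a hardened two-step flow (GET renders a confirmation form, POST with a per-moderator HMAC token performs the change). Function names, the `token` form field, the comment ids and the example.invalid URLs are constructed for the demo.

```python
import hmac
import hashlib
import secrets
from typing import Tuple
from urllib.parse import parse_qs, urlparse

# Constructed for this example: a server-side key and a small moderation queue.
SECRET = secrets.token_bytes(32)
comments = {17: "pending", 18: "pending"}


def approval_token(comment_id: int, moderator: str) -> str:
    """Token bound to one moderator, one comment and the approve action."""
    msg = f"approve:{comment_id}:{moderator}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def handle_get_approve(url: str) -> int:
    """The one-click pattern: fetching the link performs the approval.
    Any client that follows it (mail previewer, proxy, link checker) approves."""
    cid = int(parse_qs(urlparse(url).query)["c"][0])
    comments[cid] = "approved"
    return 200


def handle_get_confirm(url: str, moderator: str) -> Tuple[int, dict]:
    """Hardened flow, step 1: the e-mail link is a GET that only renders a
    confirmation form. No state changes, so an automatic fetch is harmless."""
    cid = int(parse_qs(urlparse(url).query)["c"][0])
    if cid not in comments:
        return 404, {}
    return 200, {"c": str(cid), "token": approval_token(cid, moderator)}


def handle_post_approve(method: str, form: dict, moderator: str) -> int:
    """Hardened flow, step 2: the change needs POST plus a valid token, so
    neither a link fetch nor a forged cross-site request can approve."""
    if method != "POST":
        return 405
    try:
        cid = int(form.get("c", ""))
    except ValueError:
        return 400
    if cid not in comments:
        return 404
    expected = approval_token(cid, moderator)
    if not hmac.compare_digest(form.get("token", ""), expected):
        return 403
    comments[cid] = "approved"
    return 200
```

A mail client that fetches the confirm link only receives the form; the approval itself happens on the moderator's POST.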
