[wp-testers] WP 2.1.2 Bogus Self-XSS-Injection destroys Article / Page

Mark Styles wp-testers at lambic.co.uk
Tue Mar 20 17:57:53 GMT 2007


On Tue, Mar 20, 2007 at 09:44:13AM -0700, Robin Adrianse wrote:
> On 3/20/07, Tom Klingenberg <tklingenberg at lastflood.net> wrote:
> >The following Text in Code Pane within the Editor has been changed from
> >
> ><a href="http://example.com/?page_id=4">Linktext</a>
> >to
> ><!-- a href="http://example.com/?page_id=4">Linktext</a -->
> >
> >and was then saved. Afterwards the whole Admin page ist part of your
> >editing Process... .
> 
> 
> I'm planning to attempt to see what you mean when I get around to it, but
> what do you mean...?
> 
> Maybe this problem is part of the current 2.1.3 RC as well, please check.

I tried it, and I do get something weird. Here's what I did:

Go to write page, switch to Code
enter <a href="http://example.com/?page_id=4">Linktext</a>
save the post
edit the draft, switch to Code
change the above to <!-- a href="http://example.com/?page_id=4">Linktext</a -->
save the post
edit the draft, switch to Code
now the post has changed to <!-- a href="http://example.com/?page_id=4"-->Linktext

And the post preview shows a messed up page with:

' ); function drawHTML(s) { document.write(s); } // -->

at the end.

hope that's helpful...

-- 
Mark 
http://www.lambic.co.uk



More information about the wp-testers mailing list