[wp-trac] [WordPress Trac] #40740: Script tag accepting in comment section so we can break the page using script tag.

WordPress Trac noreply at wordpress.org
Fri May 12 05:34:40 UTC 2017


#40740: Script tag accepting in comment section so we can break the page using
script tag.
--------------------------+----------------------
 Reporter:  jitheshkk     |       Owner:
     Type:  defect (bug)  |      Status:  closed
 Priority:  normal        |   Milestone:
Component:  General       |     Version:  4.7.4
 Severity:  normal        |  Resolution:  invalid
 Keywords:                |     Focuses:
--------------------------+----------------------
Changes (by dd32):

 * status:  new => closed
 * resolution:   => invalid
 * milestone:  Awaiting Review =>


Old description:

> Script tags are accepted in the comment box. Here is the example: I placed
> the code below in the comment box and submitted it, and then the page goes
> blank. Here is my code
> <!-- Code comment --!>
> <script>
> console.log('test');
> document.body.innerHTML ='';
> </script>

New description:

 Script tags are accepted in the comment box. Here is the example: I placed
 the code below in the comment box and submitted it, and then the page goes
 blank. Here is my code
 {{{
 <!-- Code comment --!>
 <script>
 console.log('test');
 document.body.innerHTML ='';
 </script>
 }}}

--

Comment:

 Hi @jitheshkk and welcome to Trac,

 It appears that you're posting a comment as a user who is trusted to post
 arbitrary HTML (users with the Administrator (and possibly Editor) role by
 default). The JavaScript you're posting specifically removes all the HTML
 in the page, which would result in a blank page.

 This is often reported as a security vulnerability; if that's your
 intention, this was the wrong location to post it. Please see the
 directions for reporting a security vulnerability here:
 https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#where-do-i-report-security-issues

 `unfiltered_html` (which allows you to post the JavaScript) also has a
 specific call-out on the aforementioned page:
 https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-some-users-allowed-to-post-unfiltered-html

--
Ticket URL: <https://core.trac.wordpress.org/ticket/40740#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
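
The behaviour dd32 describes above is driven by the `unfiltered_html`
capability: core's kses_init() removes the KSES allowlist filter from
'pre_comment_content' for users who hold it, so an Administrator's comment is
stored verbatim, script tags included. The following must-use plugin is an
added example written for this discussion (it is not WordPress core code and
not part of the ticket); it re-applies the comment allowlist to every comment
regardless of the author's role, and adds a triage helper for finding comments
already stored with a `<script>` tag by a privileged author. The `forcekses_`
function names and the mu-plugins placement are this example's own choices.
Note that wp_kses() strips the disallowed tags themselves; the text between
them survives as plain text, so the result is inert but not empty.

```php
<?php
/**
 * Plugin Name: Force KSES on comments (added example, not WordPress core)
 * Description: Re-applies the comment allowlist even for users with unfiltered_html.
 *
 * Save as wp-content/mu-plugins/force-kses-comments.php so it loads before
 * themes and regular plugins and cannot be deactivated from wp-admin.
 *
 * Alternative that needs no plugin: deny unfiltered_html to every role by
 * adding to wp-config.php
 *     define( 'DISALLOW_UNFILTERED_HTML', true );
 * map_meta_cap() then maps unfiltered_html to do_not_allow for all users,
 * which also affects posts and pages, not only comments.
 */

/**
 * Run comment content through the comment allowlist ($allowedtags: a, abbr,
 * b, blockquote, cite, code, em, i, strong, ... but never script).
 *
 * kses_remove_filters() only unhooks core's own wp_filter_kses /
 * wp_filter_post_kses callbacks, so a callback with a different name is
 * still in place when an Administrator or Editor comments.
 */
function forcekses_filter_comment_content( $content ) {
    // A string context selects the allowlist; 'pre_comment_content' falls
    // through to the comment (default) set inside wp_kses_allowed_html().
    return wp_kses( $content, 'pre_comment_content' );
}

// New comments (wp_new_comment -> wp_filter_comment) and edits
// (wp_update_comment). Priority 5 runs before any priority-10 callbacks.
add_filter( 'pre_comment_content', 'forcekses_filter_comment_content', 5 );
add_filter( 'comment_save_pre', 'forcekses_filter_comment_content', 5 );

/**
 * Triage helper: approved comments that still contain a <script> tag, with
 * a flag telling you whether the author could have bypassed KSES.
 * Anonymous commenters (user_id 0) are always filtered, so a hit from them
 * points at something other than unfiltered_html.
 *
 * Run with WP-CLI:
 *   wp eval 'print_r( forcekses_find_unfiltered_script_comments() );'
 */
function forcekses_find_unfiltered_script_comments( $limit = 500 ) {
    $hits     = array();
    $comments = get_comments( array(
        'status' => 'approve',
        'number' => $limit,
    ) );

    foreach ( $comments as $comment ) {
        if ( false === stripos( $comment->comment_content, '<script' ) ) {
            continue;
        }
        $user_id    = (int) $comment->user_id;
        $privileged = $user_id > 0 && user_can( $user_id, 'unfiltered_html' );

        $hits[] = array(
            'comment_ID'                 => (int) $comment->comment_ID,
            'post_ID'                    => (int) $comment->comment_post_ID,
            'user_id'                    => $user_id,
            'author_has_unfiltered_html' => $privileged,
        );
    }
    return $hits;
}
```

The filter only affects comments saved after the plugin is installed; existing
comments keep whatever was stored, which is what the triage helper is for. If
you use the DISALLOW_UNFILTERED_HTML route instead, remember that it is a
site-wide change to what Administrators and Editors may put in posts as well.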