[wp-hackers] Rethinking check_admin_referer()

David House dmhouse at gmail.com
Tue Apr 18 21:30:44 GMT 2006

On 18/04/06, Michael D. Adams <mikea at turbonet.com> wrote:
> Have you tried this?  KSES should filter out IMGs from users that don't
> have the unfiltered_html capability.

Good point, I figured img was among the allowed tags, but apparently not.

> Regardless, the draft issue mentioned previously [1] is still there.  As
> mentioned by others, we should POST.

Yes, and also non-registered users could provide a link like "Great
post, here's [my response]", which links to a redirecting site. An
unwitting admin would click it and it's the same flaw.

-David House, dmhouse at gmail.com, http://xmouse.ithium.net

More information about the wp-hackers mailing list