[wp-hackers] Rethinking check_admin_referer()

Elliotte Harold elharo at metalab.unc.edu
Wed Apr 19 17:48:07 GMT 2006

Matt Mullenweg wrote:

> This has been brought up many times before.
> <form method="post" action="http://example.com/wp-admin/delete-all.php">
>   <input type="submit" name="Submit" value="Click Here" />
>   for a free iPod!
> </form>

Personally I'm a little more likely to notice a form in a comment than a 
plain link and wonder what's it doing there. Using an image submit 
button that contains a picture of text might disguise the link a little 
more effectively.

But is this even allowed? With the default options is it possible to put 
a form tag (or an img or script tag) in a comment?

Elliotte Rusty Harold  elharo at metalab.unc.edu
XML in a Nutshell 3rd Edition Just Published!

More information about the wp-hackers mailing list