[wp-hackers] Rethinking check_admin_referer()

Matt Mullenweg m at mullenweg.com
Wed Apr 19 18:04:28 GMT 2006


Elliotte Harold wrote:
> But is this even allowed? With the default options is it possible to put 
> a form tag (or an img or script tag) in a comment?

Of course not, but we're not talking about XSS, we're talking about CSRF.

-- 
Matt Mullenweg
  http://photomatt.net | http://wordpress.org
http://automattic.com | http://akismet.com

