[wp-hackers] Rethinking check_admin_referer()

Elliotte Harold elharo at metalab.unc.edu
Wed Apr 19 18:46:19 GMT 2006

Matt Mullenweg wrote:
> Elliotte Harold wrote:
>> But is this even allowed? With the default options is it possible to 
>> put a form tag (or an img or script tag) in a comment?
> Of course not, but we're not talking about XSS, we're talking about CSRF.

OK, so the problem is that someone puts a form/link/img on another site 
whose action indicates deleting an article on my site? The they have to 
get me to go there and click it somehow? Am I understanding this?

Elliotte Rusty Harold  elharo at metalab.unc.edu
XML in a Nutshell 3rd Edition Just Published!

More information about the wp-hackers mailing list