[wp-hackers] Rethinking check_admin_referer()
elharo at metalab.unc.edu
Wed Apr 19 18:46:19 GMT 2006
Matt Mullenweg wrote:
> Elliotte Harold wrote:
>> But is this even allowed? With the default options is it possible to
>> put a form tag (or an img or script tag) in a comment?
> Of course not, but we're not talking about XSS, we're talking about CSRF.
OK, so the problem is that someone puts a form/link/img on another site
whose action indicates deleting an article on my site? Then they have to
get me to go there and click it somehow? Am I understanding this?
Elliotte Rusty Harold elharo at metalab.unc.edu
XML in a Nutshell 3rd Edition Just Published!
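As an added illustration of the mechanism check_admin_referer() relies on (example code, not WordPress's own implementation): the server issues a nonce bound to the acting user and to one specific action, and the delete request must carry it, so a form, link or img tag hosted on another site has nothing to supply even though the victim's session cookie is sent. The secret, the 12-character truncation and the handler are assumptions made for this example; the `_wpnonce` parameter and the `delete-post_<id>` action name follow WordPress's own conventions.

```python
import hmac
import hashlib
import time

# Constructed server-side secret for this example (WordPress derives its own
# from the salts in wp-config.php; this value is an assumption, not its code).
SECRET = b"example-secret-salt-do-not-reuse"
TICK_SECONDS = 12 * 60 * 60  # nonce validity window, as WordPress uses


def _tick(now=None):
    """Current validity window; the previous one is also accepted."""
    return int((now if now is not None else time.time()) / TICK_SECONDS)


def create_nonce(action, user_id, now=None):
    """Nonce bound to the action and the user, so a value harvested from
    one page cannot authorize a different action or a different user."""
    msg = f"{_tick(now)}|{action}|{user_id}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[-12:]


def verify_nonce(nonce, action, user_id, now=None):
    """Accept the nonce for the current or the previous tick, in the spirit
    of check_admin_referer()/wp_verify_nonce(); compare in constant time."""
    if not nonce:
        return False
    for t in (_tick(now), _tick(now) - 1):
        msg = f"{t}|{action}|{user_id}".encode()
        expected = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[-12:]
        if hmac.compare_digest(nonce, expected):
            return True
    return False


def handle_delete(params, user_id):
    """Delete handler: the session cookie identifies the user, but only a
    request carrying a valid nonce for 'delete-post_<id>' is acted on."""
    post_id = params.get("post")
    action = f"delete-post_{post_id}"
    if not verify_nonce(params.get("_wpnonce"), action, user_id):
        return 403, "nonce check failed"
    return 200, f"deleted post {post_id}"
```

A cross-site form can only produce the first case below (no nonce, or a nonce minted for another action or user), which the handler refuses.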