[wp-hackers] Rethinking check_admin_referer()

Robert Deaton false.hopes at gmail.com
Wed Apr 19 18:50:18 GMT 2006

On 4/19/06, Elliotte Harold <elharo at metalab.unc.edu> wrote:
> Matt Mullenweg wrote:
> > Elliotte Harold wrote:
> >> But is this even allowed? With the default options is it possible to
> >> put a form tag (or an img or script tag) in a comment?
> >
> > Of course not, but we're not talking about XSS, we're talking about CSRF.
> >
> OK, so the problem is that someone puts a form/link/img on another site
> whose action indicates deleting an article on my site? Then they have to
> get me to go there and click it somehow? Am I understanding this?

Yes, and thus the "edge case" description.

--Robert Deaton
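The attack Elliotte describes above (a form, link or img on a third-party page whose target is the delete action on your own site, fired by the victim's own logged-in browser) is defeated by tying each admin action to a token the attacker cannot compute. The following is an added example written for this archive page; it is not WordPress code and not the check_admin_referer() implementation under discussion. The request format, the `_wpnonce` parameter name, the `handle_delete()` handler, the constructed secret, user id, post id and timestamps are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs

# Constructed server-side secret for this example; a real site loads this from
# configuration and never sends it to the browser.
SECRET_KEY = b"constructed-secret-for-this-example-only"

# A nonce is bound to a time window; the current and the previous window are
# accepted so a form that was open for a while still submits.
NONCE_LIFETIME = 12 * 3600


def _tick(now):
    return int(now // NONCE_LIFETIME)


def create_nonce(user_id, action, now=None):
    """HMAC over (time window, action, user). A page on evil.example cannot
    produce this value because it never sees SECRET_KEY, and a token minted
    for one action or user is useless for another."""
    now = time.time() if now is None else now
    msg = f"{_tick(now)}|{action}|{user_id}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[:16]


def verify_nonce(nonce, user_id, action, now=None):
    now = time.time() if now is None else now
    for t in (_tick(now), _tick(now) - 1):
        msg = f"{t}|{action}|{user_id}".encode()
        expected = hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[:16]
        if hmac.compare_digest(nonce, expected):
            return True
    return False


def referer_only_allows(request, site_host):
    """A Referer-based check, for contrast. It has to tolerate a missing
    header, because browsers, proxies and privacy settings strip it, and a
    cross-site request that arrives without a Referer therefore passes."""
    ref = request["headers"].get("Referer")
    if ref is None:
        return True
    return ref.startswith(f"http://{site_host}/")


def handle_delete(request, session_user_id, now=None):
    """Delete handler guarded by an action-scoped nonce. `session_user_id` is
    the user the browser's cookie identifies: the victim, in the CSRF case."""
    params = parse_qs(request["query"])
    post_id = params.get("post", [None])[0]
    nonce = params.get("_wpnonce", [""])[0]
    if post_id is None:
        return "error: missing post id"
    if not verify_nonce(nonce, session_user_id, f"delete-post_{post_id}", now):
        return "rejected: bad or missing nonce"
    return f"deleted post {post_id}"


# Constructed scenario: user 7 is logged in to blog.example; NOW is a fixed
# timestamp so the demonstration is repeatable.
NOW = 1145000000.0
USER = 7

# The admin page the user loads embeds a nonce in the delete link.
LEGIT_NONCE = create_nonce(USER, "delete-post_42", NOW)

LEGIT_REQUEST = {
    "query": f"action=delete&post=42&_wpnonce={LEGIT_NONCE}",
    "headers": {"Referer": "http://blog.example/wp-admin/edit.php"},
}
# <img src="http://blog.example/wp-admin/post.php?action=delete&post=42">
# hosted on evil.example; the victim's cookie rides along, the nonce does not.
FORGED_IMG_REQUEST = {
    "query": "action=delete&post=42",
    "headers": {"Referer": "http://evil.example/bait.html"},
}
# Same forgery, but the browser sent no Referer at all.
FORGED_NO_REFERER_REQUEST = {
    "query": "action=delete&post=42",
    "headers": {},
}

if __name__ == "__main__":
    print(handle_delete(LEGIT_REQUEST, USER, NOW))
    print(handle_delete(FORGED_IMG_REQUEST, USER, NOW))
    print(handle_delete(FORGED_NO_REFERER_REQUEST, USER, NOW))
    print("referer-only check lets the header-less forgery through:",
          referer_only_allows(FORGED_NO_REFERER_REQUEST, "blog.example"))
```

The point of the contrast is the last case: a Referer check that must accept a missing header is exactly the edge case where the cross-site img wins, while the nonce check rejects it because the attacker's page had no way to obtain a token for (this user, this action, this time window). The nonce also does nothing against XSS on the site itself, since script running in the victim's origin can read the token off the admin page; that is a separate problem from the CSRF one in this thread.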
