[wp-hackers] FW: Wordpress All versions XSS

Jeremy Visser jeremy.visser at gmail.com
Thu May 3 00:48:19 GMT 2007

wordpress at nazgul.nu wrote:
> <form method="get" id="searchform" action="<?php echo
> $_SERVER['PHP_SELF']; ?>">

WordPress' default theme is not vulnerable:

> <form method="get" id="searchform" action="<?php bloginfo('url'); ?>/">

Neither is classic:

> <form id="searchform" method="get" action="<?php bloginfo('home'); ?>">

Oh, by the way, which is better to get the URL from? home or url?

Jeremy Visser

()  ascii ribbon campaign - against html e-mail
/\  www.asciiribbon.org   - against proprietary attachments

More information about the wp-hackers mailing list