[wp-hackers] FW: Wordpress All versions XSS

Robin Adrianse robin.adr at gmail.com
Thu May 3 00:55:59 GMT 2007


We deprecated "home" a while back, and now it's "url" for the homepage and
"wpurl" for the WP installation.

On 5/2/07, Jeremy Visser <jeremy.visser at gmail.com> wrote:
>
> wordpress at nazgul.nu wrote:
> > <form method="get" id="searchform" action="<?php echo $_SERVER['PHP_SELF']; ?>">
>
> WordPress' default theme is not vulnerable:
>
> > <form method="get" id="searchform" action="<?php bloginfo('url'); ?>/">
>
> Neither is classic:
>
> > <form id="searchform" method="get" action="<?php bloginfo('home'); ?>">
>
> Oh, by the way, which is better to get the URL from? home or url?
>
> --
> Jeremy Visser
>
> ()  ascii ribbon campaign - against html e-mail
> /\  www.asciiribbon.org   - against proprietary attachments
>
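
The difference between the form tags quoted above, as an added example that is not part of the thread and not WordPress code: PHP_SELF includes any extra path text that follows the script name in the request, so echoing it raw lets request data close the action attribute, while escaping it or using a configured site URL keeps the value inside the attribute. The function names, the sample request values and the example.com URL are constructed for illustration, and `form_tag_configured` only stands in for the themes' approach of printing a stored URL.

```php
<?php
// Added example: runs from the CLI on constructed values, no web server needed.

/** Pattern from the first quoted snippet: PHP_SELF written raw into action="". */
function form_tag_raw(array $server): string {
    return '<form method="get" id="searchform" action="' . $server['PHP_SELF'] . '">';
}

/** Same source value, HTML-escaped for a double-quoted attribute. */
function form_tag_escaped(array $server): string {
    $action = htmlspecialchars($server['PHP_SELF'], ENT_QUOTES, 'UTF-8');
    return '<form method="get" id="searchform" action="' . $action . '">';
}

/** Stand-in for the themes' approach: a stored site URL instead of request data. */
function form_tag_configured(string $site_url): string {
    $action = htmlspecialchars(rtrim($site_url, '/') . '/', ENT_QUOTES, 'UTF-8');
    return '<form method="get" id="searchform" action="' . $action . '">';
}

/** True when the output is still a single tag, i.e. nothing left the attribute. */
function stays_in_attribute(string $html): bool {
    return substr_count($html, '<') === 1 && substr_count($html, '>') === 1;
}

// Constructed $_SERVER samples. The second has trailing path text after the
// script name; the <b> element is a harmless marker for injected markup.
$samples = [
    'plain request'      => ['PHP_SELF' => '/index.php'],
    'trailing path text' => ['PHP_SELF' => '/index.php/"><b>injected</b>'],
];

foreach ($samples as $label => $server) {
    $variants = [
        'raw'        => form_tag_raw($server),
        'escaped'    => form_tag_escaped($server),
        'configured' => form_tag_configured('http://example.com'), // constructed URL
    ];
    foreach ($variants as $name => $html) {
        printf("%-18s %-10s %-12s %s\n", $label, $name,
            stays_in_attribute($html) ? 'contained' : 'BROKE OUT', $html);
    }
}
```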

