[wp-hackers] FW: Wordpress All versions XSS

Chris chris.hearn01 at ntlworld.com
Thu May 3 10:12:23 GMT 2007


Although I think the default sidebar code still does contain several 
references to bloginfo('home')...along the lines of

<p>You are currently browsing the <a href="<?php bloginfo('home');

Chris


Robin Adrianse wrote:
> We deprecated "home" a while back, and now it's "url" for the homepage and "wpurl" for the WP installation.
>
> On 5/2/07, Jeremy Visser <jeremy.visser at gmail.com> wrote:
>>
>> wordpress at nazgul.nu wrote:
>> > <form method="get" id="searchform" action="<?php echo $_SERVER['PHP_SELF']; ?>">
>>
>> WordPress' default theme is not vulnerable:
>>
>> > <form method="get" id="searchform" action="<?php bloginfo('url'); ?>/">
>>
>> Neither is classic:
>>
>> > <form id="searchform" method="get" action="<?php bloginfo('home'); ?>">
>>
>> Oh, by the way, which is better to get the URL from? home or url?
>>
>> -- 
>> Jeremy Visser
>>
>> ()  ascii ribbon campaign - against html e-mail
>> /\  www.asciiribbon.org   - against proprietary attachments
>> _______________________________________________
>> wp-hackers mailing list
>> wp-hackers at lists.automattic.com
>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>
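The thread contrasts echoing $_SERVER['PHP_SELF'] into the search form's action attribute with the default and classic themes' use of bloginfo(). The following stand-alone PHP script is an added example, not code from the thread or from WordPress: it builds the form tag three ways (the quoted PHP_SELF pattern, the same pattern with output encoding, and an action taken from a configured site URL) and runs a small check for attribute breakout over each. The request values are constructed, and $site_url is an assumed stand-in for whatever bloginfo('url') prints on a real install.

```php
<?php
// Added example, not code from the thread or from WordPress. It reproduces the
// PHP_SELF sink quoted in the thread and shows two ways to close it.

// Constructed request values. PHP_SELF includes any extra path segment the
// client appended after the script name, so it is request-controlled.
$_SERVER['SCRIPT_NAME'] = '/index.php';
$_SERVER['PHP_SELF']    = '/index.php/"><b>injected</b>';   // constructed input

// Pattern quoted in the thread: request-controlled text is written straight
// into an attribute, so a double quote in the path terminates the attribute
// and whatever follows is parsed as markup.
function vulnerable_form(): string
{
    return '<form method="get" id="searchform" action="' . $_SERVER['PHP_SELF'] . '">';
}

// Fix 1: encode on output. ENT_QUOTES turns both quote characters into
// entities, so the value cannot leave the attribute.
function escaped_form(): string
{
    $action = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');
    return '<form method="get" id="searchform" action="' . $action . '">';
}

// Fix 2, the approach the default and classic themes take with bloginfo():
// do not derive the action from the request at all. $site_url is an assumed
// stand-in for the configured site URL that bloginfo('url') prints; the
// trailing slash mirrors the default theme's action="...url/".
function fixed_url_form(string $site_url): string
{
    $action = htmlspecialchars(rtrim($site_url, '/') . '/', ENT_QUOTES, 'UTF-8');
    return '<form method="get" id="searchform" action="' . $action . '">';
}

// Check a theme reviewer can apply to rendered output: did the constructed
// payload close the action attribute early? A raw '"' followed by '><b>'
// inside the attribute means the markup after it is no longer attribute text.
function attribute_breakout(string $html): bool
{
    return preg_match('/action="[^"]*"><b>/', $html) === 1;
}

echo vulnerable_form(), PHP_EOL;                      // attribute closed early, <b> rendered as markup
echo escaped_form(), PHP_EOL;                         // quotes become &quot;, payload stays inside the attribute
echo fixed_url_form('https://example.test'), PHP_EOL; // action does not depend on the request at all

foreach (['vulnerable' => vulnerable_form(),
          'escaped'    => escaped_form(),
          'fixed-url'  => fixed_url_form('https://example.test')] as $name => $html) {
    printf("%-10s breakout=%s\n", $name, attribute_breakout($html) ? 'yes' : 'no');
}
```

Only the first variant reports a breakout. The second fix is the stronger one: encoding makes the attribute safe, but taking the action from configuration rather than from the request removes the sink entirely, which is why the themes quoted above are not affected regardless of what a client sends in the path.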

