[wp-hackers] XSS Vulnerability reported by a french geek

Mark Jaquith mark.wordpress at txfx.net
Tue May 29 16:28:02 GMT 2007

On May 29, 2007, at 12:08 PM, Rob wrote:

> I agree, but out of interest why don't we nonce comments? It seems
> like we could stop a lot of comment spam and seal up this kind of
> vulnerability if we did.
> Theme compatibility issues?

We nonce admin comments (well, comments by anyone with the unfiltered_html capability).  If the nonce fails or isn't there, the admin doesn't get to post unfiltered_html.  That is what prevents this POC from working.

Noncing all comments would be a club solution [1].  And it'd be useless against spam bots who first slurp the form (and thus the nonce).  The more people who had this (like, if it were in core), the less effective it would be.  And yes, theme compatibility would be a slight hurdle, though that's not the main reason.

[1] http://diveintomark.org/archives/2002/10/29/club_vs_lojack_solutions

Mark Jaquith

Covered Web Services
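The defence Mark describes, as an added illustration that is not WordPress core code and not Mark's own: a nonce is emitted only for users holding unfiltered_html, and a comment that arrives without a valid nonce is run through the same KSES filter ordinary commenters get, so a request forged from a third-party page cannot use the logged-in admin to plant raw HTML. The action name, the field name and the use of the comment_form and preprocess_comment hooks are this example's choices; only the WordPress API functions called are real.

```php
<?php
/**
 * Plugin Name: Nonce-gated unfiltered_html for comments (example, not core)
 *
 * Assumptions (chosen for this example): action name
 * 'unfiltered-html-comment_<post id>', field name
 * '_wp_unfiltered_html_comment', and the comment_form / preprocess_comment
 * hooks. current_user_can(), wp_nonce_field(), wp_verify_nonce(),
 * wp_filter_kses(), wp_unslash() and sanitize_text_field() are WordPress API.
 */

// 1. Emit the nonce only for users who could post unfiltered HTML.
//    Everyone else is KSES-filtered anyway, so a nonce buys them nothing
//    (this is the "club vs. lojack" point: a form-wide nonce is slurped by
//    any bot that fetches the form first).
add_action( 'comment_form', function ( $post_id ) {
    if ( current_user_can( 'unfiltered_html' ) ) {
        wp_nonce_field(
            'unfiltered-html-comment_' . (int) $post_id, // action tied to the post
            '_wp_unfiltered_html_comment',               // hidden field name
            false                                         // no referer field
        );
    }
} );

// 2. On submission, require the nonce before honouring unfiltered_html.
//    A missing or stale nonce does not reject the comment; it only strips the
//    privilege for this one comment, which is what defeats the forged request.
add_filter( 'preprocess_comment', function ( array $commentdata ) {
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        return $commentdata; // ordinary commenters are already KSES-filtered
    }

    $post_id = (int) $commentdata['comment_post_ID'];
    $nonce   = isset( $_POST['_wp_unfiltered_html_comment'] )
        ? sanitize_text_field( wp_unslash( $_POST['_wp_unfiltered_html_comment'] ) )
        : '';

    if ( ! wp_verify_nonce( $nonce, 'unfiltered-html-comment_' . $post_id ) ) {
        // Nonce failed or absent: apply the default comment tag whitelist.
        // wp_filter_kses() strips/re-adds slashes, matching the slashed
        // comment data WordPress passes through this filter.
        $commentdata['comment_content'] = wp_filter_kses( $commentdata['comment_content'] );
    }

    return $commentdata;
}, 0 ); // run early so later filters see the already-demoted content
```

The check deliberately demotes rather than rejects: an admin whose nonce expired still gets their comment posted, just filtered, while a forged cross-site POST gains nothing over an anonymous commenter.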
