[wp-trac] [WordPress Trac] #53973: WordPress <= 5.8 - Authenticated Persistent XSS (User role name)
WordPress Trac
noreply at wordpress.org
Tue Aug 24 22:32:37 UTC 2021
#53973: WordPress <= 5.8 - Authenticated Persistent XSS (User role name)
--------------------------+------------------------------
 Reporter:  visse         |       Owner:  (none)
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  Awaiting Review
Component:  Security      |     Version:  trunk
 Severity:  normal        |  Resolution:
 Keywords:  dev-feedback  |     Focuses:  administration
--------------------------+------------------------------
Comment (by peterwilsoncc):
Replying to [comment:4 TobiasBg]:
> I guess it can't hurt to add some hardening in WordPress Core though. As
> the User Role name should never contain HTML code, output escaping (via
> `esc_html()` for example) in all places where the role name is printed is
> probably the best option here. Not only would it counter all possible ways
> of how the malicious HTML could be added to the database, it would also
> help uncover that such code exists. So essentially, even though the user
> role name is coming from the database, it would be considered as
> "untrusted".

This is what the security team was considering. Where it's possible to
protect against developer mistakes, it is good to do so.

Your earlier comment is correct that it requires PHP, so if a developer
wishes to act maliciously, they can. This is simply to protect against
developers being absent-minded rather than traditional malware.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/53973#comment:5>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
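
Added example, not part of the ticket and not WordPress core code: the output-escaping approach discussed in the comment above, plus a check that surfaces role names already stored with markup. The helper names `example_role_options()` and `example_roles_with_markup()` and the sample roles are assumptions made for illustration; `esc_html()` and `esc_attr()` get `htmlspecialchars()` stand-ins only when the file is run outside WordPress.

```php
<?php
// Added example, not WordPress core code. The two stand-ins below are only
// defined outside WordPress so the file also runs with the plain php CLI.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}

// Hypothetical helper: build <option> elements from a roles array shaped like
// wp_roles()->roles, treating the stored display name as untrusted.
function example_role_options( array $roles ) {
    $html = '';
    foreach ( $roles as $slug => $details ) {
        $name  = isset( $details['name'] ) ? $details['name'] : $slug;
        $html .= sprintf(
            "<option value=\"%s\">%s</option>\n",
            esc_attr( $slug ), // attribute context
            esc_html( $name )  // element content context
        );
    }
    return $html;
}

// Hypothetical helper: return the slugs of roles whose stored name contains
// angle brackets, which a plain-text role name should never have.
function example_roles_with_markup( array $roles ) {
    $flagged = array();
    foreach ( $roles as $slug => $details ) {
        if ( isset( $details['name'] ) && preg_match( '/[<>]/', $details['name'] ) ) {
            $flagged[] = $slug;
        }
    }
    return $flagged;
}

// Constructed sample data; inside WordPress, pass wp_roles()->roles instead.
$roles = array(
    'editor'       => array( 'name' => 'Editor' ),
    'shop_manager' => array( 'name' => '<b>Shop manager</b>' ),
);
echo example_role_options( $roles );
echo implode( ', ', example_roles_with_markup( $roles ) ), "\n";
```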