bbPress.org

Opened 11 years ago

Closed 11 years ago

#1525 closed defect (bug) (invalid)

bbP Plugin: Any Javascript posted to the forum is executed.

Reported by: tooltrainer
Owned by:
Milestone: 2.0
Priority: omg sweet tea
Severity: blocker
Version: 1.0-alpha-2
Component: Component - Replies
Keywords: javascript
Cc:

Description

I can post this in any topic description or reply and it will be executed when the page is loaded:

<script type='text/javascript'>
location.href='http://google.com';
</script>

Really scary, means users can hijack the site or do many other bad bad things.

Change History (1)

#1 @johnjamesjacoby
11 years ago

  • Resolution set to invalid
  • Status changed from new to closed

Not a bug. You have the unfiltered_html capability because you are a site admin. In the future please refrain from posting any possible security vulnerabilities publicly, and instead reference the Security FAQ over at WordPress.org:

http://codex.wordpress.org/Security_FAQ
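
An added example, not part of the ticket or of bbPress's own code: a WordPress-side audit of the unfiltered_html capability named in the closing comment, listing which accounts hold it and showing what core KSES filtering does to the markup from the description. It assumes it runs inside a loaded WordPress install (for instance through WP-CLI's eval-file command); the file name is hypothetical.

```php
<?php
// Added example. Run inside a loaded WordPress install, e.g.:
//   wp eval-file audit-unfiltered-html.php   (hypothetical file name)

// The markup from the ticket description, reproduced as sample input.
$sample = "<script type='text/javascript'>\n"
        . "location.href='http://google.com';\n"
        . "</script>";

// 1. Which accounts may store raw HTML? WordPress core only attaches its
//    KSES content filters for users who lack this capability, so these are
//    the accounts whose submissions are saved as typed.
$holders = array();
foreach ( get_users( array( 'fields' => array( 'ID', 'user_login' ) ) ) as $u ) {
    if ( user_can( (int) $u->ID, 'unfiltered_html' ) ) {
        $holders[] = $u->user_login;
        printf( "unfiltered_html held by: %s (ID %d)\n", $u->user_login, $u->ID );
    }
}
if ( ! $holders ) {
    echo "No account holds unfiltered_html.\n";
}

// 2. What a user without the capability would end up storing: wp_kses_post()
//    removes the <script> tags and leaves their contents as inert text.
$filtered = wp_kses_post( $sample );
echo "Filtered form of the sample:\n", $filtered, "\n";
if ( false !== stripos( $filtered, '<script' ) ) {
    echo "WARNING: <script> survived filtering; check for plugins altering allowed tags.\n";
}

// 3. Is the capability switched off site-wide? With this constant set to
//    true in wp-config.php, core denies unfiltered_html to every user,
//    administrators included:
//      define( 'DISALLOW_UNFILTERED_HTML', true );
$locked = defined( 'DISALLOW_UNFILTERED_HTML' ) && DISALLOW_UNFILTERED_HTML;
printf( "DISALLOW_UNFILTERED_HTML is %s\n", $locked ? 'on' : 'off' );
if ( $locked && $holders ) {
    echo "WARNING: capability still reported while the constant is on; "
       . "a plugin may be granting it through a capability filter.\n";
}
```

On a default single-site install, step 1 lists the administrator and editor roles' accounts; on multisite only super admins hold the capability.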
