Opened 5 years ago
Closed 5 years ago
#3374 closed defect (bug) (fixed)
Self XSS possible in admin-area list-table Forum description
Reported by: | johnjamesjacoby | Owned by: | johnjamesjacoby |
---|---|---|---|
Milestone: | 2.6.5 | Priority: | high |
Severity: | minor | Version: | 2.1 |
Component: | General - Administration | Keywords: | |
Cc: | | | |
Description
When a user with the unfiltered_html capability (Admin or Editor role, traditionally) enters a Forum description via WordPress Admin, their HTML is rendered raw inside the admin-area list-table UI.
I'm considering this not to be a security issue, as privileged users (Admins, Editors, Keymasters, and Moderators) are trusted to understand the consequences of actions such as this one. In this case, they would already have access to these admin-area screens and form fields, and are trusted to modify them.
That being said, this behavior does not match how other admin-area list-tables behave – they intentionally escape this content in an excerpt format, so Forums should as well.
This finding was reported to the WordPress Security Team through the HackerOne bug bounty program.
Patch imminent.
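As an added illustration (not bbPress's own code or the ticket's patch), the raw-echo pattern described above beside the escape-and-excerpt treatment other admin list tables apply, using core WordPress helpers; the two function names and the sample description are assumptions constructed for this example.

```php
<?php
// Added example, not bbPress code. Assumes WordPress core is loaded so that
// wp_strip_all_tags(), wp_trim_words() and esc_html() are available.

// Constructed sample of a description a user with unfiltered_html could save.
$description = '<p>General discussion</p><script>alert(document.cookie)</script>'
             . ' about anything that does not fit in the other forums on this site';

// Pattern the ticket describes: the stored HTML is emitted unchanged into the
// list-table cell, so any markup a privileged user saved runs on the admin screen.
function forum_description_raw( $description ) {
    return $description;
}

// Pattern matching the other admin list tables: drop all tags (wp_strip_all_tags
// also removes <script>/<style> contents), shorten to an excerpt, then escape
// for HTML context. esc_html() does not double-encode the &hellip; entity that
// wp_trim_words() appends.
function forum_description_excerpt( $description, $words = 10 ) {
    $text = wp_strip_all_tags( $description, true );
    $text = wp_trim_words( $text, $words );
    return esc_html( $text );
}

echo forum_description_excerpt( $description );
// Output: General discussion about anything that does not fit in the&hellip;
```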
Escape & excerpt Forum description in admin-area list-table