Slashdot Mirror


Vulnerabilities Found in WordPress Blogging Tool

ZuperDee writes "According to this Netcraft article, 'Security vulnerabilities have been found in WordPress, the popular PHP-based open source blogging application. Some scripts in WordPress are not properly validated, leaving the program open to cross-site scripting (XSS) attacks in which third parties could insert content into a WordPress-driven site.'"

2 of 12 comments

  1. Stupid design. That's what it is. by Spy+der+Mann, Score: 2, Insightful

    As a web developer, I _ALWAYS_ escape my output, and _ALWAYS_ preprocess my input.

    No input ever goes unfiltered either way. Anyone with some experience on multi-tier programming should know this.

    Now the problem with content-management systems is, we need a _GOOD_ wysiwyg editor with filtering capabilities.

    i.e. make the thing output XML. Then use your favorite XSLT stylesheet to filter it.

    Oh well...

  2. Re:all output should be HTML-escaped by default by Anonymous Coward, Score: 1, Insightful

    As a reminder, these are the entities that should be used. No other substitutions are needed.
    • < - &lt;
    • > - &gt;
    • " - &quot;
    • ' - &apos;

    You forgot "& - &amp;".

    (Even though you probably had to type it four times to get that list - !)
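An added example (not code from this thread or from WordPress) that turns the five substitutions discussed above into a small output escaper. The ampersand is handled first because it is the escape prefix itself; the apostrophe uses the numeric `&#39;`, since `&apos;` was not defined in HTML 4. The comment markup and the sample author/body strings are constructed for the demonstration.

```python
import re

# Order matters: '&' must be replaced first, because it is the escape prefix.
# Escaping it after the others turns an already produced "&lt;" into "&amp;lt;".
HTML_ESCAPES = [
    ("&", "&amp;"),
    ("<", "&lt;"),
    (">", "&gt;"),
    ('"', "&quot;"),
    ("'", "&#39;"),   # numeric form; &apos; is not an HTML 4 entity
]


def escape_html(text: str) -> str:
    """Escape untrusted text for an HTML body or a double-quoted attribute."""
    for raw, entity in HTML_ESCAPES:
        text = text.replace(raw, entity)
    return text


def escape_html_wrong_order(text: str) -> str:
    """Same table applied in reverse ('&' last): reproduces the double-escaping bug."""
    for raw, entity in reversed(HTML_ESCAPES):
        text = text.replace(raw, entity)
    return text


# A raw special character, or an '&' that does not start one of our entities.
_RAW_SPECIALS = re.compile(r"[<>\"']|&(?!(amp|lt|gt|quot|#39);)")


def is_safe_for_html(escaped: str) -> bool:
    """True if no unescaped special character remains in the string."""
    return _RAW_SPECIALS.search(escaped) is None


def render_comment(author: str, body: str) -> str:
    """Build the comment markup; every untrusted value goes through escape_html."""
    return (f'<div class="comment" data-author="{escape_html(author)}">'
            f"{escape_html(body)}</div>")


if __name__ == "__main__":
    # Constructed sample input: values that would break out of the attribute and body.
    author = '" onmouseover="alert(1)'
    body = "<script>alert('xss')</script> & more"
    print(render_comment(author, body))
```
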