Comments (6)
I replied to this on my email before.
I will not consider that an actual XSS.
That is by design.
Only admins have access to add polls, and they can add any HTML inside the poll fields.
Just like you can have alert(1) within the WP post text field as well.
You can check out the code here https://github.com/lesterchan/wp-polls/blob/master/wp-polls.php#L1802-L1805 that assigns manage_polls to admins only.
Hi,
Don't admit your mistake. Sanitizing and filtering can be applied. If you have a situation like that, it is caused by the theme developer. The end user can never be trusted.
Unreasonable to put HTML into the fields except the description field.
https://codex.wordpress.org/Validating_Sanitizing_and_Escaping_User_Data
I have users who require HTML in the poll question and answer fields, hence the inclusion of HTML.
Of course I can use kses to filter it out, probably can take a look at it when I am free. But having said that, it is XSS if you consider putting alert(1) inside the textarea of the post as XSS.
I have fixed it and wrapped it with wp_kses_post(). You can try the dev version, which is 2.71.
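To show what the fix described above changes, here is an added illustration (not wp-polls' own code) of a poll answer rendered raw versus wrapped in wp_kses_post(), with the manage_polls capability check the thread refers to; the render functions, the sample answer and the file name are assumptions, and the snippet assumes it runs inside WordPress (for example via `wp eval-file`), since wp_kses_post() and current_user_can() are WordPress functions.

```php
<?php
// Added illustration, not code from the wp-polls plugin. Assumes WordPress is
// loaded so that wp_kses_post() and current_user_can() are defined.

// Constructed sample of what a poll editor might type into an answer field:
// legitimate formatting mixed with an event handler and a script element.
$raw_answer = '<strong>Yes</strong> <img src="x" onerror="alert(1)"> <script>alert(1)</script>';

// Before the fix: the stored value is echoed unchanged, so whatever markup the
// editor entered reaches every visitor who views the poll. The capability check
// on the admin screen limits who can write it, but not what is written.
function render_answer_unfiltered( $answer ) {
    return '<li>' . $answer . '</li>';
}

// After the fix (2.71): wp_kses_post() applies the same allow-list WordPress
// uses for post content, so <strong>, <a>, <img> with safe attributes and the
// like survive, while <script> elements and on* event attributes are stripped.
// Rich answers keep working; active content does not.
function render_answer_filtered( $answer ) {
    return '<li>' . wp_kses_post( $answer ) . '</li>';
}

// Defence in depth on the write side: only users holding the manage_polls
// capability (assigned to administrators, per the thread) may save poll data.
function save_answer_if_allowed( $answer ) {
    if ( ! current_user_can( 'manage_polls' ) ) {
        return false; // hypothetical: the real admin screen would wp_die() here
    }
    // Filtering on save as well as on output means a theme that prints the
    // field directly still cannot emit active content.
    return wp_kses_post( $answer );
}

echo render_answer_unfiltered( $raw_answer ), "\n";
echo render_answer_filtered( $raw_answer ), "\n";
```

Running both renderers on the same input makes the difference visible in a terminal: the unfiltered line is the stored string verbatim, the filtered line keeps only the allow-listed markup.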
@lesterchan Your point is that if someone, a hacker maybe, can add something on the backend, then the person hacked has bigger problems, right?!
I got your point.
@lesterchan thanks.