Pilvinen
commented
9 years ago Very worrisome. I hope this is addressed as soon as possible.
Closed yariplus closed 9 years ago
Pilvinen
commented
9 years ago Very worrisome. I hope this is addressed as soon as possible.
yariplus
commented
9 years ago My PR fixes most of the problems. I think @drewdotpro just hasn't gotten a chance to look over it properly yet.
I found several ways to inject arbitrary Javascript into posts. The easiest two being the onmousedown/up/over attributes and using the url() css construct. With some tags, these are not parsed out whatsoever.
You are also not sanitizing on post edit at all, because the passed object is different from what you are expecting.