Viewing 1 replies (of 1 total)
  • Plugin Author Brad Touesnard (@bradt)

    Before the quote appears on the site for everyone else, it is run through the usual server-side filters to strip tags and whatever else is usually done. Yes, the user could inject an iframe or whatever other HTML they like on their own screen, but it will be stripped when they submit their comment and will not show up for others. Therefore, it’s not an XSS vulnerability.
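An added illustration of the distinction the reply draws (not the plugin's own code): the live preview renders the author's input only in the author's own browser, while everything submitted passes a server-side allowlist filter before anyone else sees it. The `ALLOWED` table and `serverSideFilter` below are assumptions for illustration; WordPress itself filters comment markup with `wp_kses`.

```javascript
// Constructed allowlist (assumption): tag name -> attributes permitted on it.
// Anything not listed here (iframe, script, on* handlers, ...) is dropped.
const ALLOWED = {
  a: new Set(["href", "title"]),
  b: new Set(), strong: new Set(), i: new Set(), em: new Set(),
  code: new Set(), blockquote: new Set(["cite"]),
};

// Escape text so it is shown literally instead of being parsed as markup.
function escapeHtml(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;")
          .replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// What the preview shows the author: the raw input, in their own browser only.
function previewForAuthor(html) {
  return html;
}

// What other visitors get: the input walked tag by tag, keeping only
// allowlisted tags/attributes and escaping all remaining text. Stands in
// for the "usual server-side filters" the reply refers to (assumption).
function serverSideFilter(html) {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)((?:\s+[^\s=>]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*\/?>/g;
  let out = "", last = 0, m;
  while ((m = tagRe.exec(html)) !== null) {
    out += escapeHtml(html.slice(last, m.index)); // text before the tag
    last = tagRe.lastIndex;
    const name = m[1].toLowerCase();
    if (!(name in ALLOWED)) continue;           // disallowed tag: removed whole
    if (m[0].startsWith("</")) { out += `</${name}>`; continue; }
    const attrs = [];
    const attrRe = /([^\s=>]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s>]+))?/g;
    let a;
    while ((a = attrRe.exec(m[2])) !== null) {
      const an = a[1].toLowerCase();
      if (!ALLOWED[name].has(an) || a[2] === undefined) continue;
      const v = a[2].replace(/^["']|["']$/g, "").trim();
      // Only plain web/mail/relative links survive on href; other schemes go.
      if (an === "href" && !/^(https?:|mailto:|\/)/i.test(v)) continue;
      attrs.push(` ${an}="${escapeHtml(v)}"`);
    }
    out += `<${name}${attrs.join("")}>`;
  }
  return out + escapeHtml(html.slice(last));    // trailing text
}
```

Because `previewForAuthor` never reaches another user's page, markup that survives there but not `serverSideFilter` only affects the person who typed it.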

  • The topic ‘[Plugin: Live Comment Preview] Xss in 2.0.1’ is closed to new replies.