Monthly Archives: August 2011

WordPress Admins Can Post JavaScript in Post Comments

Here’s an interesting fact about WordPress: users with Administrator or Editor privileges are allowed to post unsanitized JavaScript or markup in Post comments.

I discovered this by accident when I was leaving a Facebook API example for a commentator, and posted a code snippet that included the <script> tag referencing http://connect.facebook.net/en_US/all.js#xfbml=1. To my surprise, a Facebook Comments widget appeared within my comment!

I did some testing with a fresh WordPress installation and ensured that it wasn’t related to any of my own customizations or installed plugins, and that only high-ranking user accounts could do it.

This could potentially be a Cross-Site Scripting (XSS) vulnerability, as a user with Editor privileges could conceivably “go rogue” and post malicious JavaScript in comment threads. This could be used for any number of nefarious things, such as injecting a malware loader into the page or inserting spam links.

So I did some digging, wondering whether I should report the issue to the core developers, and found this:

Users with Administrator or Editor privileges are allowed to publish unfiltered HTML in post titles, post content, and comments. WordPress is, after all, a publishing tool, and people need to be able to include whatever markup they need to communicate. Users with lesser privileges are not allowed to post unfiltered content.

[…] Regardless, an Administrator has wide-ranging super powers among which unfiltered HTML is a lesser one.

In WordPress multisite, only super administrators can publish unfiltered HTML, as all other users are considered untrusted.

It makes sense that Administrators be able to do that, as they have unfettered control over everything else. (And there are probably some cool things you could do by inserting JavaScript into your comments, like placing polls without having to use a plugin.)

So, the lesson here is to be cautious with who you assign Editor privileges to. If you don’t trust them, don’t give them an Editor account. Besides, a rogue Editor could play havoc on posts and comments even without being able to paste-in malicious code. ;)

If PHP Were British

I was browsing a popular social media site the other day, when I came across a link entitled “If PHP Were British.” I started laughing out loud (for real) just a few paragraphs in. When Rasmus Lerdorf first put PHP together, he – quite…

Firefox 7 to Use 20-50% Less Memory

Mozilla engineers have began and effort known as “MemShrink” to reduce Firefox’s rather large memory footprint, with the changes being made in Firefox 7. (I still haven’t quite figured out Mozilla’s new version numbering scheme, and Firefox 5 is the current release…) In short:…

Google Launches Page Speed Service

Google recently launched a Page Speed Service, an offering along similar lines to CloudFlare. You set up a CNAME to point your domain to their servers, which cache your pages and serve them at blazing speed. They also run everything through the lines of…

BlogBuzz August 20, 2011

Leaked AT&T Letter Demolishes Case For T-Mobile Merger HTML5 Boilerplate 2.0 is now available Object-Oriented PHP: Autoloading, Serializing, and Querying Objects Persistent Headers Google, needing patents, buys Motorola wireless for $12.5 billion Building a Jabber Client for iOS: Interface Setup Creating Reusable & Versatile…

Disable Domain Highlighting in Firefox

If you just upgraded to Firefox 6, you probably noticed the new “domain highlighting” feature. The address bar now greys-out the protocol and path in the URL, leaving the domain highlighted in the darker black text. The theory is that it will help less-savvy…

Minus: Simple File Sharing

There are already a few services—like CloudApp and Droplr—that allow you to simply drag a file and instantly share it via a short URL. There’s a newer one that I’ve been seeing lately on Twitter. It’s name is Minus. Minus is primarily a web…

BlogBuzz August 13, 2011

Missing the Favorites Menu in WordPress? Add a Makeshift Replacement.

In WordPress 3.2, the favorite actions menu was removed during the latest UI refresh. If you’re like me, you had used its hooks to add your own links to frequently-used sections of the admin. I had even made a plugin that allowed me to…

5 Sites to Find Free PSD Resources for Your Web Designs

Looking for some high-quality PSD resources? Maybe your design skills are lacking and you need some professional-quality elements for the theme you’re making for your blog. Or maybe you need some social media icons. Or maybe you’re just don’t feel like reinventing the wheel…