Dave Smith just emailed to let me know that the theme I’m using is vulnerable to a cross-site scripting attack. He’s detailed the fix here, which I’ve applied. If you’re using depo-skinny, you’ll want to fix it as well.
July 6, 2009 at 2:36 pm
strip_tags() seems a bit harsh. Maybe htmlentities() would be nicer?
Grepping the theme I use, WP seems to have a wp_specialchars() function of its own. I didn’t look at exactly how it does what it does, but that would unify all HTML output filtering through a single place.
July 6, 2009 at 3:24 pm
Thanks for telling us about it. Some of my sites have the same problem. Will fix it now.
© 2016 rc3.org