• Resolved gbulmash

    (@gbulmash)


    Ran into someone using CSS to hijack a MySpace page. Curious, I tried it on my WordPress blog and hijacked one of my own pages via the comments. Not only that, but the hijack overlaid my comments management, making it difficult to remove.

    I created a plugin that filters user comments for CSS embedded in HTML tags and disables the tags when styles are found in them.

    Plugin Page.

Viewing 2 replies - 1 through 2 (of 2 total)
  • Just tested this with a test site. The hijack can only work if the comment is posted by a logged-in user – I suspect the user would have to be an admin.

    For normal commenters, WP strips out the styles.

    Thread Starter gbulmash

    (@gbulmash)

    Yes, found this out myself. Didn’t think to log out until after I went crazy with it. Was just coming back to delete or close this post.
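
Added example (not part of the thread, and not the plugin's code): a comment filter of the kind the first post describes, sketched in Python rather than as a WordPress plugin. It generalizes from inline styles to an allowlist, rebuilding the comment from parser events so that any tag with a `style` attribute, or any tag or attribute outside the list, is shown as text instead of being rendered. `ALLOWED`, `CommentFilter` and `filter_comment` are names assumed here, and `SAMPLE` is a constructed input.

```python
from html import escape
from html.parser import HTMLParser

# Assumption: allowlist of comment tags and their attributes, constructed for this example.
ALLOWED = {"a": {"href", "title"}, "b": set(), "i": set(), "em": set(),
           "strong": set(), "code": set(), "blockquote": set()}


class CommentFilter(HTMLParser):
    """Rebuilds a comment from parser events instead of editing the raw string."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open = [], []

    def _acceptable(self, tag, attrs):
        if tag not in ALLOWED or any(n not in ALLOWED[tag] for n, _ in attrs):
            return False  # unknown element, or a style/class/id/on* attribute
        # Links must be plain http(s); any other scheme disables the tag.
        return all((v or "").lower().startswith(("http://", "https://"))
                   for n, v in attrs if n == "href")

    def handle_starttag(self, tag, attrs):
        if not self._acceptable(tag, attrs):
            self.out.append(escape(self.get_starttag_text()))  # disabled: shown as text
            return
        self.open.append(tag)
        self.out.append("<%s%s>" % (tag, "".join(
            ' %s="%s"' % (n, escape(v or "")) for n, v in attrs)))

    def handle_endtag(self, tag):
        if self.open and self.open[-1] == tag:
            self.open.pop()
            self.out.append("</%s>" % tag)
        else:
            self.out.append(escape("</%s>" % tag))  # unmatched close: shown as text

    def handle_data(self, data):
        self.out.append(escape(data))


def filter_comment(html_text):
    f = CommentFilter()
    f.feed(html_text)
    f.close()
    while f.open:  # close what is still open so the comment cannot swallow the page
        f.out.append("</%s>" % f.open.pop())
    return "".join(f.out)


# Constructed sample: a comment carrying the kind of inline style described above.
SAMPLE = '<b>Nice post</b> <div style="position:fixed;top:0;left:0">x</div>'
```

Because the filter does not look at who wrote the comment, it treats a comment from a logged-in user the same as one from an anonymous commenter.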

  • The topic ‘Hijacking Pages Via Styles In Comments’ is closed to new replies.