• Resolved steffeninseoul

    (@steffeninseoul)


    Hello,

    Unfortunately, Jetpack Protect reports the following:

    The HTML Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting … up to version 1.3.28

    I would like to know whether the problem will be fixed in one of the next updates of the plugin.

    Thank you very much!

Viewing 2 replies - 1 through 2 (of 2 total)
  • This is a feature / by design and not an actual security risk. I go as far as to say this report is a false positive because the plugin is designed to offer this feature and this same feature is common in other places within WordPress.

    To keep HTML Forms as flexible as possible we allow the website administrator role (so only those who already have full access on the site) to add any sort of HTML and JavaScript code inside the form.

    Similarly, if you go to Appearance > Theme editor as administrator, you can insert JavaScript code there as well (and even PHP code). Or if you insert an HTML Code block into a post, you can insert JavaScript code there as well. Or if you use a code snippets plugin, or a plugin like ad-inserter, you can add JavaScript code there as well (I could go on).

    Hope that clarifies this.

    Kind regards,

    Thread Starter steffeninseoul

    (@steffeninseoul)

    Hi!

    Thanks for your quick and instructive answer. I completely understand!

    Kind regards

    Steffen

  • The topic ‘Vulnerable to stored cross-site scripting’ is closed to new replies.