Wordpress Security Question

2 replies
I am developing a Wordpress Multisite Network, and am coding a plugin that copies posts from the main blog to the client blog. I use the wp_insert_post function to update an existing post on the client blog with the content of a selected post from the main blog (blog 1).

During development, we discovered that the layout of the target posts on the client blog was breaking when the site admin ran the plugin, but not when the super admin visited the client blog and ran the plugin.

This was a problem and we looked for a solution for two or three weeks. I had three coders and myself looking to see if we could find any fault with the code. We couldn't find anything.

Luckily, a coder I used in 2009-2010 reappeared, and I asked him if he had any ideas. After looking at it for several hours, he admitted it was one of the strangest problems he had ever seen. He told me to go on to bed, and he would find the problem.

The next morning, there was a message on Skype for me to change most of my html to css to solve the problem. I did, it does.

I went back and read the codex page for the wp_insert_post function very carefully, and did not see anything explicitly explaining why this was happening. But, because it does say that anything created using the wp_insert_post function is run through kses, all I can assume is that the kses security is not applied if the user is the super admin.

Can anyone verify that, or explain it a bit more?
#question #security #wordpress
  • Profile picture of the author RobinInTexas
    That is a really advanced question that probably will get faster and more accurate answers over at the wordpress help forum WordPress › Support » WP-Advanced
    Signature

    Robin



    ...Even if you're on the right track, you'll get run over if you just set there.
    {{ DiscussionBoard.errors[8005503].message }}
  • Profile picture of the author David V
    @Kirk Ward, you answered your own question.....
    kses in not applied for super admin, but is for all other roles.
    There have been several attempts in the trac to modify this but it's been made clear that is not going to happen in the core, too much of a security issue.

    The Automattic team created a plugin for this, and although it's not been updated for awhile, it might still work, and if it doesn't, a little tweaking likely would bring it up to par.
    {{ DiscussionBoard.errors[8005737].message }}

Trending Topics