Theme Assets uploader allows HTML content
Low
Automattic
Team Summary
Official summary from Automattic
The reporter submitted a report highlighting that specially formatted yet valid HTML files were able to be uploaded as theme assets. Even though we allow for JavaScript on our blog network, we don't allow HTML files to be uploaded here so that we can restrict JavaScript execution to the blog network. Our fix involved whitelisting the specific files & mimetypes that are able to be uploaded as theme assets.
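The fix the summary describes is an allowlist of permitted theme-asset files and mimetypes rather than a denylist of dangerous ones. The following Python is an added illustration of that pattern and is not Automattic's code: the extension list, the accepted mimetypes, the magic-byte table and the `check_theme_asset` function are all constructed here for the example. It rejects an upload unless the extension is on the allowlist, the declared mimetype matches that extension, binary assets carry the expected magic bytes, and text assets do not begin with the leading tags that make a browser treat a document as HTML.

```python
import os
import re

# Hypothetical allowlist: extension -> accepted declared mimetypes.
# The report only says the fix allowlists specific files & mimetypes;
# these entries are constructed for illustration, not the real list.
ALLOWED_ASSETS = {
    ".css": {"text/css"},
    ".js": {"application/javascript", "text/javascript"},
    ".png": {"image/png"},
    ".jpg": {"image/jpeg"},
    ".jpeg": {"image/jpeg"},
    ".gif": {"image/gif"},
    ".woff2": {"font/woff2"},
}

# Magic-byte prefixes for the binary formats in the allowlist, so a file
# named logo.png that actually holds markup is rejected on content.
MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".woff2": (b"wOF2",),
}

# Leading tags that cause browsers to sniff a document as HTML (a simplified
# subset of the WHATWG MIME Sniffing table). Optional UTF-8 BOM and
# whitespace are allowed before the first tag, as sniffing permits.
HTML_START = re.compile(
    rb"\A(?:\xef\xbb\xbf)?\s*<(?:!doctype\s+html|html|head|body|script|iframe|"
    rb"style|title|meta|div|a|p|h1|table|font|b|br|!--)[\s>/]",
    re.IGNORECASE,
)


def check_theme_asset(filename, declared_mimetype, content):
    """Return (accepted, reason) for one upload attempt.

    Every check is positive (must match the allowlist); nothing is accepted
    merely because it failed to match a known-bad pattern.
    """
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_ASSETS:
        return False, f"extension {ext or '(none)'} is not an allowed theme asset"

    # Strip parameters such as "; charset=utf-8" before comparing.
    mimetype = declared_mimetype.split(";")[0].strip().lower()
    if mimetype not in ALLOWED_ASSETS[ext]:
        return False, f"mimetype {mimetype} does not match {ext}"

    if ext in MAGIC:
        if not any(content.startswith(m) for m in MAGIC[ext]):
            return False, f"content lacks the magic bytes expected for {ext}"
    elif HTML_START.search(content[:512]):
        # Valid CSS or JS never starts with an HTML tag; a text asset that
        # does would be rendered as a document if served with a loose type.
        return False, "text asset begins like an HTML document"

    return True, "accepted"


if __name__ == "__main__":
    # Constructed sample uploads, not files from the report.
    samples = [
        ("style.css", "text/css", b"body { color: red }"),
        ("page.html", "text/html", b"<html></html>"),
        ("style.css", "text/css", b"\n <!DOCTYPE html><body>hi</body>"),
        ("logo.png", "image/png", b"\x89PNG\r\n\x1a\n" + bytes(8)),
        ("logo.png", "image/png", b"<html>"),
    ]
    for name, mime, data in samples:
        ok, why = check_theme_asset(name, mime, data)
        print(f"{name:10} {mime:12} -> {'ACCEPT' if ok else 'REJECT'}: {why}")
```

The content sniff is deliberately limited to the start of the file: a JavaScript asset that contains `'<b>'` inside a string is legitimate, while a file whose first non-whitespace bytes are an HTML tag is not a valid CSS or JS file at all.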
Reported by
myominthu_sec
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Weakness
Unrestricted Upload of File with Dangerous Type