The problem looks like sloppiness in TinyMCE. However, WordPress should be scrubbing and sanity checking the HTML (WordPress does do this, right?) so it should be easy for WordPress to strip out the during the scrubbing. OTOH, TinyMCE should be doing the paste like this: create “hidden” , paste into it, mangling incoming HTML, delete “hidden” . That last step seems to be missing.

BTW, I don’t even use WordPress or TinyMCE, I think I got here through comp.risks and started playing around to see what I could eye-ball in the code.

No.

Then again, with a name like “_mcePaste” perhaps this scenario is less likely than WYSIWYG editor creating the tag out of thin air as you presume. I dunno. (Is MCE a WordPress acronym?)

Yes. TinyMCE is the visual editor used by WordPress. See http://tinymce.moxiecode.com/.

It seems possible that you pasted HTML content from your email client, and that the HTML content did contain this … tag. In cases like this should we expect the WordPress WYSIWYG editor to sanitize the paste, or to pass it through verbatim? I can see arguments for either way.

Then again, with a name like “_mcePaste” perhaps this scenario is less likely than WYSIWYG editor creating the tag out of thin air as you presume. I dunno. (Is MCE a WordPress acronym?)

The truly paranoid will therefore carefully review the entire HTML version of a blog entry before publishing it, if there’s any chance that private text was inadvertently posted into it in hidden form, but most people are not going to bother with this, because most people have no idea that the visual editor could have added hidden text to their blog without their knowledge or consent.

If the folks at security@wordpress.com had agreed with me that there is a security issue and asked me to work with them to help identify it, I would have been happy to do so.

Instead, they ignored me for a week, and then when they finally replied to my third attempt to get them to pay attention to me, they said everything was working properly and there was no security issue. They still haven’t acknowledged that there is a security issue.

So, I hope you’ll understand when I say that I’m not exactly motivated to put myself out to help them figure out their bug.

In any case, many people have posted about the problem on the Web, albeit not the security aspects of it, and several of them have discussed how they were able to reproduce it. I’m not convinced that they way they were able to reproduce it is the only vector for this bug, but it’s more than enough information to point the WordPress developers in the right direction and enable them to figure out the bug, should they choose to do so rather than ignoring reports about it.

Also, most support issues should go to the WordPress › Support forums.

This is not a support issue, it is a bug. Furthermore, it is a security bug, which is why I sent email to the private security email list rather than posting publicly about it. I posted publicly only because of the unacceptable response from the WordPress developers who are on that list.

From my point of view, copying and pasting HTML should act on *everything* a user has selected. There’s no way of knowing if the user just wants to paste the plain text, simple formatting (bold, lists, etc) or complex (tables, hidden markup, etc).

WordPress has no way of knowing whether the author wants the hidden markup or not. It would also be complex for it to figure out if the text would be hidden in the WYSIWYG view.

Assuming you do think it should change – how would you design the User Interface? Do you show a pop-up every time the user pastes HTML? The first time? Have it remove all formatting unless the user checks a config box?

It is a security flaw – no doubt about that. But it comes down to the bug/feature dichotomy.

T

Also, most support issues should go to the WordPress › Support forums.