In a nutshell, sometimes when you paste text into the editor, the editor inserts an invisible copy of the pasted text.  You won’t see the invisible text at all in the editor; it’s visible in the HTML view, but WordPress users often post without every looking at the HTML view (that is, after all, the whole point of the editor).  Even if you do look at the HTML, you probably won’t notice the hidden text block unless you know to look for it, which most people obviously don’t.  It is not clear whether this invisible copy is inserted in addition to a visible copy of the same text, or whether it’s inserted instead of the visible copy you intended.

Although the text is not visible in the editor, it is in the HTML, which means that when you publish your blog entry, the hidden text goes along with it.  Search engines will happily index it and even show you snippets from it in search results if you search for a keyword that’s found in the hidden text.  Furthermore, syndicators of your blog that strip out HTML style attributes (including, e.g., the feed syndicator at LiveJournal.com) will render the previously invisible text for the world to see.

I was posting a blog entry about some idiots emailing me a Web site username and password, and I cut and pasted their email into my blog posting and then edited it to remove the username and password before publication.  Although I edited the visible text successfully, the unedited, invisible text remained and was picked up by the search engines and LiveJournal.  Voilà!  Time to change a bunch of passwords. *sigh*

This is not a terribly serious security hole, as these things go, but it is real and needs to be addressed.  Unfortunately, the maintainers of WordPress do not seem to be taking it particularly seriously.  I sent this report to security@wordpress.com:

I am running WordPress 2.8.4.

I recently posted a blog entry…

Here is what appeared, without my knowledge at the end of the unfixed version that I first published:

<div id=”_mcePaste” style=”overflow: hidden; position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px;”> … </div>

In other words, for some reason, when I pasted the email message text into the Visual editor, somehow this hidden text block got pasted, in addition to the visible text block that I then edited, and the hidden, unedited text block remained in the blog entry when it was published.

I don’t know how this happened. I don’t recall doing anything unusual that might have caused it when editing the blog entry.

The security issue here should be obvious — it is a big problem that text that someone pastes into a blog entry they are editing can end up being inserted into the published blog entry without their knowledge. In my case, the problem is particularly egregious, since usernames and passwords were involved, but any time text gets published that the author isn’t aware is being published, that’s a problem.

The text was invisible in my blog because of the style attributes, but Google indexed it anyway, which means that it could show up in Google search results if you searched for the right keyword. Not only that, but when the syndicated LiveJournal feed of my blog picked up the blog posting, the style attributes were stripped, and the text became visible on LiveJournal to everyone who reads my blog there.

…

When I Google for “<div id=”_mcePaste” style=”overflow: hidden; position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px;”>”, Google finds 83 matches (if you tell it to display all matches, rather than letting it filter out the ones it thinks are similar), so clearly I’m not the only person who has been bitten by this, although I haven’t looked to see if any of the other inadvertently exposed text is as security-sensitive as it was in my case. Also, if you Google for “_mcepaste hidden”, you will see that others have run into this issue, although it doesn’t look like anyone has realized the security-hole aspect of it.

I hope you will take this issue seriously.

I didn’t hear back from them for two days, so I wrote to them again.  I didn’t hear back from them for another five days after that, so I wrote to them again.  They finally responded, “Switch from the Visual to the H TML tab to see hidden blocks.  Visiaul is a WYSIWYG and seems to be doing exactly as it should… That said, we can look into putting up a little warning message if the content contains hidden text.”

I responded:

I don’t understand what you are saying.

It is not correct behavior for a WYSIWYG editor to paste hidden text into a document and not tell you that it is there.

You could make a case that it is correct behavior if (a) there were some purpose to the hidden text and (b) it happened every time. Neither of these is the case. There is no purpose to the hidden text; when the WYSIWYG editor pastes properly, the text is visible, not hidden. And it only happens rarely, thus making it rather clear that it is a malfunction rather than intended behavior.

Even if the behavior were both intended and functional, neither its existence nor its purpose is documented anywhere, nor is the user informed in any way when invisible text is pasted. Therefore, it would still be a security issue in this case, because it is making data that people publicly visible that people don’t expect to be publicly visible without informing them.

If there is a purpose to the hidden text, then what is it?

I also told them that displaying a warning message would be a good start, but not inserting hidden text into blog postings for no discernable reason would be a better solution.

I’ve heard nothing further back from them.

I am publicizing this issue both to warn other WordPress bloggers about it and to ask publicly for the WordPress development team to acknowledge that this bug is a security hole and commit to fixing it.