How to remove unfiltered_html from WordPress MU 1.3.3 (8 posts)

  1. donncha
    Key Master
    Posted 16 years ago #

    Many moons ago the "unfiltered_html" capability was removed from WordPress MU. Unfortunately it sneaked in again just before the last release.

    Thank you Jason Ling for emailing me this morning and warning about this oversight. Unfortunately spammers had created text widgets with Javascript code on his MU site.

    It's easy to fix the permissions:
    Download the new schema.php from http://trac.mu.wordpress.org/browser/trunk/wp-admin/includes/schema.php?rev=1203 and copy it into wp-admin/includes/ - that fixes the problem for any new blogs.
    Grab this little plugin and place it in mu-plugins (after renaming it to .php of course): http://ocaoimh.ie/wp-content/uploads/2008/03/remove_unfiltered_html_cap.txt
    Now, go to "Site Admin"->Upgrade and upgrade your site. This will call the upgrade script for every blog and in the process call the plugin and remove the unfiltered_html capability.

    Unfortunately, there's no easy way to remove any offending code, but the next time they edit their text widgets or posts, the Javascript or any offending code will be stripped out.

    I may very well make this remove_cap() code a permanent part of WPMU because there's no good reason for ordinary users to have that capability.
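    The kind of mu-plugin the post above describes, written here as an added example rather than donncha's actual remove_unfiltered_html_cap.txt. It assumes WPMU's is_site_admin() check and the standard WP_Roles / user_has_cap API of that era, and it does its work on every 'init' rather than only during the upgrade pass, so it does not depend on which hook the upgrade script fires.

```php
<?php
/*
Plugin Name: Remove unfiltered_html capability (example)
Description: Strips the unfiltered_html capability from every role on the
             current blog, so widget and post content goes through wp_kses.
*/

// Persistently remove unfiltered_html from each role that still has it.
// Runs on init: the has_cap() check is cheap and remove_cap() only writes
// to the blog's wp_user_roles option when something actually changes.
function example_remove_unfiltered_html_cap() {
    global $wp_roles;

    // On older installs the roles object may not be built yet.
    if ( ! isset( $wp_roles ) ) {
        $wp_roles = new WP_Roles();
    }

    foreach ( $wp_roles->role_names as $role_key => $role_name ) {
        $role = get_role( $role_key );
        if ( $role && $role->has_cap( 'unfiltered_html' ) ) {
            $role->remove_cap( 'unfiltered_html' );
        }
    }
}
add_action( 'init', 'example_remove_unfiltered_html_cap' );

// Belt and braces: deny the capability at check time even if a role
// definition re-adds it later. Site admins keep it; ordinary users do not.
// is_site_admin() is the WPMU-era site-admin check (assumption).
function example_deny_unfiltered_html( $allcaps, $caps, $args ) {
    if ( in_array( 'unfiltered_html', $caps ) && ! is_site_admin() ) {
        $allcaps['unfiltered_html'] = false;
    }
    return $allcaps;
}
add_filter( 'user_has_cap', 'example_deny_unfiltered_html', 10, 3 );
```

    With the capability gone, content saved by non-admin users passes through the kses filters, which is what strips the script tags out of the text widgets the next time they are edited.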

  2. andrea_r
    Moderator
    Posted 16 years ago #

    Blogged it.

  3. MrBrian
    Member
    Posted 16 years ago #

    Dang spammers are ruthless!

  4. mrball
    Member
    Posted 16 years ago #

    Has separating the frontend and admin into different domains been considered? (a la blogspot) That would very much reduce the risk of XSS in one swoop.

    Although it's not that trivial a job.

  5. donncha
    Key Master
    Posted 16 years ago #

    mrball - it has been but it was never given enough thought. With the proper filtering on the siteurl and home options it might not be too hard to get a basic separation going.

  6. lunabyte
    Member
    Posted 16 years ago #

    Without digging too deep, I'd think that since WP can handle a site and home url (which can differ), then with a bit of code to recognize those as two entities (additional domain, same path/sub), it could be quite possible to accomplish this.

    How much tinkering with the core that it would take is anyone's guess.

    That's the beauty of PHP though. Anything is possible.

  7. donncha
    Key Master
    Posted 16 years ago #

    A few hours work and I have this mostly working on my dev server which uses VHOSTS. I used the sunrise.php feature as well as an mu-plugin to override the siteurl option and do some redirecting.

    Login links redirect to a new domain, as do attempts to go to /wp-admin/

    I haven't even tried to do anything with comments yet. If a malicious blogger had unfiltered_html access they could steal the email addresses of visitors who commented with a small bit of Javascript.
    Comment forms would have to submit to the alternate domain, and possibly load from there.

    I'll see about cleaning this up and releasing some code next week. Anyone interested?

  8. Trent
    Member
    Posted 16 years ago #

    I would be willing to test this out since half of my installs are on domain mapping anyways. Are you talking FQD changes or just subdomain admin? I can test both actually :)
