WordPress: XSS on the editor page, only in wordpress.com, not wordpress.org. Reported: 2013-9-30, now fixed.
Movable Type: XSS on the editor page. Reported: 2013-9-30, fixed on MT6 and
Google Blogger: self-XSS on the editor page, whitelist filter bypass via <!-->. Reported: 2013-10-2, now fixed, $500.
Common pattern: preview function + raw HTML editor, embed code, etc. Self-XSS was possible in some cases (a server-side filter is useless against self DOM XSS, because the payload never reaches the server before the editor renders it).
How to fix #1: simply output valid HTML. Use a whitelist, and output well-formed, valid HTML.
How to fix #2: use the browser's parser; you don't need to write a new HTML parser.
  document.implementation.createHTMLDocument
  some_element.innerHTML = htmlstring   ← this executes <img src=x onerror=...> in the live document
  createHTMLDocument only parses; it creates a dead (inert) DOM in which scripts and event handlers do not run.
Opera 12: Opera 12's createHTMLDocument is buggy, don't use it. Opera 12 executes <img src=x onerror=...> even there.
Conclusions: There is a difference between the actual browser and JS/server-side HTML parsers. Invalid HTML causes problems that were not predicted. Use a whitelist, and output well-formed, valid HTML.
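Fix #1 and fix #2 combined, as an added example (not the speaker's code): the browser's own parser builds an inert document, then a whitelist walker re-emits only allowed elements and attributes as well-formed HTML. The function names parseInert and toSafeHtml and the contents of the whitelist are assumptions for this demo.

```javascript
// Step 1 (browser only): parse with the browser's own parser into a document
// that never runs scripts, event handlers, or resource loads. parseInert is an assumed name.
function parseInert(html) {
  const doc = document.implementation.createHTMLDocument('');
  doc.body.innerHTML = html;      // <img onerror=...> does NOT fire in this inert document
  return doc.body;
}

// Step 2: walk the inert tree and emit only what the whitelist allows (demo whitelist).
// A Map avoids Object.prototype lookups for odd tag names such as <constructor>.
const ALLOWED_TAGS = new Map([
  ['p', ['class']], ['b', []], ['i', []], ['a', ['href', 'title']], ['img', ['src', 'alt']], ['br', []],
]);
const VOID_TAGS = new Set(['img', 'br']);   // emitted without an end tag, per the HTML spec

function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Allow http(s), protocol-relative, path and fragment URLs; any other scheme
// (javascript:, data:, vbscript:) is rejected because it contains a colon.
function safeUrl(v) {
  return /^(https?:|\/|#|[^:]*$)/i.test(v.trim()) ? v : null;
}

// Works on any DOM-shaped tree: nodeType, nodeName, attributes, childNodes, nodeValue.
function toSafeHtml(node) {
  let out = '';
  for (const child of node.childNodes) {
    if (child.nodeType === 3) {                   // TEXT_NODE: always escaped
      out += escapeText(child.nodeValue);
    } else if (child.nodeType === 1) {            // ELEMENT_NODE
      const tag = child.nodeName.toLowerCase();
      const allowedAttrs = ALLOWED_TAGS.get(tag);
      if (!allowedAttrs) {
        // Unknown element: drop the tag but keep its children, except script/style bodies
        if (tag !== 'script' && tag !== 'style') out += toSafeHtml(child);
        continue;
      }
      let attrs = '';
      for (const a of child.attributes) {
        const name = a.name.toLowerCase();
        if (!allowedAttrs.includes(name)) continue;        // drops every on* handler
        let value = a.value;
        if (name === 'href' || name === 'src') { value = safeUrl(value); if (value === null) continue; }
        attrs += ` ${name}="${escapeText(value)}"`;
      }
      out += VOID_TAGS.has(tag) ? `<${tag}${attrs}>` : `<${tag}${attrs}>${toSafeHtml(child)}</${tag}>`;
    }
    // Comments (nodeType 8) and all other node types are dropped, so <!--> never reaches the output.
  }
  return out;
}
```

In the browser the preview would call toSafeHtml(parseInert(userHtml)) and assign the result to the preview element; only the re-serialized, well-formed whitelist output ever touches the live document.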