Timestamp:
07/18/2016 02:03:04 PM (4 years ago)
Author:
ocean90
Message:

Comments: Use wp_strip_all_tags() to strip HTML tags.

wp_kses() should only be used if you have a whitelist.

Props rachelbaker.
Fixes #37208.

File:
1 edited

  • trunk/src/wp-includes/comment.php

    r38048 r38092  
    10581058
    10591059    // Ensure HTML tags are not being used to bypass the blacklist.
    1060     $comment_without_html = wp_kses( $comment, array() );
     1060    $comment_without_html = wp_strip_all_tags( $comment );
    10611061
    10621062    $words = explode("\n", $mod_keys );
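Review bot: No regression test accompanies the swap on line 1060 from wp_kses( $comment, array() ) to wp_strip_all_tags( $comment ); the changeset edits only comment.php. The comment on line 1059 states the requirement (HTML tags must not be usable to bypass the blacklist), so a unit test should assert that a comment with markup placed inside a listed word is still matched once $comment_without_html is checked, and that the result is the same as with the old call for the inputs the blacklist is expected to handle. It would also help to extend the line 1059 comment to say that every tag is stripped here, since the empty array() that made that explicit is gone.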