Changeset 42287 for branches/4.4/src/wp-includes/functions.php

Timestamp:

11/29/2017 04:28:05 PM (8 years ago)

Author:

johnbillion

Message:

Hardening: Remove the ability to upload JavaScript files for users who do not have the unfiltered_html capability.

Merges [42261] to the 4.4 branch.

Location:

branches/4.4

Files:

• . (modified) (1 prop)
• src/wp-includes/functions.php (modified) (1 diff)

branches/4.4/src/wp-includes/functions.php

@@ -2425 +2425 @@
         $unfiltered = $user ? user_can( $user, 'unfiltered_html' ) : current_user_can( 'unfiltered_html' );
 
-    if ( empty( $unfiltered ) )
-        unset( $t['htm|html'] );
+    if ( empty( $unfiltered ) ) {
+        unset( $t['htm|html'], $t['js'] );
+    }
 
     /**