WordPress.org

Make WordPress Core

Opened 4 years ago

Closed 4 years ago

#17400 closed defect (bug) (invalid)

Disable JavaScript in Comments

Reported by: Kuzmanov
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 3.2
Component: Comments
Keywords:
Focuses:
Cc:

Description

I think the ticket name says everything. Shouldn't JavaScript be disabled in comments?

Change History (3)

comment:1 @duck_ 4 years ago

What do you mean?

Are you saying you're able to put <script> tags in comments? If so, are you writing said comment as an admin or editor user (someone with the unfiltered_html capability)?

comment:2 @Kuzmanov 4 years ago

Only when I'm logged in as an admin. As I see, no one can put <script> in comments in WordPress 3.1.2, that's why I'm reporting this. It's not 'very' safe when someone can use <script> in the comments, even if it's an admin user.

comment:3 @ocean90 4 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

To disallow unfiltered HTML for all users, you can add this to wp-config.php:

define( 'DISALLOW_UNFILTERED_HTML', true );

From wpdevel post by Nacin.
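
An added example, not part of the ticket or of WordPress core: a short audit script to confirm the setting discussed above took effect, by listing which roles and accounts hold unfiltered_html and checking that the comment allow-list strips a script tag. It assumes a current WordPress install with WP-CLI, run as `wp eval-file audit-unfiltered-html.php`; the file name and the sample comment are made up for illustration.

```php
<?php
/**
 * Added example (not from the ticket or WordPress core): audit who can post
 * unfiltered HTML and confirm the comment filter strips <script>.
 * Assumed usage: wp eval-file audit-unfiltered-html.php (hypothetical file name).
 */

// 1. Is the constant from wp-config.php in effect?
$disallowed = defined( 'DISALLOW_UNFILTERED_HTML' ) && DISALLOW_UNFILTERED_HTML;
echo 'DISALLOW_UNFILTERED_HTML: ' . ( $disallowed ? 'on' : 'off' ) . "\n";

// 2. Which roles carry the capability in their stored definition?
foreach ( wp_roles()->roles as $slug => $role ) {
	if ( ! empty( $role['capabilities']['unfiltered_html'] ) ) {
		echo "role grants unfiltered_html: {$slug}\n";
	}
}

// 3. Which accounts pass the effective check? user_can() goes through
//    map_meta_cap(), so it reflects the constant and the multisite rules,
//    not just the stored role definition.
$holders = array();
foreach ( get_users( array( 'fields' => array( 'ID', 'user_login' ) ) ) as $user ) {
	if ( user_can( (int) $user->ID, 'unfiltered_html' ) ) {
		$holders[] = $user->user_login;
	}
}
echo 'users with effective unfiltered_html: '
	. ( $holders ? implode( ', ', $holders ) : 'none' ) . "\n";

// 4. Constructed sample comment, run through the allow-list that applies to
//    comments from users without the capability.
$sample   = 'Nice post <script>document.title = "x";</script> <strong>thanks</strong>';
$filtered = wp_kses( $sample, wp_kses_allowed_html( 'pre_comment_content' ) );
echo ( false === stripos( $filtered, '<script' ) ? 'script tag stripped' : 'script tag SURVIVED' ) . "\n";

// Exit non-zero if the constant is set but an account still holds the
// capability, so the script can be used as a deployment check.
if ( $disallowed && $holders ) {
	exit( 1 );
}
```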
