Opened 7 years ago
Closed 7 years ago
#42964 closed defect (bug) (invalid)
Vuln Javascript with admin
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | 4.9.1 |
| Component: | General | Keywords: | |
| Focuses: | | Cc: | |
Description
Hi,
I have read this:
https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-some-users-allowed-to-post-unfiltered-html
It says that I can disallow unfiltered HTML for all users, including administrators.
But an admin can still post XSS in a comment.
Is this a bug?
Change History (2)
Hi @trungnd51,
You'll need to insert the `define( 'DISALLOW_UNFILTERED_HTML', true );` line above the line which reads "That's all, stop editing!" for it to take effect. Currently it's being defined effectively after WordPress is run.
Next, in future, please take note of the warnings before submitting an issue to Trac; you would've triggered a warning about not submitting potential security vulnerabilities here. Thankfully this isn't one, but in future please follow the steps in the link you posted on how to submit a security issue.
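The placement the reply describes, shown as an added `wp-config.php` excerpt (this is illustrative example text, not a file from the ticket or from WordPress core; the surrounding lines mirror the layout of the standard `wp-config-sample.php`, and the "too late" variant is included only to show the mistake the reply is pointing at):

```php
<?php
// Added example: the part of wp-config.php that matters for DISALLOW_UNFILTERED_HTML.
// Everything above the "stop editing" marker runs BEFORE wp-settings.php loads WordPress.

// ... database settings, salts, $table_prefix, etc. go here ...

// Correct placement: defined before WordPress is loaded, so the constant is
// already set when capability checks and the kses comment filters are wired up.
define( 'DISALLOW_UNFILTERED_HTML', true );

/* That's all, stop editing! Happy publishing. */

/** Absolute path to the WordPress directory. */
if ( ! defined( 'ABSPATH' ) ) {
	define( 'ABSPATH', __DIR__ . '/' );
}

/** Sets up WordPress vars and included files. */
require_once ABSPATH . 'wp-settings.php';

// Wrong placement (the situation described in the reply): by the time this
// line executes, wp-settings.php has already run, so it has no effect.
// define( 'DISALLOW_UNFILTERED_HTML', true );
```

To confirm the constant is in effect, log in as an administrator and check `current_user_can( 'unfiltered_html' )` (for example from a must-use plugin); it should return false, and comment and post content from that account is then passed through the kses allow-list filters like any other user's.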