I’m creating a template for comments on my WordPress site. I noticed that a simple <script>alert(1);</script>
slips through the default WP codex implementation of comments, using the comment_text()
function to display my comments. No bueno.
How can i properly sanitize and/or escape WordPress comments? The esc_html()
function, seems to do nothing in this case.
1 Answer
After thinking about this a little bit, I guess that the proper way to ensure that your comments are properly escaped, is by doing something like this:
$the_comment = get_comment_text();
echo '<p>' . esc_html($the_comment) . '</p>';
Instead of simply using the function like this:
comment_text();
Why even have these handy functions in the first place, if they aren’t properly escaped? The comment_author();
function IS, yet this is not for some reason?
Perhaps I am missing something?
I was missing something: the unfiltered_html
capability given to the admin role, extends to comments. Read more here: https://wordpress.org/support/article/roles-and-capabilities/#unfiltered_html