I noticed that if you are an admin or editor, you are able to put in script code like this in comments (not in the page/post editor) for admin/editor roles:
<script>alert("Danger, Wil Robinson!");</script>
There doesn’t seem to be much documentation on this, which is allowed by unfiltered_html (see the answers here).
It is only enabled for admin/editor roles; other roles will ignore any scripting commands in comments. But this seems to be a security risk.
What do others think about this possible security risk that allows script commands in comments?
Added
Remember that this question is about comments, and how a malicious script in the comment can affect visitors.
Try it out on your own site. Don’t log in; be a ‘random’ non-authenticated visitor. Put the above script command in a comment and save it. Now refresh the page, and the alert message will show up (assuming you have not disabled JavaScript).
You have just proven that a malicious script in a comment will affect visitors to your site. It may not affect your site, but it will affect any visitor to your site.
Now, it might be useful for some sites to allow scripts in pages/posts. That is not the issue here. The issue is scripts in comments, which can be dangerous to the visitor.
PROOF OF CONCEPT (added)
Look at this page https://cellarweb.com/fstraptest/this-is-a-new-post/#comment-502 . Basic WP, no plugins activated, 2017 theme. Added a new post. Logged out. Opened new browser window (not tab). Loaded site as ‘visitor’ (no login). Looked at that post. Then commented on the post; saved it. Saw the popup. Redisplayed the post. Saw the popup.
If you go to that link, you will see “Danger Wil Robinson” popup.
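One way a site owner can close this gap, as an added example that is not part of the question and not WordPress core code: a small must-use plugin that re-applies the comment kses filter for every user regardless of the unfiltered_html capability, and also sanitises comment text at render time so scripts already stored in the comment table never reach a visitor's browser. The function names prefixed cw_example_ are assumed names for this example; the hooks and functions they call (pre_comment_content, comment_text, map_meta_cap, wp_kses, wp_kses_allowed_html) are real WordPress APIs.

```php
<?php
/**
 * Plugin Name: Always sanitize comment HTML (added example, not core code)
 *
 * Place this file in wp-content/mu-plugins/ so it loads on every request.
 * Core removes its own kses filters for users who hold unfiltered_html
 * (administrators and editors), so their comments are stored verbatim.
 */

// 1. Sanitise on save. Priority 99 so this runs after core's own filters,
//    whether or not core removed them for the current user.
add_filter( 'pre_comment_content', 'cw_example_force_comment_kses', 99 );

function cw_example_force_comment_kses( $content ) {
    // 'data' is the context core uses for comments: the $allowedtags list
    // (a, b, blockquote, code, em, strong, ...) with no script, iframe or
    // on* event attributes.
    return wp_kses( $content, wp_kses_allowed_html( 'data' ) );
}

// 2. Sanitise on output, protecting visitors from comments that were stored
//    before this plugin was installed. Priority 1 so it runs before
//    wpautop/make_clickable, which expect the same tag set.
add_filter( 'comment_text', 'cw_example_force_comment_kses', 1 );

// 3. Deny the capability itself, site-wide. This has the same effect as
//    define( 'DISALLOW_UNFILTERED_HTML', true ); in wp-config.php and also
//    covers pages/posts, so omit this hook if trusted users still need raw
//    HTML in the post editor.
add_filter( 'map_meta_cap', 'cw_example_deny_unfiltered_html', 10, 2 );

function cw_example_deny_unfiltered_html( $caps, $cap ) {
    if ( 'unfiltered_html' === $cap ) {
        return array( 'do_not_allow' );
    }
    return $caps;
}
```

To check the result, post the <script> comment from the question as an administrator and confirm that the stored comment_content in wp_comments contains no <script> tag and that the alert no longer fires for a logged-out visitor.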