Why is javascript allowed in my post content?

The Codex says you can’t add JavaScript in the post content:

https://codex.wordpress.org/Using_Javascript

But I can. I’ve turned off all plugins and changed to the twentysixteen theme, but to no avail – I can still add JavaScript via the post content and have it run on the frontend. I don’t want anyone to be able to add JavaScript through the post content (apart from oEmbed etc.) for security reasons.

Has anyone experienced this or have any ideas to help?

Thanks


If you have the unfiltered_html capability then you can use JS. Admins and editors have this capability by default.

Personally I use a plugin for fine control of my users’ capabilities, but you can make this change easily in code:

  <?php
  // Strip unfiltered_html from the two roles that carry it by default,
  // so their post content is passed through the kses filters like everyone else's.
  $role = get_role( 'administrator' );
  $role->remove_cap( 'unfiltered_html' );
  $role = get_role( 'editor' );
  $role->remove_cap( 'unfiltered_html' );

The capabilities are stored in the options db table, so technically you don’t need to execute this repeatedly. Maybe make yourself a small plugin and put this on the activation hook.

Don’t forget that admins could circumvent this by loading their own code and then directly editing the role options. I never let anyone have the admin role unless I’m happy for them to do anything.
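As a worked version of the "small plugin on the activation hook" idea above, here is an added example (not code from the original answer) that removes the capability once on activation, restores it on deactivation, and additionally denies it at runtime via the same `map_meta_cap` mechanism WordPress core uses. The plugin name, function names and the `DUH_ROLES` list are assumptions for this example.

```php
<?php
/**
 * Plugin Name: Disallow unfiltered_html (example)
 * Description: Removes the unfiltered_html capability so post content always goes through wp_kses.
 */

// Roles that hold unfiltered_html by default on a single-site install (constructed list for this example).
const DUH_ROLES = array( 'administrator', 'editor' );

// Capabilities persist in the wp_user_roles option, so this only needs to run once, on activation.
function duh_remove_unfiltered_html() {
    foreach ( DUH_ROLES as $role_name ) {
        $role = get_role( $role_name );
        if ( $role && $role->has_cap( 'unfiltered_html' ) ) {
            $role->remove_cap( 'unfiltered_html' );
        }
    }
}
register_activation_hook( __FILE__, 'duh_remove_unfiltered_html' );

// Put the capability back on deactivation so the site returns to WordPress defaults.
function duh_restore_unfiltered_html() {
    foreach ( DUH_ROLES as $role_name ) {
        $role = get_role( $role_name );
        if ( $role ) {
            $role->add_cap( 'unfiltered_html' );
        }
    }
}
register_deactivation_hook( __FILE__, 'duh_restore_unfiltered_html' );

// Runtime guard: even if the stored role options are later edited to re-grant the capability,
// mapping it to 'do_not_allow' makes current_user_can( 'unfiltered_html' ) return false
// while this plugin is active (this is how core handles DISALLOW_UNFILTERED_HTML).
add_filter( 'map_meta_cap', function ( $caps, $cap ) {
    if ( 'unfiltered_html' === $cap ) {
        return array( 'do_not_allow' );
    }
    return $caps;
}, 10, 2 );
```

Note that activation hooks do not fire for must-use plugins, so if you drop this into `mu-plugins` only the runtime `map_meta_cap` guard applies. As the answer says, anyone who can load their own code on the site can still remove this filter, so it limits editors and contributors, not a hostile administrator.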
