Why Allow Script Commands in Comments?

I noticed that if you are an admin or editor, you are able to put in script code like this in comments (not in the page/post editor) for admin/editor roles:

<script>alert("Danger, Wil Robinson!");</script>

There doesn't seem to be much documentation on this, which is allowed by unfiltered_html (see the answers here).

It is only enabled for admin/editor roles; other roles will ignore any scripting commands in comments. But this seems to be a security risk.

What do others think about this possible security risk that allows script commands in comments?
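For anyone who wants to close this gap rather than just discuss it, here is an added example (not from the original post or from WordPress core) of a must-use plugin that makes comment content go through the normal KSES allowlist for every role. It assumes a standard single-site install where the mu-plugins directory is wp-content/mu-plugins/; the filter names and core functions it hooks are real, the callback logic is mine.

```php
<?php
/**
 * Plugin Name: Filter comment HTML for every role (added example)
 *
 * WordPress skips KSES on comment content for any user holding the
 * unfiltered_html capability, which Administrator and Editor have on a
 * single-site install. This drop-in applies two independent layers;
 * either one alone closes the hole described above.
 */

// Layer 1: deny unfiltered_html to everyone except administrators.
// map_meta_cap is the point where core itself resolves this capability,
// so the denial covers comments, posts and widgets alike. (Defining the
// core constant DISALLOW_UNFILTERED_HTML in wp-config.php does the same
// thing, but for administrators too.)
add_filter( 'map_meta_cap', function ( $caps, $cap, $user_id ) {
    if ( 'unfiltered_html' !== $cap ) {
        return $caps;
    }
    $user = get_userdata( $user_id );
    if ( $user && in_array( 'administrator', (array) $user->roles, true ) ) {
        return $caps; // keep core's decision for administrators
    }
    return array( 'do_not_allow' ); // any other role: capability refused
}, 10, 3 );

// Layer 2: run the comment tag allowlist (the same one anonymous
// commenters get) on every new comment regardless of capability.
// Core hooks wp_filter_kses on this filter and kses_init() removes it
// for unfiltered_html users; this separate callback is never removed.
// Comment data is slashed at this point, hence the unslash/slash pair.
// The 'pre_comment_content' context resolves to the default (comment)
// allowlist in wp_kses_allowed_html().
add_filter( 'pre_comment_content', function ( $content ) {
    $clean = wp_kses( wp_unslash( $content ), 'pre_comment_content' );
    return wp_slash( $clean );
}, 1 );
```

With this in place, the <script> example in the question is stripped to plain text when the comment is saved, whatever role submitted it.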
