I noticed that if you are an admin or editor, you are able to put in script code like this in comments (not in the page/post editor) for admin/editor roles:
<script>alert("Danger, Wil Robinson!");</script>
There doesn't seem to be much documentation on this, which is allowed by unfiltered_html (see the answers here).
It is only enabled for admin/editor roles; other roles will ignore any scripting commands in comments. But this seems to be a security risk.
What do others think about this possible security risk that allows script commands in comments?
Read more here: Why Allow Script Commands in Comments?
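One way a site owner can close the gap the question describes without taking unfiltered_html away from the post editor, as an added example that is not part of the original thread: a must-use plugin that forces WordPress' own comment sanitizer (wp_filter_kses) onto every comment, whoever submits it. Core removes its default wp_filter_kses hook for users who hold unfiltered_html, so the example registers a differently named wrapper that core's removal does not touch; the file name and the DISALLOW_UNFILTERED_HTML alternative noted in the comments are assumptions about the deployment, not something the thread specifies.

```php
<?php
/**
 * Plugin Name: Force comment sanitization
 * Description: Run comment content through wp_filter_kses for every user,
 *              including roles that hold the unfiltered_html capability.
 *
 * Drop this file into wp-content/mu-plugins/ (path assumed; adjust to taste).
 */

// Deny direct access to the file outside of WordPress.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/**
 * Wrapper around core's comment sanitizer.
 *
 * Core's kses_init() calls remove_filter( 'pre_comment_content', 'wp_filter_kses' )
 * when the current user can unfiltered_html. Because this callback has a
 * different name, that removal leaves it in place, so <script> and other
 * disallowed tags are stripped from comments for admins and editors too.
 *
 * $content arrives slashed on pre_comment_content; wp_filter_kses unslashes,
 * applies the comment allow-list (the default kses context), and re-slashes.
 */
function force_comment_kses( $content ) {
    return wp_filter_kses( $content );
}
add_filter( 'pre_comment_content', 'force_comment_kses', 20 );

/*
 * Site-wide alternative (affects posts as well as comments): in wp-config.php,
 * define( 'DISALLOW_UNFILTERED_HTML', true ); removes unfiltered_html from all
 * users via map_meta_cap. The filter above is the narrower, comments-only fix.
 */
```

Verify by posting a comment containing `<script>alert(1)</script>` as an administrator; after activation the stored comment_content should contain only the text, with the script tags removed.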