WordPress comments

Why Allow Script Commands in Comments?

I noticed that if you are an admin or editor, you are able to put in script code like this in comments (not in the page/post editor) for admin/editor roles:

<script>alert(“Danger, Wil Robinson!”);</script>

There doesn’t seem to be much documentation on this, which is allowed by unfiltered_html (see the answers here ).

It is only enabled for admin/editor roles; other roles will ignore any scripting commands in comments. But this seems to be a security risk.

What do others think about this possible security risk that allows script commands in comments?

Read more here:: Why Allow Script Commands in Comments?

Related posts:

  1. Comments/Discussion Not enabled on newly created posts/pages
    Like the title says, new posts and pages do not automatically have comments enabled, even though I have the option checked in discussion settings. Any…
  2. Disable or Enable Comments on Front end
    Any plugin or code can enable or disable comments on front end by post author? Back end is closed for my authors and some authors…
  3. Disable or Enable Wp Comments on Frontend
    Any pluging or code can enable or disable comments on frontend by post author. Backend is closed for my authors and some authors sometimes dont…
  4. How to amend time format of comments, using child-theme?
    How to amend (override) the time format of the comments (of the posts and pages), not touching the wordpress initial installation? I use a child…
  5. WP_Comment_Query – Get comments and answers separately
    I was developing a theme and this time I chose to use the bootstrap4, I found some difficulties in the way but I managed to…

Leave a Reply

Your email address will not be published. Required fields are marked *