Title: Strip or forbid Javascript in comments
Last modified: August 18, 2016

---

# Strip or forbid Javascript in comments

 *  [paulzag](https://wordpress.org/support/users/paulzag/)
 * (@paulzag)
 * [20 years, 12 months ago](https://wordpress.org/support/topic/strip-or-forbid-javascript-in-comments/)
 * A friend’s WP blog got slashdotted. Not fun at all: 10GB of traffic in 4 days,
   95585 unique visitors. All of them kicking tyres and trying to be smart.
 * One of these clever sheep placed a JavaScript endless loop in his comment. The
   only way out is to kill your browser process; this exploit works under IE, Firefox
   and Opera, for Windows. I could try the same here but it wouldn’t be polite.
 * How do I strip or disable JavaScript for comments, specifically onmouseover events?
   I just replicated the exact problem in a comment on my 1.5.1.2 blog.

Viewing 4 replies - 1 through 4 (of 4 total)

 *  [Denis de Bernardy](https://wordpress.org/support/users/denis-de-bernardy/)
 * (@denis-de-bernardy)
 * [20 years, 12 months ago](https://wordpress.org/support/topic/strip-or-forbid-javascript-in-comments/#post-223055)
 * Normally, this is built-in. WP only allows a limited set of tags. Then again,
   various tricks once allowed bypassing PHP’s strip_tags function, e.g.
   `<scr<script>ipt>`. Was any dirty trick used?
 *  Thread Starter [paulzag](https://wordpress.org/support/users/paulzag/)
 * (@paulzag)
 * [20 years, 11 months ago](https://wordpress.org/support/topic/strip-or-forbid-javascript-in-comments/#post-223712)
 * I’m not sure if my friend kept the source or just deleted the post…
 * I just did a test comment on my blog without any dirty tricks. I just created
   an anchor with an onmouseover event. The endless loop activated.
 * So how do we strip or stop an onmouseover exploit?
 *  Thread Starter [paulzag](https://wordpress.org/support/users/paulzag/)
 * (@paulzag)
 * [20 years, 11 months ago](https://wordpress.org/support/topic/strip-or-forbid-javascript-in-comments/#post-223761)
 * Given there isn’t a lot of response here I’ll illustrate the exploit. I think bbPress
   should strip out the greater-thans.
 * `<a onmouseover="for(;;)alert('endless loop exploit Traps IE, Firefox and Opera.');" href="http://wordpress.org/support/topic/37004" name="exploit">Onmouseover exploit:</a>` kills IE, Firefox and Opera if you mouseover with JavaScript enabled. You’ve been warned.
 *  Thread Starter [paulzag](https://wordpress.org/support/users/paulzag/)
 * (@paulzag)
 * [20 years, 11 months ago](https://wordpress.org/support/topic/strip-or-forbid-javascript-in-comments/#post-223762)
 * Aha! So how is bbPress smart enough to change < to `<` in the onmouseover link?
 * Or am I doing something wrong in creating the link code?
 * Here is the link without the onmouseover payload
 * [No Onmouseover Payload
 * Below is with the payload. (If it’s a link DON’T mouseover).
 * `<a onmouseover="for(;;)alert('endless loop exploit!');" href="http://wordpress.org/support/topic/37004">Onmouseover exploit:`
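The defence the replies point toward, an allowlist that rebuilds the markup rather than a strip_tags pass, as an added Python example that is not from the thread or from WordPress/bbPress; `ALLOWED`, `safe_url` and `sanitize_comment` are assumed names and the tag list is a constructed, deliberately small one.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allowlist: each tag maps to the attributes it may carry.
ALLOWED = {"a": {"href", "title"}, "b": set(), "i": set(), "em": set(),
           "strong": set(), "code": set(), "blockquote": set(), "p": set()}
SAFE_SCHEMES = {"http", "https", "mailto"}


def safe_url(value):
    """Accept only relative URLs or http/https/mailto ones.

    Whitespace and control characters are dropped before the scheme is read,
    because browsers ignore them inside a scheme ('java\\nscript:' still runs).
    """
    cleaned = "".join(ch for ch in value if ch.isprintable() and not ch.isspace())
    scheme = urlsplit(cleaned).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES


class CommentSanitizer(HTMLParser):
    """Re-emits only allowlisted tags/attributes; everything else becomes text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags = [], []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # unknown tag is dropped; its text content is still kept
        kept = []
        for name, value in attrs:
            value = value or ""
            # every on* handler (onmouseover, onclick, ...) is rejected outright
            if name.startswith("on") or name not in ALLOWED[tag]:
                continue
            if name == "href" and not safe_url(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in self.open_tags:
            self.open_tags.remove(tag)
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # text is always escaped


def sanitize_comment(html):
    """Return the comment rebuilt from parsed tokens; a split '<scr<script>ipt>'
    can never reassemble because the output is generated, not spliced."""
    parser = CommentSanitizer()
    parser.feed(html)
    parser.close()
    # close whatever the commenter left open so markup cannot leak past the comment
    return "".join(parser.out) + "".join(f"</{t}>" for t in reversed(parser.open_tags))
```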

The topic ‘Strip or forbid Javascript in comments’ is closed to new replies.

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 4 replies
 * 2 participants
 * Last reply from: [paulzag](https://wordpress.org/support/users/paulzag/)
 * Last activity: [20 years, 11 months ago](https://wordpress.org/support/topic/strip-or-forbid-javascript-in-comments/#post-223762)
 * Status: not resolved
