Stripping tags

@johndeebdd I sometimes added a few javascript snippets as well directly into to the editor as well but you shouldn’t. It’s not a good practice. 🫣

The plugin has recently been reported and flagged as a security risk recently :
https://wpscan.com/vulnerability/3828b320-9f7b-4a2a-a6b0-200b023d602c/
So I added WordPress HTML sanitizing filters to the output. Everything’s good now. 🥳

If you work alone or only with people you trust, it’s almost ok. But if you are using community plugins to run a forum for example, a malintended user could easily try posting malicious code to steal information or just to hack into your website. It’s not that simple and that easy, running javascript code is not enough, let’s say XSS attacks is the first step to open the doors for more solutions to break in. 😶‍🌫️

If you need more flexibility, thanks to a child theme or plugins like Code Snippet, you can use this kind of snippet with a specific filter to allow the use of javascript – at your own risk 😉

add_filter( 'wp_kses_allowed_html', function( $tags, $context ) {
	if ( 'post' === $context ) {
		$tags[ 'script' ] = [ 'src'  => false, 'type' => true ];
		# $tags[ 'script' ] = array() to allow anything like external scripts as well 
	}
	return $tags;
}, 10, 2 );

Please use it carefully and tell me if that works for you. 🤲

• This reply was modified 8 months, 2 weeks ago by Jan Dembowski.
• This reply was modified 8 months, 2 weeks ago by Pierre-Henri Lavigne.