Title: XSS protection function
Last modified: September 17, 2017

---

# XSS protection function

 *  Resolved [vincep](https://wordpress.org/support/users/vincep/)
 * (@vincep)
 * [8 years, 8 months ago](https://wordpress.org/support/topic/xss-protection-function/)
 * Hello, thanks for your plugin.
   But I have a question about the XSS protection function,
   and I’m wondering if it can meet my need as well.
 * At my site, when I add a new post from the admin page, I can insert some script
   in the title section. So if I insert `<script>alert("XXX")</script>` in the title
   section, the post is added successfully and an alert window saying “XXX”
   pops up whenever I click the added post. It is a serious problem for operating
   a site, so I’m trying to fix some code or find a plugin.
 * Is it possible to support this issue with your plugin?
   Thanks.

Viewing 1 replies (of 1 total)

 *  Plugin Author [SimonRWaters](https://wordpress.org/support/users/simonrwaters/)
 * (@simonrwaters)
 * [8 years, 8 months ago](https://wordpress.org/support/topic/xss-protection-function/#post-9504081)
 * Hi,
 * WordPress applies different filters to these fields depending on your role.
 * If you are an admin you can definitely insert JavaScript into some fields, but
   then you can also install plugins etc.
 * I believe the capability is `unfiltered_html`, so you could probably remove it
   from a role if it is a problem.
 * [https://codex.wordpress.org/Roles_and_Capabilities#unfiltered_html](https://codex.wordpress.org/Roles_and_Capabilities#unfiltered_html)
 * However, WordPress permissions are carefully thought through, so maybe you are
   assigning people too much power; it may be better to create a new role and assign
   it the permissions you want it to have, and no more.
 * I don’t think this belongs in this plugin. There is a capability editor plugin
   already.
 * Good question, one of our own testers noted this behaviour as curious.

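As an added example (not code from the Security Headers plugin or from anyone in this thread), a hypothetical must-use plugin that applies the suggestion above: it removes `unfiltered_html` from the chosen roles and also denies the capability at check time, so WordPress core's KSES filters sanitise the title and content on save. The role list is an assumption for the example; `DISALLOW_UNFILTERED_HTML` is WordPress's own `wp-config.php` switch for the same result.

```php
<?php
/**
 * Plugin Name: Restrict unfiltered_html (added example)
 *
 * Hypothetical must-use plugin (place in wp-content/mu-plugins/); it is not part
 * of the Security Headers plugin. When a user lacks `unfiltered_html`, WordPress
 * core runs post titles and content through its KSES filters on save, which
 * strips <script> tags before the post reaches the database.
 *
 * Simplest alternative, no plugin needed (add to wp-config.php):
 *   define( 'DISALLOW_UNFILTERED_HTML', true );
 */

// Roles to strip the capability from: an assumption for this example.
// 'administrator' is included because the question concerns an admin account.
const EXAMPLE_ROLES_WITHOUT_UNFILTERED_HTML = array( 'administrator', 'editor', 'author' );

/**
 * Remove `unfiltered_html` from the configured roles. WP_Role::remove_cap()
 * persists the change in the options table, so only call it while the role
 * still has the capability to avoid a database write on every request.
 */
function example_remove_unfiltered_html_from_roles() {
    foreach ( EXAMPLE_ROLES_WITHOUT_UNFILTERED_HTML as $role_name ) {
        $role = get_role( $role_name );
        if ( $role instanceof WP_Role && $role->has_cap( 'unfiltered_html' ) ) {
            $role->remove_cap( 'unfiltered_html' );
        }
    }
}
add_action( 'init', 'example_remove_unfiltered_html_from_roles' );

/**
 * Belt and braces: deny `unfiltered_html` whenever it is checked, even if
 * another plugin grants it to a role or user again later. Returning
 * 'do_not_allow' makes current_user_can( 'unfiltered_html' ) false, and
 * kses_init() then installs the sanitising filters for that user.
 */
function example_deny_unfiltered_html( $caps, $cap, $user_id, $args ) {
    if ( 'unfiltered_html' === $cap ) {
        return array( 'do_not_allow' );
    }
    return $caps;
}
add_filter( 'map_meta_cap', 'example_deny_unfiltered_html', 10, 4 );
```

Posts saved before the change still contain the raw markup; re-save them, or strip the script tags with `wp_kses_post()` on output, to clean up existing content.
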

The topic ‘XSS protection function’ is closed to new replies.

 * 1 reply
 * 2 participants
 * Last reply from: [SimonRWaters](https://wordpress.org/support/users/simonrwaters/)
 * Last activity: [8 years, 8 months ago](https://wordpress.org/support/topic/xss-protection-function/#post-9504081)
 * Status: resolved