Title: Forms & Security
Last modified: August 19, 2016

---

# Forms & Security

 *  [jbeltran](https://wordpress.org/support/users/jbeltran/)
 * (@jbeltran)
 * [17 years ago](https://wordpress.org/support/topic/forms-amp-security/)
 * Hi,
 * I was just wondering, how secure are the WordPress forms (e.g. the comment, search,
   contact forms etc)? I also noticed that WP allows comments to have HTML in them;
   does this pose a security risk? If it does, is there a way I can disable them?
 * Thanks!

Viewing 2 replies - 1 through 2 (of 2 total)

 *  [t31os](https://wordpress.org/support/users/t31os/)
 * (@t31os)
 * [17 years ago](https://wordpress.org/support/topic/forms-amp-security/#post-1079129)
 * Depends what HTML is allowed…
 * Allowed tags are the same as those allowed here in the forums (i think)…
 * Go test it yourself…
 * Try `<script>`, or `<iframe>` … etc..
 * I’ve yet to see any exploits appear as a result of someone allowing bold, em, li,
   ul, etc.. or the like… 🙂 …
 * You only need to remember one thing when it comes to security…
   NEVER TRUST USER INPUT… 🙂
 * That’s typically handled by the PHP side of things … unless of course you allow
   all HTML input…
 *  [asechrest](https://wordpress.org/support/users/asechrest/)
 * (@asechrest)
 * [17 years ago](https://wordpress.org/support/topic/forms-amp-security/#post-1079143)
 * Just checked this out recently after I read a question here on the forums. For
   comments, posts, (and a number of other input forms), WordPress uses the kses
   filter. Google it for some info.
 * To see what HTML is allowed, you can go into wp-includes/kses.php and look at
   the multi-dimensional arrays. There are two of them.
 * The allowable HTML for comments, user description, etc. is very small. The allowable
   HTML for posts is much larger, though still filtered.
 * The filter functions are `wp_filter_kses` and `wp_filter_posts_kses`.
 * You can utilize these functions in plugins, and as t31os advises, never trust
   the user, and never trust that someone couldn’t log on with that user’s account
   and enter code with malicious intent.
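
The filtering approach asechrest describes (kses keeps only tags and attributes on an allowlist and strips everything else) and the `<script>` / `<iframe>` checks t31os suggests, as an added example in Python. This is not WordPress’s kses code and it is deliberately smaller than it; it is a stand-alone illustration of the same allowlist idea, with a constructed comment-sized allowlist (`COMMENT_ALLOWED`), a URL scheme allowlist for `href`/`cite`, and sample inputs that are made up for the test. In WordPress itself the equivalent calls from a plugin are `wp_kses()` with the array returned by `wp_kses_allowed_html()`.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlist in the kses style: tag -> attributes permitted on that tag.
# Constructed for this example; WordPress ships its own, larger, lists.
COMMENT_ALLOWED = {
    "a": {"href", "title"},
    "b": set(), "strong": set(), "em": set(), "i": set(),
    "blockquote": {"cite"}, "code": set(),
    "ul": set(), "ol": set(), "li": set(),
}
ALLOWED_SCHEMES = {"http", "https", "mailto"}
URL_ATTRS = {"href", "src", "cite"}
VOID_TAGS = {"br", "img", "hr"}


def safe_url(value):
    """Accept relative URLs and allowlisted schemes; reject javascript:, data:, etc.
    Control characters and whitespace are removed first so 'jav\\tascript:' is caught."""
    v = "".join(ch for ch in value if ord(ch) > 32).lower()
    scheme = urlparse(v).scheme
    return scheme == "" or scheme in ALLOWED_SCHEMES


class KsesLikeSanitizer(HTMLParser):
    """Rebuilds the input keeping only allowlisted tags/attributes.
    Text inside a dropped tag is kept (escaped); the tag itself is gone."""

    def __init__(self, allowed):
        super().__init__(convert_charrefs=False)
        self.allowed = allowed
        self.out = []
        self.open_stack = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.allowed:
            return  # <script>, <iframe>, <img>, ... never reach the output
        kept = []
        for name, value in attrs:
            if name not in self.allowed[tag]:
                continue  # drops onclick=, onmouseover=, style=, ...
            value = value or ""
            if name in URL_ATTRS and not safe_url(value):
                continue  # allowed attribute, disallowed scheme
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_stack.append(tag)

    def handle_endtag(self, tag):
        if tag in self.allowed and tag in self.open_stack:
            # close anything opened after this tag so the output stays well formed
            while self.open_stack:
                t = self.open_stack.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        pass  # comments are dropped; they carry nothing a commenter needs

    def handle_decl(self, decl):
        pass

    def result(self):
        self.close()
        while self.open_stack:  # close tags the commenter left open
            self.out.append(f"</{self.open_stack.pop()}>")
        return "".join(self.out)


def sanitize_comment(html, allowed=COMMENT_ALLOWED):
    """Filter untrusted comment HTML against the allowlist and return clean HTML."""
    parser = KsesLikeSanitizer(allowed)
    parser.feed(html)
    return parser.result()


if __name__ == "__main__":
    # Constructed samples: the probes t31os suggests plus attribute-level tricks.
    for sample in [
        "<b>bold</b> and <em>em</em>",
        "<script>alert(1)</script>hi",
        '<iframe src="http://evil.example/">x</iframe>',
        '<a href="javascript:alert(1)">click</a>',
        '<A HREF="jav&#x09;ascript:alert(1)">x</A>',
        '<b onmouseover="alert(1)">hover</b>',
        "<b><i>x</b>",
    ]:
        print(repr(sample), "->", repr(sanitize_comment(sample)))
```

The point the thread makes is visible in the output: formatting tags survive, `<script>` and `<iframe>` are removed with only their text left, and an allowed `<a>` still loses an `href` whose scheme is not on the list, even when the scheme is obfuscated with an encoded tab. Attribute-level filtering matters as much as tag-level filtering; a `<b>` with an event handler is as dangerous as a `<script>`.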


The topic ‘Forms & Security’ is closed to new replies.

## Tags

 * [forms](https://wordpress.org/support/topic-tag/forms/)
 * [html](https://wordpress.org/support/topic-tag/html/)

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 2 replies
 * 3 participants
 * Last reply from: [asechrest](https://wordpress.org/support/users/asechrest/)
 * Last activity: [17 years ago](https://wordpress.org/support/topic/forms-amp-security/#post-1079143)
 * Status: not resolved
