This plugin is extremely convenient but you should change a line of code before using it.
Line 137: remove_all_filters('pre_user_description');
This allows you to use HTML by removing all filters, making it impossible for other plugins to adjust anything and, more importantly, it allows users to run <script> tags. Use this instead:
This removes only the strict HTML filter and replaces it with a less strict version, allowing links, images and markup including divs.
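The targeted swap described above, written out as an added example; this is not the plugin's code and not the snippet the poster had in mind, which is not reproduced on this page. It assumes a stock WordPress install, where core attaches wp_filter_kses (the strict allow-list) to the 'pre_user_description' hook, and it assumes the snippet is dropped into functions.php or a small mu-plugin (or used in place of the plugin's line 137). The function names prefixed example_ are hypothetical.

```php
<?php
/**
 * Swap the strict KSES filter on the user biography for the post-level one.
 *
 * wp_filter_kses()      -> strict allow-list (a, b, em, strong, code, cite ...;
 *                          no img, no div).
 * wp_filter_post_kses() -> 'post' allow-list (adds img, div, span, headings,
 *                          tables ...). Both still strip <script>, <iframe>,
 *                          on* event attributes and javascript: URLs.
 *
 * Unlike remove_all_filters('pre_user_description'), this leaves every other
 * plugin's filter on the hook in place.
 */
function example_relax_user_description_kses() {
    // remove_filter() returns false harmlessly if the strict filter is absent.
    remove_filter( 'pre_user_description', 'wp_filter_kses' );
    add_filter( 'pre_user_description', 'wp_filter_post_kses' );
}
// 'init' runs after default-filters.php and after plugins have loaded, so the
// swap takes effect regardless of when core attached the strict filter.
add_action( 'init', 'example_relax_user_description_kses' );

/**
 * Hypothetical helper for checking the difference: run one bio through both
 * allow-lists explicitly. wp_kses( $data, 'pre_user_description' ) is the
 * strict set core uses for the bio; wp_kses_post() is the 'post' set.
 */
function example_compare_user_bio_filters( $bio ) {
    return array(
        'strict' => wp_kses( $bio, 'pre_user_description' ),
        'post'   => wp_kses_post( $bio ),
    );
}

// Constructed sample input: a link, an image, a div and an injected script.
// Under 'strict' the img and div tags are dropped; under 'post' they survive.
// Under both, the <script> tags are removed (their inner text remains as
// plain text) and the onerror handler is stripped from the img.
$example_bio = '<a href="https://example.com">site</a>'
    . '<div><img src="https://example.com/a.png" onerror="alert(1)"></div>'
    . '<script>alert(document.cookie)</script>';
$example_result = example_compare_user_bio_filters( $example_bio );
```

If the plugin's remove_all_filters() call is left in place, the swap above has to run after it; hooking 'init' covers the usual case where the plugin makes the call at file-load time, but the clean fix is still to replace line 137 rather than paper over it.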
- The topic ‘Works fine, but a security hole.’ is closed to new replies.