Support » Plugin: Visual Editor Biography » Works fine, but a security hole.

  • JMRC

    (@jmrc)


    This plugin is extremely convenient but you should change a line of code before using it.

    File: visual-editor-biography.php
    Line 137: remove_all_filters('pre_user_description');

    This allows you to use HTML by removing all filters, making it impossible for other plugins to adjust anything and, more important, allowing users to run <script> tags. Use this instead:

    remove_filter('pre_user_description', 'wp_filter_kses');
    add_filter('pre_user_description', 'wp_filter_post_kses');

    This removes only the strict HTML filter and replaces it with a less strict version, allowing links, images and markup including divs.
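
    The same fix packaged as a must-use plugin, as an added example that is not part of the Visual Editor Biography plugin or of the post above. Putting it in wp-content/mu-plugins/ means the replacement survives plugin updates that would overwrite an edited visual-editor-biography.php. It assumes the plugin calls remove_all_filters() while it is being loaded, i.e. before the 'init' action fires; the function names veb_description_filter_ok() and veb_demo_sanitize() and the sample biography are constructed for this example.

```php
<?php
/**
 * Plugin Name: Re-apply kses to user descriptions
 * Description: Added example, not part of the Visual Editor Biography plugin.
 *
 * Save as wp-content/mu-plugins/reapply-description-kses.php.
 * Assumption: the plugin removes the pre_user_description filters at load
 * time, so an 'init' hook with the lowest priority runs after it. If the
 * plugin removes them later, move this to a later action.
 */

add_action( 'init', function () {
    // State left by remove_all_filters('pre_user_description'): nothing
    // sanitizes the description, so <script> is stored and later output.

    // Drop the strict default sanitizer (small allow-list: a, b, em, strong, ...
    // but no div or img) in case anything re-attached it.
    remove_filter( 'pre_user_description', 'wp_filter_kses' );

    // Attach the 'post' kses profile instead: the same allow-list used for post
    // content, so links, images and divs survive while <script> tags and
    // event-handler attributes such as onerror= are stripped.
    if ( false === has_filter( 'pre_user_description', 'wp_filter_post_kses' ) ) {
        add_filter( 'pre_user_description', 'wp_filter_post_kses' );
    }
}, PHP_INT_MAX );

/**
 * Check that the filter chain is in the expected state. Run it after 'init',
 * e.g. from WP-CLI:  wp eval 'var_dump( veb_description_filter_ok() );'
 * has_filter() returns the priority (an int) or false.
 */
function veb_description_filter_ok() {
    return false !== has_filter( 'pre_user_description', 'wp_filter_post_kses' )
        && false === has_filter( 'pre_user_description', 'wp_filter_kses' );
}

/**
 * Show what the 'post' profile does to a hostile biography. wp_kses_post()
 * applies the same allow-list as wp_filter_post_kses(), minus the slash
 * handling the pre_ filter needs for form-submitted data.
 */
function veb_demo_sanitize() {
    // Constructed sample input for this example.
    $bio = '<div class="bio"><a href="https://example.com">site</a>'
         . '<img src="https://example.com/me.png" alt="me" onerror="alert(1)">'
         . '<script>alert(document.cookie)</script></div>';

    // The div, link and img are kept, onerror= and the <script> tags are removed.
    return wp_kses_post( $bio );
}
```

    One caveat: WordPress core removes these pre_user_description filters for users who hold the unfiltered_html capability (kses_init on 'init' and 'set_current_user'); the hook above runs after that and re-attaches wp_filter_post_kses for everyone, so administrators lose the exemption they would otherwise have. If that matters on your site, wrap the add_filter() call in a current_user_can( 'unfiltered_html' ) check.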

  • The topic ‘Works fine, but a security hole.’ is closed to new replies.