Support » Plugin: Security Headers » XSS protection function

  • Resolved vincep

    (@vincep)


    Hello, thanks for your plugin.
    But I have a question about XSS protection function, and I’m wondering if it can meet my need as well.

At my site, when I add a new post from the admin page, I can insert a script in the title section. So if I insert <script>alert("XXX")</script> in the title section, the post is added successfully and an alert window saying "XXX" pops up whenever I click the added post. It is a serious problem for operating a site, so I'm trying to fix some code or find a plugin.

    Is it possible to support this issue with your plugin?
    Thanks.

Viewing 1 replies (of 1 total)
  • Plugin Author SimonRWaters

    (@simonrwaters)

    Hi,

    WordPress applies different filters to these fields depending on your role.

    If you are an admin you can definitely insert JavaScript into some fields, but then you can also install plugins etc.

I believe the capability is unfiltered_html, so you could probably remove it from a role if it is a problem.

    https://codex.wordpress.org/Roles_and_Capabilities#unfiltered_html

However, WordPress permissions are carefully thought through, so maybe you are assigning people too much power; it may be better to create a new role and assign it the permissions you want it to have, and no more.

I don't think this belongs in this plugin. There is a capability editor plugin already.

Good question; one of our own testers noted this behaviour as curious.

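The two options the reply describes (stripping unfiltered_html from an existing role, or registering a new role that never gets it) as an added example in the form of a small must-use plugin. This is not code from the Security Headers plugin or from either poster; the file header, the `example_` function names and the `safe_editor` role slug are assumptions, while get_role(), add_role(), remove_cap(), wp_kses_post() and the admin_init/init hooks are standard WordPress APIs.

```php
<?php
/**
 * Plugin Name: Example: restrict unfiltered_html
 * Description: Added example, not part of the Security Headers plugin. Drop it
 * into wp-content/mu-plugins/ so it loads on every request. The example_
 * function names and the safe_editor role slug are assumptions.
 */

// Option 1: remove unfiltered_html from the built-in Editor role.
// Roles are persisted in the wp_user_roles option, so this is a one-off
// change; the has_cap() guard keeps it idempotent on admin_init.
function example_strip_unfiltered_html_from_editor() {
    $editor = get_role( 'editor' );
    if ( $editor && $editor->has_cap( 'unfiltered_html' ) ) {
        $editor->remove_cap( 'unfiltered_html' );
    }
}
add_action( 'admin_init', 'example_strip_unfiltered_html_from_editor' );

// Option 2 (the "new role" suggestion): clone Editor's capabilities, drop
// unfiltered_html, and register the result as a separate role. Users moved
// to this role keep editing/publishing rights but lose raw HTML.
function example_register_safe_editor_role() {
    if ( get_role( 'safe_editor' ) ) {
        return; // already registered on an earlier request
    }
    $editor = get_role( 'editor' );
    $caps   = $editor ? $editor->capabilities : array( 'read' => true );
    unset( $caps['unfiltered_html'] );
    add_role( 'safe_editor', 'Editor (filtered HTML)', $caps );
}
add_action( 'init', 'example_register_safe_editor_role' );

// What WordPress does to the title once the capability is gone: kses_init()
// hooks wp_filter_kses onto title_save_pre for users without unfiltered_html,
// and <script> is not on the allow-list, so the tag is removed on save.
// wp_kses_post() applies the post-content allow-list and lets you see the
// effect on a string without going through the editor.
function example_title_after_kses( $title ) {
    return wp_kses_post( $title );
}
```

Feeding the title from the question, `<script>alert("XXX")</script>`, to example_title_after_kses() returns the text with the script tags stripped and only the inner text left, which is the same treatment the save path gives a user who lacks the capability. To confirm which roles currently hold the capability on a site, `wp cap list editor` shows a role's capabilities and `wp cap remove editor unfiltered_html` is the WP-CLI equivalent of option 1. If raw HTML should be off for everyone including administrators, `define( 'DISALLOW_UNFILTERED_HTML', true );` in wp-config.php makes map_meta_cap() deny unfiltered_html site-wide, which is simpler than editing roles.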