• Resolved antonv

    (@antonv)


    Contact form 7 has a no-nonsense security policy and strips all html tags.

    This plugin passes all html tags to the post, including post title

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author Aurovrata Venet

    (@aurovrata)

    This plugin passes all html tags to the post, including post title

    what’s wrong with HTML tags? It’s javascript you want to be careful about, and HTML attributes that can potentially cause cross-site exploits… however, given that form design is done by the site admin or editor, I don’t see the problem there either. If you don’t trust your editors then simply don’t allow them form edit rights!

    Thread Starter antonv

    (@antonv)

    what’s wrong with HTML tags? … I don’t see the problem there either. If you don’t trust your editors then simply don’t allow them form edit rights!

    I beg to differ, what would stop a malicious <script>bad js code</script>, included by a user when filling out the form, executing when you later view the post?

    But, thanks to your ample provisions for hooks, I now use the WordPress wp_kses function as part of the validation process.

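One way to do what antonv describes, as an added example that is neither the plugin's code nor antonv's: it hooks WordPress core's wp_insert_post_data filter (assumed here, since the thread does not name the plugin's own hook) and the post type slug cf7_submission is hypothetical.

```php
<?php
/**
 * Added example: run wp_kses over form-submitted data before it becomes a post.
 * Assumptions: the core wp_insert_post_data filter is used because the plugin's
 * own hook is not named in the thread; 'cf7_submission' is a hypothetical slug.
 */
add_filter( 'wp_insert_post_data', 'example_kses_form_post', 10, 2 );

function example_kses_form_post( $data, $postarr ) {
    // Only touch the post type the form feeds; leave other posts alone.
    if ( 'cf7_submission' !== $data['post_type'] ) {
        return $data;
    }

    // wp_insert_post_data receives slashed values; unslash before filtering.
    $title   = wp_unslash( $data['post_title'] );
    $content = wp_unslash( $data['post_content'] );

    // A title should never carry markup: an empty allow-list strips every tag,
    // so "<script>bad js code</script>" becomes "bad js code".
    $title = wp_kses( $title, array() );

    // The body keeps the tag/attribute set WordPress allows in post content
    // (wp_kses_allowed_html('post')): <script> and on* handlers are dropped,
    // javascript: URLs in href/src are stripped.
    $content = wp_kses_post( $content );

    // Re-slash so the rest of wp_insert_post() sees the format it expects.
    $data['post_title']   = wp_slash( $title );
    $data['post_content'] = wp_slash( $content );

    return $data;
}
```

Because the filter runs inside wp_insert_post(), it applies whether the post is created by the form plugin or by any other code path, which is the safety net a per-form validation hook alone does not give.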
    Plugin Author Aurovrata Venet

    (@aurovrata)

    I beg to differ, what would stop a malicious <script>bad js code</script>, included by a user when filling out the form, executing when you later view the post?

    but you’re referring to front-end forms. Front-end forms are still handled by the CF7 plugin, the Smart Grid only impacts HTML on the back-end at the design stage. So such malicious code would need to be inserted by one of your editors/administrators… not some random users.

    But, thanks to your ample provisions for hooks, I now use the WordPress wp_kses function as part of the validation process.

    great, glad you found them.

  • The topic ‘HTML tags not stripped’ is closed to new replies.