• nkalistair (@nkalistair) [Resolved]

    Hi, I’m looking at using this plugin; however, I have noticed that because it removes the wp_kses filters there is no sanitization on the input, which is a potential security risk, as it will allow anyone with enough permissions (whether genuine or not) to insert malicious code into a page.

    Can I suggest therefore that after you remove the filters on lines 105 & 106 you then add appropriate filters to sanitize the html input for a ‘post’ entry?

    I’ve tested it by adding the wp_kses_post filter and this successfully strips script & style tags.
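The following is an added example, not code from this thread or from the plugin itself: a small must-use plugin that re-attaches WordPress core's own post-content KSES filter after another plugin has removed it. It uses only core hook and function names (`content_save_pre`, `excerpt_save_pre`, `wp_filter_post_kses`, the `unfiltered_html` capability); the plugin's own lines 105 & 106 are not shown in the thread, so nothing here references them. The `init`/`set_current_user` priority of 100 and the function name are assumptions.

```php
<?php
/**
 * Plugin Name: Re-attach KSES on post content (added example, not the plugin's code)
 * Description: Puts core's wp_filter_post_kses back on the *_save_pre hooks for
 *              users who lack the unfiltered_html capability, in case another
 *              plugin has removed it. Place in wp-content/mu-plugins/.
 */

// Core runs kses_init() on 'init' and 'set_current_user': it removes its filters
// and re-adds them only for users without unfiltered_html. A plugin that removes
// the filters after that wins, so this runs late (priority 100 is an assumption)
// and restores the same filters core would have installed.
function example_reattach_post_kses() {
    // Core itself leaves these users unfiltered; mirror that rather than override it.
    if ( current_user_can( 'unfiltered_html' ) ) {
        return;
    }

    // wp_filter_post_kses() expects the slashed data passed on *_save_pre hooks
    // (it unslashes, runs wp_kses() with the 'post' allow-list, then re-slashes).
    // Plain wp_kses_post() expects unslashed input, so it is the wrong callback here.
    foreach ( array( 'content_save_pre', 'excerpt_save_pre' ) as $hook ) {
        if ( ! has_filter( $hook, 'wp_filter_post_kses' ) ) {
            add_filter( $hook, 'wp_filter_post_kses' );
        }
    }
}
add_action( 'init', 'example_reattach_post_kses', 100 );
add_action( 'set_current_user', 'example_reattach_post_kses', 100 );
```

To confirm the allow-list behaves as the post above describes, `wp eval 'echo wp_kses_post("<p>ok</p><script>x()</script>");'` prints `<p>ok</p>`: the `script` element is not in the `post` allow-list and is dropped, which is the same stripping the filter applies at save time. Note that on a single-site install administrators hold `unfiltered_html` by default (unless `DISALLOW_UNFILTERED_HTML` is defined), so core never filters their content anyway; the filters matter for every lower role that can edit content.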

Viewing 1 replies (of 1 total)
  • Plugin Author kevin heath (@ypraise)

    Thanks for the input.

    I removed the filters for my needs, which is what the plugin is based on. I needed to open up the description areas to allow me to run scripts etc., which is the point of the plugin.

    The only people who can change the description area are people who have admin permissions. As long as your website is properly secured to prevent hackers from registering as admin then you will have no problems using this plugin.

    The plugin has been around for nearly 10 years and no reports of people hacking into a website through this plugin have been reported.

    As long as your website has normal security in place, then this plugin has no more risk than any other plugin that can be hacked once a hacker has already gained access to your site.

    thanks
    Kevin

  • The topic ‘Plugin allows script tags to be inserted’ is closed to new replies.