Hi Jamie
Thanks for posting this – obviously security is one of our primary concerns.
However, we can’t replicate your findings. Only comments posted by admins can contain script tags; comments posted by any other user role or by users who aren’t logged in would see script tags stripped out.
The Discussion Board plugin uses the default WordPress functionality for comments – it doesn’t modify the comments_template. So we wouldn’t expect to see any difference in comments left on a Discussion Board topic to comments left on a standard post.
By way of showing this, in a vanilla install with no plugins (including Discussion Board), a logged-in admin can add a comment to a standard post that includes a script tag and the tag will not get removed. A user that is not logged in or who has a lesser role would have the tag stripped out.
In the same install with the DB plugin enabled, an admin can post a reply to a topic that includes a script tag and the tag won’t get removed. However, if any other user posts a reply to a topic with a script tag, the script will get removed.
Does this match what you’ve found or, if not, can you provide some more information on what you did? If it’s easier, please contact us via info[at]catapultthemes.com.
Many thanks for taking the time to inform us of this.