
Why are some users allowed to post unfiltered HTML?



Users with Administrator or Editor privileges are allowed to publish unfiltered HTML in post titles and content. WordPress is, after all, a publishing tool, and people need to be able to include whatever markup they need to communicate. Users with lesser privileges are not allowed to post unfiltered content. If you are running security tests against WordPress, use a lesser privileged user so that all content is filtered. If you are concerned about an Administrator putting XSS into content and stealing cookies, note that all cookies are marked for HTTP only delivery and are divided into privileged cookies used for admin pages and unprivileged cookies used for public facing pages. Content is never displayed unfiltered in the admin. Regardless, an Administrator has wide-ranging super powers among which unfiltered HTML is a lesser one. In WordPress multisite, only super administrators can publish unfiltered HTML, as all other users are considered untrusted. To disable unfiltered HTML for a
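The answer above describes a capability gate: trusted roles get their markup stored verbatim, everyone else goes through an allowlist filter, and on multisite only super admins are trusted. The script below is an added illustration of that gate, not WordPress code. Its allowlist is a deliberately tiny stand-in for the much larger one behind `wp_kses_post()`, the role table is a constructed approximation of default single-site roles, and the `disallow_unfiltered` flag models the effect of the real `DISALLOW_UNFILTERED_HTML` wp-config.php constant, which denies the capability even to super admins. It is useful for seeing, before you test against a real site, what a "lesser privileged user" payload looks like after filtering.

```python
"""Model of WordPress's unfiltered_html gate (added example, not WP code)."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed approximation of which default single-site roles carry unfiltered_html.
UNFILTERED_ROLES = {"administrator", "editor"}

# Toy allowlist standing in for wp_kses_post(): tag -> permitted attributes.
# Event handlers (on*), style, and unknown tags are never on the list.
ALLOWED = {
    "p": set(), "strong": set(), "em": set(), "br": set(),
    "a": {"href", "title"}, "img": {"src", "alt"},
}
VOID_TAGS = {"br", "img"}
SAFE_SCHEMES = {"", "http", "https", "mailto"}  # "" = relative URL


def safe_url(url: str) -> bool:
    """Reject javascript:, data: and other non-allowlisted URL schemes."""
    return urlsplit(url.strip()).scheme in SAFE_SCHEMES


class AllowlistFilter(HTMLParser):
    """Keeps only allowlisted tags/attributes; text inside dropped tags survives."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # drop the tag itself, like kses does with <script>, <b>, ...
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag]:
                continue  # e.g. onerror="..." on <img>
            if name in ("href", "src") and not safe_url(value or ""):
                continue  # e.g. href="javascript:..."
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <br/> must not become <br></br>

    def handle_endtag(self, tag):
        if tag in ALLOWED and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # re-escape any text content


def sanitize(fragment: str) -> str:
    """What a non-trusted user's post body becomes after filtering (model)."""
    parser = AllowlistFilter()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


def can_unfiltered_html(role: str, is_super_admin: bool = False,
                        multisite: bool = False,
                        disallow_unfiltered: bool = False) -> bool:
    """Model of the unfiltered_html decision described in the answer."""
    if disallow_unfiltered:      # DISALLOW_UNFILTERED_HTML: nobody, not even super admins
        return False
    if multisite:                # multisite: only super admins are trusted
        return is_super_admin
    return role in UNFILTERED_ROLES


def publish(content: str, role: str, **ctx) -> str:
    """Store raw markup for trusted users, filtered markup for everyone else."""
    return content if can_unfiltered_html(role, **ctx) else sanitize(content)


if __name__ == "__main__":
    # Constructed test payloads, the kind a pentester would submit as a low-privilege user.
    payloads = [
        '<img src="x" onerror="alert(1)">',
        '<a href="javascript:alert(1)">click</a>',
        '<script>alert(document.cookie)</script>',
    ]
    for p in payloads:
        print(f"author     : {publish(p, 'author')}")
        print(f"editor     : {publish(p, 'editor')}")
        print(f"ms admin   : {publish(p, 'administrator', multisite=True)}")
```

Run it and compare the three lines per payload: the Author's version loses the handler attribute, the `javascript:` URL, and the `<script>` wrapper (the text inside is kept, but escaped), the Editor's version is stored untouched, and a site Administrator on multisite is filtered exactly like the Author because the capability is only granted to super admins there.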
