After thinking about this a little bit, I guess that the proper way to ensure that your comments are properly escaped, is by doing something like this:
$the_comment = get_comment_text();
echo '<p>' . esc_html($the_comment) . '</p>';
Instead of simply using the function like this:
comment_text();
Why even have these handy functions in the first place, if they aren’t properly escaped? The comment_author(); function IS, yet this is not for some reason?
Perhaps I am missing something?
I was missing something: the unfiltered_html capability given to the admin role, extends to comments. Read more here: https://wordpress.org/support/article/roles-and-capabilities/#unfiltered_html
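The contrast in the question (output from comment_text() style versus esc_html( get_comment_text() )) and the answer's point that an unfiltered_html user's comment body may be stored with live markup can be seen in plain PHP. The block below is an added example, not code from the question, the answer or WordPress itself; it runs with `php example.php` without WordPress, approximating esc_html() with htmlspecialchars(), and the function names and comment samples are constructed for illustration.

```php
<?php
// Added example (not from the original question or answer). Plain PHP, no
// WordPress required. esc_comment_html() approximates esc_html(): the real
// function wraps _wp_specialchars() with ENT_QUOTES and avoids double-encoding.
declare(strict_types=1);

/**
 * Approximate WordPress esc_html(): encode <, >, &, " and ' so the comment
 * body is rendered as text and never parsed as markup. Assumes UTF-8 content.
 */
function esc_comment_html(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', false);
}

/**
 * Render one stored comment body both ways the question contrasts:
 *   'raw'     -> the body echoed as stored (what you get when the author had
 *                unfiltered_html and the stored text still contains markup),
 *   'escaped' -> the esc_html( get_comment_text() ) pattern.
 */
function render_comment(string $stored_body): array
{
    return [
        'raw'     => '<p>' . $stored_body . '</p>',
        'escaped' => '<p>' . esc_comment_html($stored_body) . '</p>',
    ];
}

/**
 * Output check a template author can run in a test: does the rendered
 * fragment still contain a tag other than the <p> wrapper we added?
 */
function contains_live_tag(string $html): bool
{
    $inner = preg_replace('#^<p>(.*)</p>$#s', '$1', $html);
    return (bool) preg_match('#<[a-zA-Z/!]#', $inner);
}

// Constructed sample comment bodies (not real site data). The second one is
// what an unfiltered_html user could leave stored verbatim.
$samples = [
    'plain'  => 'Thanks, this fixed my theme.',
    'markup' => 'Nice post, <b>really</b> <script>alert(1)</script>',
];

foreach ($samples as $label => $body) {
    $out = render_comment($body);
    foreach (['raw', 'escaped'] as $mode) {
        printf(
            "%-6s %-7s live-tag=%-5s %s\n",
            $label,
            $mode,
            var_export(contains_live_tag($out[$mode]), true),
            $out[$mode]
        );
    }
}
```

For the 'markup' sample the raw rendering reports a live tag and the escaped one does not; for the 'plain' sample neither does. Note what the esc_html pattern costs: it turns every tag into text, including the `<b>` that WordPress's comment allowlist would otherwise have kept for a non-unfiltered_html commenter, so a theme that wants to keep that formatting while still distrusting stored markup would use the kses allowlist on output (wp_kses with the comment allowed tags) rather than esc_html; either way, escaping or filtering at output time is what removes the dependency on who saved the comment.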