Why is javascript allowed in my post content?

If you have the unfiltered_html capability then you can use JS. Admins and editors have this capability by default.

Personally I use a plugin for fine control of my users’ capabilities, but you can make this change easily in code:

  $role = get_role( 'administrator' );
  $role->remove_cap( 'unfiltered_html' );
  $role = get_role( 'editor' );
  $role->remove_cap( 'unfiltered_html' );

The capabilities are stored in the options db table, so technically you don’t need to execute this repeatedly. Maybe make yourself a small plugin and put this on the activation hook.

Don’t forget that admins could circumvent this by loading their own code and then directly editing the role options. I never let anyone have the admin role unless I’m happy for them to do anything.

Related Posts:

  1. How to add defer=”defer” tag in plugin javascripts?
  2. How to add a custom CSS class to core blocks in Gutenberg editor?
  3. How to pass/get data to/from the WooCommerce data-product_variations object?
  4. Insert Custom HTML After Shortcode
  5. AJAX filter posts on click based on category
  6. Remove left alignment option in core/image block
  7. remove other tabs in new wordpress media gallery
  8. Format content value from DB outside of WordPress filters
  9. How can I filter block registration based on post-type? (Block alignment settings)
  10. Add attribute to script loaded by the theme
  11. When to use add_action when registering/enqueuing scripts
  12. Remove CSS & JS files from WordPress Main Page For Increase Pagespeed?
  13. Where is the content cache when using apply_filters(‘the_content…?
  14. How to filter post content and force every link () made in blocks to return urldecode() with readable value?
  15. upload_files cap to not loggen in users – add_cap to not logged in users
  16. How to display the content HTML of a page without displaying the gallery code as well
  17. Can I override the content array using the_posts filter?
  18. Stripping URLs & Email from post submissions
  19. How do I add tags to entire comments, not just their text
  20. “The editor has encountered an unexpected error” After add defer tag to java script
  21. How to bridge the gap between dynamic back-end data and front-end output?
  22. Add class to all parent elements inside the_content
  23. How would I remove an inline googleAPI font script in the the parent theme header.php?
  24. This code works, but breaks the media uploader. How do I integrate it in a way that won’t?
  25. How to correctly override a filter?
  26. Limit total tags in the_content
  27. WordPress REST API and Backbone JS
  28. Modify Gutenberg blocks quick inserter defaults
  29. Disable emojicons introduced with WP 4.2
  30. How to remove a filter that is an anonymous object?
  31. WordPress hooks/filters insert before content or after title
  32. add_action(), add_filter() before or after function
  33. apply_filters(‘the_content’, $content) vs do_shortcode($content)
  34. How do filters and hooks really work in PHP
  35. Trouble understanding apply_filters()
  36. What is the very earliest action hook you can call?
  37. How would one modify the filtering Gutenberg applies to pasted content?
  38. How can I modify the WordPress default widget output?
  39. Add custom options to the wplink dialog
  40. Remove classes from body_class
  41. what is __return_false in filters
  42. Explanation for apply_filters function and its variables
  43. Gutenberg: Is there a way to know if current block is inside InnerBlocks?
  44. How to reorder billing fields in WooCommerce Checkout template? [closed]
  45. Insert HTML just after tag
  46. the_content and is_main_query
  47. Changing WooCommerce Display Price Based on User Role & Category [closed]
  48. How to show page content in feed?
  49. wp_headers vs send_headers. When to use each?
  50. Filter any HTTP request URI?
  51. How to Pass External Variables to Filters/Actions
  52. How to filter users on admin users page by custom meta field?
  53. Filter by one custom field, order by another?
  54. Not able to change wp_title using add_filter
  55. How to appending to the_content using add_filter with custom post type?
  56. Query WP REST API v2 by multiple meta keys
  57. No filter of code on switch from html to visual editor, how?
  58. Sanitize and data validation with apply_filters() function
  59. How to modify posts_where filter only for the search query
  60. How to hook a filter to catch get_post_meta when alternate a custom field output?
  61. How to get shortcode’s input values inside a filter?
  62. Removing Image and Caption Dimension Attributes
  63. How to wrap oEmbed-embedded video in DIV tags inside the_content?
  64. How to bulk delete all users with no posts?
  65. How many filter/action hooks are healthy?
  66. WordPress 3.9 – Trouble Editing TinyMCE 4.0
  67. Changing JPEG compression depending on image size
  68. How to add filter with 2 args?
  69. How to use update_{$meta_type}_metadata filter to modify meta value
  70. How to wrap an element around an iframe or embed in content automatically?
  71. Filter specific shortcode output?
  72. WordPress Internal @ Mentions
  73. How to add headers to outgoing email?
  74. Earliest hook to reliably get $post/$posts
  75. Insert new element to array with add_filter
  76. LESS CSS enqueue_style with add_filter to change rel attribute
  77. Is it possible to filter comments in a post so a user can only see the comments they have written?
  78. Remove Editor From Homepage
  79. How to modify Contact Form 7 Success/Error Response Output [closed]
  80. Where to hook into post content?
  81. What does (10, 2) mean when used with add_filter
  82. Filter translations (gettext strings) on specific admin pages
  83. Filter username field on registration for profanity and unwanted words
  84. Clarification on filters and hooks
  85. remove_filter( ‘the_content’, ‘wpautop’ ); only for certain post types
  86. At what priority does add_filter overwrite core functions?
  87. Valid characters for actions, hooks and filters
  88. is it possible to add “extra” table nav to edit-tags.php screens?
  89. Advanced Custom Fields and Yoast SEO keyword analysis [closed]
  90. Adding a filter to qTranslate to change display of language chooser
  91. Modify links when inserted by WYSIWYG editor
  92. Is there a way to add another row to the tinyMCE kitchen sink toggle?
  93. How to hook into unregistering a widget instance?
  94. How to check if a hook is hooked or not?
  95. Completely strip any hidden formatting when pasting into TinyMCE
  96. How can I extend the Gutenberg table block transform to allow colspans/rowspans on pasted table elements?
  97. How to add filter to __() and _e()?
  98. Remove description from on Home
  99. Editing ‘Password Reset’ E-mail
  100. Is it possible to use object in add_action?

Leave a Comment

Hata!: SQLSTATE[HY000] [1045] Access denied for user 'divattrend_liink'@'localhost' (using password: YES)