Why is javascript allowed in my post content?

If you have the unfiltered_html capability then you can use JS. Admins and editors have this capability by default.

Personally I use a plugin for fine control of my users’ capabilities, but you can make this change easily in code:

  $role = get_role( 'administrator' );
  $role->remove_cap( 'unfiltered_html' );
  $role = get_role( 'editor' );
  $role->remove_cap( 'unfiltered_html' );

The capabilities are stored in the options db table, so technically you don’t need to execute this repeatedly. Maybe make yourself a small plugin and put this on the activation hook.

Don’t forget that admins could circumvent this by loading their own code and then directly editing the role options. I never let anyone have the admin role unless I’m happy for them to do anything.

Related Posts:

  1. How to add defer=”defer” tag in plugin javascripts?
  2. How to add a custom CSS class to core blocks in Gutenberg editor?
  3. How to pass/get data to/from the WooCommerce data-product_variations object?
  4. Insert Custom HTML After Shortcode
  5. AJAX filter posts on click based on category
  6. Remove left alignment option in core/image block
  7. remove other tabs in new wordpress media gallery
  8. Format content value from DB outside of WordPress filters
  9. How can I filter block registration based on post-type? (Block alignment settings)
  10. Add attribute to script loaded by the theme
  11. When to use add_action when registering/enqueuing scripts
  12. Remove CSS & JS files from WordPress Main Page For Increase Pagespeed?
  13. Where is the content cache when using apply_filters(‘the_content…?
  14. How to filter post content and force every link () made in blocks to return urldecode() with readable value?
  15. upload_files cap to not loggen in users – add_cap to not logged in users
  16. How to display the content HTML of a page without displaying the gallery code as well
  17. Can I override the content array using the_posts filter?
  18. Stripping URLs & Email from post submissions
  19. How do I add tags to entire comments, not just their text
  20. “The editor has encountered an unexpected error” After add defer tag to java script
  21. How to bridge the gap between dynamic back-end data and front-end output?
  22. Add class to all parent elements inside the_content
  23. How would I remove an inline googleAPI font script in the the parent theme header.php?
  24. This code works, but breaks the media uploader. How do I integrate it in a way that won’t?
  25. How to correctly override a filter?
  26. Limit total tags in the_content
  27. How to remove a filter that is an anonymous object?
  28. How do filters and hooks really work in PHP
  29. Trouble understanding apply_filters()
  30. How would one modify the filtering Gutenberg applies to pasted content?
  31. No filter of code on switch from html to visual editor, how?
  32. How to modify posts_where filter only for the search query
  33. How to wrap oEmbed-embedded video in DIV tags inside the_content?
  34. How to add filter with 2 args?
  35. is it possible to add “extra” table nav to edit-tags.php screens?
  36. How to apply the “retrieve_password_message” filter?
  37. wp_mail – Remove sitename from email subject
  38. How to change/rewrite the lost password url?
  39. add_filter multiple times with different addon functions?
  40. WP Rest API – Upload media without saving attachment post
  41. Using variable from one filter in another filter
  42. add class to term_description
  43. How can I find out what an `apply_filter` call is actually doing?
  44. How to apply content filter permanently?
  45. Customize the “Registration complete. Please check your e-mail.” message on WP 4.0
  46. posts_groupby problem
  47. Remove classes from post_class()
  48. Replace a part of url generated by get_term_link
  49. Error when overriding only some audio shortcode HTML output
  50. Run oembed separately outside the_content()
  51. Hook Into the_content Filter For JSON API Only [closed]
  52. How to call a function or method that is Namespaced using another plugin
  53. apply_filters(‘the_content’) – make it ignore shortcodes?
  54. Replace a word with a word in the URL string
  55. Remove style `?ver=` from `/wp-admin/upgrade.php`
  56. theme_page_templates not working
  57. Filter custom post type using multiple taxonomy dropdowns
  58. Add new post with predefined / preset date
  59. Remove Actions added by SEO ultimate Plugin
  60. Building a request processor for multi-page forms, etc using $_GET requests
  61. Replace audio links with jplayer using the_content filter
  62. Sorting a specific taxonomy by archive date using URL
  63. Modify Redux Framework Options in Child Theme
  64. Contact Form 7 Custom Validation Doesn’t Get Called [closed]
  65. How to filter bbPress replies (content)?
  66. Trimming a custom field to a length
  67. How to add a filter to the get_body_class function?
  68. How to hide/remove GhostKit component panel in gutenberg block inspector
  69. Change user nicename without sanitize
  70. when use function the_content break
  71. Filter page title (displayed in browser tab) of wp-login
  72. Adding html banner to posts
  73. How can I get the default content of WordPress post?
  74. How do I hide tinymce within the edit screen of a particular page
  75. What would cause the gettext filter to not work for a given text domain?
  76. How does wordpress add ‘style’ attribute to element
  77. How do I safely force get_theme_mod() to use a defined get_option(“stylesheet”) value?
  78. Shortcode / plugin with custom (flexible) output
  79. Filter “Your latest posts”
  80. Is it better to use a constant or apply_filter?
  81. Hooked into wp_get_attachment_caption to add content to the default description; not working for jetpack slideshow. Why?
  82. Removing menus from users other than the administrator
  83. Remove image of srcset
  84. Add option to query string before get_posts() is called on archive.php
  85. Modify wp headers on specific page
  86. How can I add a prefix to titles displayed in sidebar using function.php?
  87. How to make the show as a button?
  88. List all image sizes still getting disabled sizes
  89. Why this remove empty paragraphs from the_content does not works?
  90. Take filter from multiple functions
  91. What problems could happen if I replaced add_filter and add_action with the function calling
  92. WP REST API v2. filters doesn’t work
  93. Adding to an array & passing it through do_action/apply_filters
  94. Custom excerpt_more filter not working when tag is present
  95. Taxonomy search filters
  96. NextGEN Gallery: Adding drop-down menu widget to gallery view without modifying plugin code [closed]
  97. Modify the third (context) parameter in a filter?
  98. WordPress wp_lazy_loading_enabled returns loading attribute set to lazy
  99. Deregister Custom the_title Filter for edit_post_link
  100. Is it possible to dynamically change the “page_for_posts” option?

Leave a Comment

error code: 523