Why is javascript allowed in my post content?

If you have the unfiltered_html capability then you can use JS. Admins and editors have this capability by default.

Personally I use a plugin for fine control of my users’ capabilities, but you can make this change easily in code:

  $role = get_role( 'administrator' );
  $role->remove_cap( 'unfiltered_html' );
  $role = get_role( 'editor' );
  $role->remove_cap( 'unfiltered_html' );

The capabilities are stored in the options db table, so technically you don’t need to execute this repeatedly. Maybe make yourself a small plugin and put this on the activation hook.

Don’t forget that admins could circumvent this by loading their own code and then directly editing the role options. I never let anyone have the admin role unless I’m happy for them to do anything.

Related Posts:

  1. How to add defer=”defer” tag in plugin javascripts?
  2. How to add a custom CSS class to core blocks in Gutenberg editor?
  3. How to pass/get data to/from the WooCommerce data-product_variations object?
  4. Insert Custom HTML After Shortcode
  5. AJAX filter posts on click based on category
  6. Remove left alignment option in core/image block
  7. remove other tabs in new wordpress media gallery
  8. Format content value from DB outside of WordPress filters
  9. How can I filter block registration based on post-type? (Block alignment settings)
  10. Add attribute to script loaded by the theme
  11. When to use add_action when registering/enqueuing scripts
  12. Remove CSS & JS files from WordPress Main Page For Increase Pagespeed?
  13. Where is the content cache when using apply_filters(‘the_content…?
  14. How to filter post content and force every link () made in blocks to return urldecode() with readable value?
  15. upload_files cap to not loggen in users – add_cap to not logged in users
  16. How to display the content HTML of a page without displaying the gallery code as well
  17. Can I override the content array using the_posts filter?
  18. Stripping URLs & Email from post submissions
  19. How do I add tags to entire comments, not just their text
  20. “The editor has encountered an unexpected error” After add defer tag to java script
  21. How to bridge the gap between dynamic back-end data and front-end output?
  22. Add class to all parent elements inside the_content
  23. How would I remove an inline googleAPI font script in the the parent theme header.php?
  24. This code works, but breaks the media uploader. How do I integrate it in a way that won’t?
  25. How to correctly override a filter?
  26. Limit total tags in the_content
  27. Why doesn’t remove_action work in my plugin?
  28. Using a filter to modify Genesis wp_nav_menu
  29. How to wrap all titles generated by Gutenberg “Heading” block with tag
  30. Upload restrictions – upload_mimes – filter: Adding multiple MIMEs for a single extension and adding multiple extensions for a single MIME type?
  31. Filters on Login Page
  32. How can I change the email that is inside the default email texts of wordpress?
  33. the_excerpt filter doesn’t work as expected
  34. How to filter link?
  35. Conditional does not work with add_filter
  36. What is the earliest hook to modify post content?
  37. How to modify only part of a function through the filter
  38. Modify message displayed on post save
  39. Something is filtering my shortcodes… Can’t figure out what
  40. How can I apply filters in my class that extends Walker_Nav_Menu?
  41. Pass debug_backtrace() in WordPress filter
  42. How should I be using filters and is_single together?
  43. Remove actions/filters that are set with create_function()
  44. How to edit embed filter for youtube video to allow responsive full width layout
  45. Remove get_template_part() from custom theme
  46. How to access page variable inside action hook
  47. Use has_filter on comment_post
  48. Shorten the title length
  49. Problem with Class, Filters and Callbacks
  50. Renaming wordpress login and get new password button
  51. Hook in a sidebar widget and add some markup
  52. preg_match() not working with post content
  53. Search a title word through query_posts (not the exact match)
  54. Parse a shortcode differently based on on what it’s nested in
  55. return get_the_tag_list with whitespace removed
  56. Elementor Image Hover + Filter Grid [closed]
  57. How to redirect template_directory to subdomain relativ url?
  58. ‘manage_users_custom_column’ is a filter, but ‘manage_posts_custom_column’ is an action. Why?
  59. comment_notification_text filter not working
  60. Line Breaks are stripped off when direction property is found
  61. Scanning for custom embed and prefetching
  62. Modify author url display in edit-comments.php
  63. WordPress remove_filter not working
  64. How to exclude or include categories in wp rest API without query parameters?
  65. Remove and replace woocommerce add to cart button [closed]
  66. add_filter( ‘the_title’ gets through this if statement twice
  67. Changing the category for existing Gutenberg blocks
  68. Filter Post Title without affecting screen-reader-text
  69. Hook to change the site URL
  70. Replace a specific URL on all apperances on the Website (Maybe a filter?)
  71. Modify WordPress Page Title ()
  72. How to add lazy field in content endpoint using Gutenberg blocks
  73. Strange behaviour of REGEX in a WordPress filter (trying to suppress emtpy paragraphs)
  74. Modify Contextual Help
  75. how to use apply filter for Class?
  76. How can I see exactly what arguments are being passed through a filter so that I may modify them?
  77. Widget image reorganize layout
  78. WordPress set featured image to first image of the post
  79. Modify WordPress search behaviour in backend?
  80. Re-order search results with posts_orderby filter and post meta value
  81. Set Microsoft Word links to open in new window/tab
  82. WordPress get_avatar filter to match logins
  83. Modify category listing API response
  84. Auto-generated excerpt with shortcode and read more button/text link
  85. ‘the_content’ Filter delivers empty string with lengh (608)
  86. Testing requested query in pre_get_posts
  87. Output dynamic_sidebar_params in wp_head
  88. How to sort posts according to meta value?
  89. Converting restricted html in comments to bbcode
  90. What is the proper/best way to have multiple add_filter for wp-job-manager-resume
  91. Modify WooCommerce email shipping text value
  92. How do I add a class to all sidebars to let a Google Custom Search Engine know not to index the content?
  93. How to replace all images in all posts and pages with a different size?
  94. Using Filters To Change Page Title
  95. How to add a class to Buddypress avatars in the Activity stream? [closed]
  96. using posts_where for meta data on pre_get_posts
  97. can’t output gray scaled image I’ve created using add_image_size
  98. remove_filter excerpt_more from a plugin class
  99. How properly write function to filter content in a template for plugin “multiple content blocks”
  100. ACF Load Field Groups Programmatically [closed]

Leave a Comment