Why is javascript allowed in my post content?

If you have the unfiltered_html capability then you can use JS. Admins and editors have this capability by default.

Personally I use a plugin for fine control of my users’ capabilities, but you can make this change easily in code:

  // Strip the capability from the built-in roles; get_role() returns null if a role is missing.
  foreach ( array( 'administrator', 'editor' ) as $role_name ) {
      $role = get_role( $role_name );
      if ( $role ) {
          $role->remove_cap( 'unfiltered_html' ); // change is persisted in the options table
      }
  }

The capabilities are stored in the options db table, so technically you don’t need to execute this repeatedly. Maybe make yourself a small plugin and put this on the activation hook.

Don’t forget that admins could circumvent this by loading their own code and then directly editing the role options. I never let anyone have the admin role unless I’m happy for them to do anything.
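The "small plugin on the activation hook" suggested above, written out as an added example (not the answerer's code); the plugin and function names are assumptions, and the roles list is the one from the answer:

```php
<?php
/**
 * Plugin Name: Strip unfiltered_html
 * Description: Removes the unfiltered_html capability from administrator and editor on activation.
 */

// Roles whose users should no longer be able to post raw HTML/JS (assumed list, from the answer).
const STRIP_UNFILTERED_HTML_ROLES = array( 'administrator', 'editor' );

// Runs once, when the plugin is activated; the change lands in the wp_options
// role data, so it does not need to run on every request.
function strip_unfiltered_html_activate() {
    foreach ( STRIP_UNFILTERED_HTML_ROLES as $role_name ) {
        $role = get_role( $role_name );
        // get_role() returns null when the role does not exist on this site.
        if ( $role instanceof WP_Role && $role->has_cap( 'unfiltered_html' ) ) {
            $role->remove_cap( 'unfiltered_html' );
        }
    }
}
register_activation_hook( __FILE__, 'strip_unfiltered_html_activate' );

// Defence in depth: deny the capability on every request, even if someone
// re-adds it to the stored role. Returning 'do_not_allow' from map_meta_cap
// is a hard deny. An administrator can still deactivate this plugin, so this
// only raises the bar; it does not replace trusting your admins.
function strip_unfiltered_html_deny( $caps, $cap ) {
    if ( 'unfiltered_html' === $cap ) {
        return array( 'do_not_allow' );
    }
    return $caps;
}
add_filter( 'map_meta_cap', 'strip_unfiltered_html_deny', 10, 2 );
```

WordPress also ships a built-in switch for the same thing: `define( 'DISALLOW_UNFILTERED_HTML', true );` in wp-config.php denies the capability for every user, and since it lives outside the database it is out of reach of an admin editing role options from the dashboard.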
