• Hi,

    I was just wondering, how secure are the WordPress forms (e.g. the comment, search, contact forms etc)? I also noticed that WP allows comments to have HTML in them – does this pose as a security risk? If it does, is there a way I can disable them?

    Thanks!

Viewing 2 replies - 1 through 2 (of 2 total)
  • Depends on what HTML is allowed…

    Allowed tags are the same as those allowed here in the forums (i think)…

    Go test it yourself…

    Try <script>, or <iframe> … etc..

    I’m yet to see any exploits appear as a result of someone allowing bold, em, li, ul, etc., or the like…

    You only need to remember one thing when it comes to security…
    NEVER TRUST USER INPUT…

    That’s typically handled by the PHP side of things … unless of course you allow all HTML input…

    Just checked this out recently after I read a question here on the forums. For comments, posts, (and a number of other input forms), WordPress uses the kses filter. Google it for some info.

    To see what HTML is allowed, you can go into wp-includes/kses.php and look at the multi-dimensional arrays. There are two of them.

    The allowable HTML for comments, user description, etc. is very small. The allowable HTML for posts is much larger, though still filtered.

    The filter functions are wp_filter_kses and wp_filter_posts_kses.

    You can utilize these functions in plugins, and as t31os advises, never trust the user, and never trust that someone couldn’t log on with that user’s account and enter code with malicious intent.
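    As an added illustration of the advice above (this is example plugin code, not from this thread or WordPress core), the snippet below hooks the same kses mechanism to narrow the HTML allowed in comments to a small allowlist, or to disable comment HTML entirely; the `example_` function names are made up for the example.

    ```php
    <?php
    /*
    Plugin Name: Strict Comment HTML (example)
    Description: Narrows the HTML allowed in comments using WordPress's kses filter.
    */

    // Allowlist of tags and attributes for comments. Anything not listed
    // (script, iframe, style, on* event attributes...) is removed by wp_kses();
    // the tags are stripped, any plain text between them is kept as text.
    function example_strict_comment_allowed_html() {
        return array(
            'b'      => array(),
            'strong' => array(),
            'em'     => array(),
            'i'      => array(),
            'ul'     => array(),
            'ol'     => array(),
            'li'     => array(),
            'a'      => array( 'href' => true, 'title' => true, 'rel' => true ),
        );
    }

    // Run wp_kses() with the allowlist above. The third argument restricts the
    // URL schemes accepted in href, so javascript: links are dropped as well.
    function example_strict_comment_filter( $content ) {
        return wp_kses(
            $content,
            example_strict_comment_allowed_html(),
            array( 'http', 'https', 'mailto' )
        );
    }

    // pre_comment_content runs on the comment text before it is saved. Core
    // already attaches wp_filter_kses here for users without the unfiltered_html
    // capability; priority 20 runs this narrower allowlist after core's filter.
    add_filter( 'pre_comment_content', 'example_strict_comment_filter', 20 );

    // To disallow HTML in comments entirely, use this instead of the line above:
    // add_filter( 'pre_comment_content', 'wp_strip_all_tags', 20 );
    ```

    Drop the file into wp-content/plugins/ and activate it; comments from administrators with unfiltered_html are still subject to this filter because the hook is added unconditionally.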

  • The topic ‘Forms & Security’ is closed to new replies.