Notifications
Clear all

[Solved] [security] Comment form is allowing JS to be embedded.

6 Posts
2 Users
1 Reactions
1,110 Views
(@lic-request-com)
Member Customer
Joined: 6 years ago
Posts: 4
Topic starter  

I thought this kind of stuff would be taken care of by the plugin but it allows users to embed JavaScript in to the form and therefore, on to the page that has those comments. If you have a user that inserts a script, they can have it execute on your site and do things like modify the page or redirect users, among other things of course. Is this expected behavior or a bug? 


   
Quote
Elvina
(@elvina)
Support
Joined: 5 years ago
Posts: 1403
 

Hi @lic-request-com,

This doesn't have any relation with the wpDiscuz plugin. wpDiscuz based the native (core) WordPress function.
Besides, only high-level users can embedding JavaScript code. The regular user can't embed js codes, it will be removed automatically.

We also suggest you install some anti-spam plugins like Akismet. It filters out hundreds of spam comments. wpDiscuz is well integrated with the plugin.


   
ReplyQuote
(@lic-request-com)
Member Customer
Joined: 6 years ago
Posts: 4
Topic starter  

Elvina,

Wonderful, that's really good to hear. By high-level, you mean Admins right? Thanks for the tip about Akismet, will look in to it. The comment system isn't public yet, but we're trying to make sure its as secure as we can make it, so this gives us a fresh breath of air as we thought it was an issue. 

For addon issues, there is a forum thread for that right? I'm having issues with the front-end moderation tool as well, its allowing non admins to the full set of tools for moderation. 


   
ReplyQuote
(@lic-request-com)
Member Customer
Joined: 6 years ago
Posts: 4
Topic starter  

It's odd because I have made a few test accounts and it let's me add JS and it executes it on refresh. No matter the role. 


   
ReplyQuote
Elvina
(@elvina)
Support
Joined: 5 years ago
Posts: 1403
 

@lic-request-com,

It seems there is some plugin that manipulates the roles and causes the issue. Please deactivate all plugins, keep activated only the wpDiscuz and wpDiscuz Frontend Moderation add-on. Delete all caches and check again (press CTRL+ F5 twice in the frontend) before checking.
If the issue still exists let us know, if not please activate the plugins one by one to find the problem maker.


   
ReplyQuote
(@lic-request-com)
Member Customer
Joined: 6 years ago
Posts: 4
Topic starter  

@elvina

You're absolutely correct. Permissions were actually jacked up, most likely a previous developer working on this project. Checked the permissions and fixed them - works fine now. Up to editor - anything under that can't inject JS. I also went ahead and removed this core capability from everything up to Admin -> unfiltered_html 


   
ReplyQuote
Share:
Scroll to top