Paid Addons Support Forum Only

Please note, that here we only support Paid Addons issues and questions.

gVectors Support staff works from 6am to 6pm (GMT+0)

[Solved] [security] Comment form is allowing JS to be embedded.


wpDiscuzUser19
(@lic-request-com)
Member Customer
Joined: 1 year ago
Posts: 4
05/12/2019 10:25 pm  

I thought this kind of stuff would be taken care of by the plugin, but it allows users to embed JavaScript into the form and therefore onto the page that has those comments. If you have a user that inserts a script, they can have it execute on your site and do things like modify the page or redirect users, among other things of course. Is this expected behavior or a bug?


Elvina
(@elvina)
Noble Member Moderator
Joined: 10 months ago
Posts: 1177
06/12/2019 12:48 pm  

Hi @lic-request-com,

This doesn't have any relation with the wpDiscuz plugin. wpDiscuz is based on the native (core) WordPress function.
Besides, only high-level users can embed JavaScript code. A regular user can't embed JS code; it will be removed automatically.

We also suggest you install some anti-spam plugins like Akismet. It filters out hundreds of spam comments. wpDiscuz is well integrated with the plugin.


wpDiscuzUser19
(@lic-request-com)
Member Customer
Joined: 1 year ago
Posts: 4
09/12/2019 9:16 pm  

Elvina,

Wonderful, that's really good to hear. By high-level, you mean Admins, right? Thanks for the tip about Akismet, will look into it. The comment system isn't public yet, but we're trying to make sure it's as secure as we can make it, so this gives us a fresh breath of air as we thought it was an issue.

For addon issues, there is a forum thread for that, right? I'm having issues with the front-end moderation tool as well; it's allowing non-admins the full set of tools for moderation.


wpDiscuzUser19
(@lic-request-com)
Member Customer
Joined: 1 year ago
Posts: 4
09/12/2019 10:59 pm  

It's odd because I have made a few test accounts and it lets me add JS and it executes it on refresh. No matter the role.


Elvina
(@elvina)
Noble Member Moderator
Joined: 10 months ago
Posts: 1177
10/12/2019 11:42 am  

@lic-request-com,

It seems there is some plugin that manipulates the roles and causes the issue. Please deactivate all plugins, keeping only wpDiscuz and the wpDiscuz Frontend Moderation add-on activated. Delete all caches and check again (press CTRL+F5 twice in the frontend) before checking.
If the issue still exists, let us know; if not, please activate the plugins one by one to find the problem maker.


wpDiscuzUser19
(@lic-request-com)
Member Customer
Joined: 1 year ago
Posts: 4
10/12/2019 10:10 pm  

@elvina

You're absolutely correct. Permissions were actually jacked up, most likely a previous developer working on this project. Checked the permissions and fixed them - works fine now. Up to editor - anything under that can't inject JS. I also went ahead and removed this core capability from everything up to Admin -> unfiltered_html 


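As an added example (not code from this thread or from wpDiscuz), here is a WordPress must-use plugin that enforces the fix the last post describes: it denies `unfiltered_html` at capability-check time unless the user holds a role in an allowed list, strips the capability from the stored role definitions, and offers an audit function that reports which roles still grant it. The allowed-role list, file placement and function names are assumptions.

```php
<?php
/**
 * Plugin Name: Restrict unfiltered_html (added example; not wpDiscuz code)
 * Place in wp-content/mu-plugins/ so it loads before regular plugins.
 */

// Roles allowed to keep unfiltered_html. Empty, as in the thread, means
// nobody (not even Administrator) may post raw <script> in comments or posts.
const RESTRICT_UH_ALLOWED_ROLES = array(); // assumption: adjust per site

/**
 * Deny unfiltered_html via map_meta_cap, the same mechanism WordPress core
 * uses for DISALLOW_UNFILTERED_HTML. Enforcing at check time means a plugin
 * that later re-adds the capability to a role does not re-open the hole.
 */
add_filter( 'map_meta_cap', 'restrict_uh_map_meta_cap', 10, 4 );
function restrict_uh_map_meta_cap( $caps, $cap, $user_id, $args ) {
    if ( 'unfiltered_html' !== $cap ) {
        return $caps;
    }
    $user = get_userdata( $user_id );
    if ( ! $user || ! array_intersect( RESTRICT_UH_ALLOWED_ROLES, (array) $user->roles ) ) {
        $caps[] = 'do_not_allow'; // WordPress treats this as an unconditional deny
    }
    return $caps;
}

/**
 * Audit: return the role slugs whose stored definition still grants
 * unfiltered_html (what a role-editing plugin or an earlier developer left).
 * WP-CLI: wp eval 'print_r( restrict_uh_audit_roles() );'
 */
function restrict_uh_audit_roles() {
    $granting = array();
    foreach ( wp_roles()->roles as $slug => $role ) {
        if ( ! empty( $role['capabilities']['unfiltered_html'] ) ) {
            $granting[] = $slug;
        }
    }
    return $granting;
}

/**
 * One-time clean-up of the stored roles so the audit comes back empty.
 * WP-CLI: wp eval 'restrict_uh_strip_roles();'
 */
function restrict_uh_strip_roles() {
    foreach ( restrict_uh_audit_roles() as $slug ) {
        if ( ! in_array( $slug, RESTRICT_UH_ALLOWED_ROLES, true ) ) {
            get_role( $slug )->remove_cap( 'unfiltered_html' );
        }
    }
}
```

Re-run the audit after activating plugins one at a time, as the moderator suggests, to identify the one that re-grants the capability.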