[Solved] [security] Comment form is allowing JS to be embedded.

6 Posts
2 Users
1 Likes
926 Views
(@lic-request-com)
Member Customer
Joined: 5 years ago
Posts: 4
Topic starter  

I thought this kind of stuff would be taken care of by the plugin but it allows users to embed JavaScript into the form and therefore, onto the page that has those comments. If you have a user that inserts a script, they can have it execute on your site and do things like modify the page or redirect users, among other things of course. Is this expected behavior or a bug?

Elvina
(@elvina)
Support
Joined: 5 years ago
Posts: 1403
 

Hi @lic-request-com,

This doesn't have any relation with the wpDiscuz plugin. wpDiscuz is based on the native (core) WordPress function.
Besides, only high-level users can embed JavaScript code. Regular users can't embed JS code; it will be removed automatically.

We also suggest you install some anti-spam plugins like Akismet. It filters out hundreds of spam comments. wpDiscuz is well integrated with the plugin.

(@lic-request-com)
Member Customer
Joined: 5 years ago
Posts: 4
Topic starter  

Elvina,

Wonderful, that's really good to hear. By high-level, you mean Admins, right? Thanks for the tip about Akismet, will look into it. The comment system isn't public yet, but we're trying to make sure it's as secure as we can make it, so this gives us a fresh breath of air as we thought it was an issue.

For addon issues, there is a forum thread for that, right? I'm having issues with the front-end moderation tool as well; it's allowing non-admins the full set of tools for moderation.

(@lic-request-com)
Member Customer
Joined: 5 years ago
Posts: 4
Topic starter  

It's odd because I have made a few test accounts and it lets me add JS and it executes it on refresh. No matter the role.

Elvina
(@elvina)
Support
Joined: 5 years ago
Posts: 1403
 

@lic-request-com,

It seems there is some plugin that manipulates the roles and causes the issue. Please deactivate all plugins and keep only wpDiscuz and the wpDiscuz Frontend Moderation add-on activated. Delete all caches and check again (press CTRL+F5 twice in the frontend) before checking.
If the issue still exists, let us know; if not, please activate the plugins one by one to find the problem maker.

(@lic-request-com)
Member Customer
Joined: 5 years ago
Posts: 4
Topic starter  

@elvina

You're absolutely correct. Permissions were actually jacked up, most likely by a previous developer working on this project. Checked the permissions and fixed them - works fine now. Up to editor - anything under that can't inject JS. I also went ahead and removed this core capability from everything up to Admin -> unfiltered_html.

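The capability named in the last post, `unfiltered_html`, is what makes WordPress core skip its KSES filtering of a user's comment content, so a role that carries it by mistake is exactly the misconfiguration described above. The mu-plugin below is an added example (not wpDiscuz or WordPress code) that lists which roles hold the capability, strips it from every role except administrator, and denies it at check time so another plugin cannot quietly grant it back; the `example_` names and the choice to keep it only on administrator are assumptions.

```php
<?php
/**
 * Plugin Name: Example: audit and drop unfiltered_html
 * Description: Added example, not part of wpDiscuz. Place in wp-content/mu-plugins/.
 */

// Roles allowed to keep unfiltered_html (assumption: only administrator).
const EXAMPLE_TRUSTED_ROLES = [ 'administrator' ];

// Return the names of every role whose stored capabilities include unfiltered_html.
function example_roles_with_unfiltered_html() {
    $found = [];
    foreach ( wp_roles()->role_objects as $name => $role ) {
        if ( $role->has_cap( 'unfiltered_html' ) ) {
            $found[] = $name;
        }
    }
    return $found;
}

// Strip the capability from untrusted roles. WP_Role::remove_cap() writes to the
// wp_user_roles option, so the change persists even after this file is removed.
function example_strip_unfiltered_html() {
    foreach ( example_roles_with_unfiltered_html() as $name ) {
        if ( ! in_array( $name, EXAMPLE_TRUSTED_ROLES, true ) ) {
            get_role( $name )->remove_cap( 'unfiltered_html' );
            error_log( "removed unfiltered_html from role {$name}" );
        }
    }
}
add_action( 'init', 'example_strip_unfiltered_html' );

// Defence in depth: if a plugin grants the capability back to a role or to a
// single user, deny it at the moment WordPress actually checks it. Returning
// 'do_not_allow' in the mapped caps makes current_user_can() fail, so the
// pre_comment_content KSES filters stay in place for that commenter.
add_filter( 'map_meta_cap', function ( $caps, $cap, $user_id ) {
    if ( 'unfiltered_html' !== $cap ) {
        return $caps;
    }
    $user    = get_userdata( $user_id );
    $roles   = $user ? (array) $user->roles : [];
    $trusted = array_intersect( $roles, EXAMPLE_TRUSTED_ROLES );
    if ( empty( $trusted ) ) {
        $caps[] = 'do_not_allow';
    }
    return $caps;
}, 10, 3 );
```

WordPress core also honours `define( 'DISALLOW_UNFILTERED_HTML', true );` in wp-config.php, which withholds the capability from administrators too; that is the right setting when no one on the site needs to post raw HTML.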