Users Can Break the Site With HTML in Comments/Posts
So a user discovered today if they make a post with <li>...</li> tags OR with just a single </li> tag seems to be removed upon processing the comment and the whole site layout obviously takes a dump.
(This doesn’t seem to happen if the <li> tag is properly placed in a
A user can assign classes to their HTML elements. The same classes used by the website’s CSS, thus allowing for ridiculous formatting in their comments.
I don’t want to disallow HTML (some users utilize bold, code, etc) and that’s fine, but I obviously would like to fix the <li> issue, and also not allow HTML elements to be assigned classes.
I have no idea where even to begin…what function to extend off of and even then what PHP to use to validate/fix?
Maybe a strip_tags before a comment is posted to remove everything except for <strong> and others, but dunno how to fix the class issue…
(Buddypress 3.2.0, using legacy theme)
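
One way to get the behaviour the post asks for, shown as an added example that is not part of the original post and is not BuddyPress or WordPress code: parse the submitted fragment with PHP's DOM extension, keep only allowlisted tags, strip every attribute (so no class can be set), unwrap any <li> that is not inside a list, and re-serialize so every tag is closed. The function names and tag lists are assumptions, and hooking the function into the site's comment-saving path is not shown.

```php
<?php
// Added example, not BuddyPress or WordPress code. Names and tag lists are assumptions.
const EXAMPLE_ALLOWED = ['strong', 'b', 'em', 'i', 'code', 'pre', 'p', 'br', 'ul', 'ol', 'li'];
const EXAMPLE_DROP_WHOLE = ['script', 'style', 'iframe', 'object', 'embed'];
function example_clean_node(DOMNode $parent): void
{
    // Snapshot the children: the live node list changes while we edit it.
    foreach (iterator_to_array($parent->childNodes) as $node) {
        if ($node instanceof DOMText) { continue; } // text is escaped again when serialized
        $tag = strtolower($node->nodeName);
        if (!($node instanceof DOMElement) || in_array($tag, EXAMPLE_DROP_WHOLE, true)) {
            $parent->removeChild($node); // comments, processing instructions, script bodies
            continue;
        }
        example_clean_node($node); // depth first: children are clean before any unwrap
        // An <li> outside <ul>/<ol> is unwrapped so it cannot interact with the theme's own list markup.
        $orphanLi = $tag === 'li' && !in_array(strtolower($parent->nodeName), ['ul', 'ol'], true);
        if ($orphanLi || !in_array($tag, EXAMPLE_ALLOWED, true)) {
            while ($node->firstChild) {
                $parent->insertBefore($node->firstChild, $node); // keep content, drop the tag
            }
            $parent->removeChild($node);
            continue;
        }
        while ($node->attributes->length > 0) { // class, style, id, on*: all removed
            $node->removeAttributeNode($node->attributes->item(0));
        }
    }
}
function example_sanitize_user_html(string $html): string
{
    $doc = new DOMDocument();
    $previous = libxml_use_internal_errors(true); // malformed input is expected here
    $doc->loadHTML('<?xml encoding="UTF-8">' . $html); // prefix makes libxml read UTF-8
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body === null) { return ''; }
    example_clean_node($body);
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child); // the serializer closes every tag it opens
    }
    return $out;
}
// Constructed inputs modelled on the cases in the post.
foreach (['<li>item', 'text</li> more', '<strong class="x">bold</strong>'] as $sample) {
    echo example_sanitize_user_html($sample), PHP_EOL;
}
```

Inside WordPress the same policy can be expressed with the core functions wp_kses() (an allowed-tags array that lists no class attribute) and force_balance_tags().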