Users Can Break the Site With HTML in Comments/Posts

  • FTLRalph


    So a user discovered today that if they make a post with <li>...</li> tags OR with just a single <li> tag, the </li> tag seems to be removed upon processing the comment and the whole site layout obviously takes a dump.

    (This doesn’t seem to happen if the <li> tag is properly placed in a <ul> or <ol>)


    A user can assign classes to their HTML elements, the same classes used by the website’s CSS, thus allowing for ridiculous formatting in their comments.

    I don’t want to disallow HTML (some users utilize bold, code, etc) and that’s fine, but I obviously would like to fix the <li> issue, and also not allow HTML elements to be assigned classes.

    I have no idea where even to begin…what function to extend off of and even then what PHP to use to validate/fix?
    Maybe a strip_tags before a comment is posted to remove everything except for <strong> and others, but dunno how to fix the class issue…

    (Buddypress 3.2.0, using legacy theme)
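
One way to approach both problems described in the post above, as an added example that is not part of the original post and not BuddyPress's own code. It assumes the content is activity updates or comments, which BuddyPress filters through wp_kses() with an allowlist exposed via the `bp_activity_allowed_tags` filter; the `example_` function names are hypothetical, and dropping list tags entirely is a choice made here, not something the poster asked for.

```php
<?php
// Added example. Place in the theme's functions.php or in bp-custom.php.

/**
 * Tighten the tag allowlist that is handed to wp_kses() for activity content.
 * $allowed has the wp_kses() shape: tag name => array of permitted attributes.
 */
function example_restrict_allowed_tags( $allowed ) {
	// List markup is dropped entirely, so a stray <li> can no longer reach the page.
	foreach ( array( 'li', 'ul', 'ol' ) as $tag ) {
		unset( $allowed[ $tag ] );
	}
	// Remove the attributes that let a comment hook into the theme's CSS.
	foreach ( $allowed as $tag => $attrs ) {
		if ( is_array( $attrs ) ) {
			unset( $attrs['class'], $attrs['id'], $attrs['style'] );
			$allowed[ $tag ] = $attrs;
		}
	}
	return $allowed;
}
add_filter( 'bp_activity_allowed_tags', 'example_restrict_allowed_tags' );

/**
 * Generic variant for any other user-submitted HTML field:
 * explicit allowlist first, then close whatever was left open.
 */
function example_sanitize_user_html( $html ) {
	$allowed = array(
		'strong'     => array(),
		'b'          => array(),
		'em'         => array(),
		'i'          => array(),
		'code'       => array(),
		'pre'        => array(),
		'blockquote' => array(),
		'a'          => array( 'href' => true, 'title' => true ),
	);
	// wp_kses() strips tags and attributes not listed, keeping the inner text.
	$clean = wp_kses( $html, $allowed );
	// force_balance_tags() adds missing closing tags such as an unclosed <strong>.
	return force_balance_tags( $clean );
}
```

Unlike strip_tags(), which only filters by tag name, the wp_kses() allowlist also controls attributes, which is what removes `class` from the tags that stay allowed.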
