I am making a blog site. I want to prevent the user(all users even user type is administrator) to input any script tag into the wordpress post. If user input the script tag into the post then onclick of publish it should give the error message to the user or simply remove the the script tag from content. I am not much familiar with the wordpress. Please suggest me how i can do this.
我正在建立一个博客网站。我想阻止用户(所有用户甚至用户类型是管理员)将任何脚本标签输入到wordpress帖子中。如果用户将脚本标记输入到帖子中,则单击发布它应该向用户提供错误消息,或者只是从内容中删除脚本标记。我对wordpress不太熟悉。请建议我如何做到这一点。
Thanks in advance
提前致谢
2 个解决方案
#1
0
You can use this: https://vip.wordpress.com/plugins/advanced-blacklist/ It can blacklist words. just add the words as <script> <SCRIPT>
您可以使用此:https://vip.wordpress.com/plugins/advanced-blacklist/它可以将单词列入黑名单。只需将单词添加为
#2
0
Setting
define( 'DISALLOW_UNFILTERED_HTML', true );
in wp-config.php is the recommended way to do this.
在wp-config.php中是推荐的方法。
Why are some users allowed to post unfiltered HTML?
为什么允许某些用户发布未经过滤的HTML?
Users with Administrator or Editor roles are allowed to publish unfiltered HTML in post titles, post content, and comments. WordPress is, after all, a publishing tool, and people need to be able to include whatever markup they need to communicate. Users with lesser privileges are not allowed to post unfiltered content.
具有管理员或编辑角色的用户可以在帖子标题,发布内容和评论中发布未过滤的HTML。毕竟,WordPress是一种发布工具,人们需要能够包含他们需要进行通信的任何标记。权限较低的用户不允许发布未经过滤的内容。
If you are running security tests against WordPress, use a lesser privileged user so that all content is filtered. If you are concerned about an Administrator putting XSS into content and stealing cookies, note that all cookies are marked for HTTP only delivery, and are divided into privileged cookies used for admin pages, and unprivileged cookies used for public facing pages. Content is never displayed unfiltered in the admin. Regardless, an Administrator has wide-ranging super powers, among which unfiltered HTML is a lesser one.
如果您正在对WordPress运行安全测试,请使用较低权限的用户,以便过滤所有内容。如果您担心管理员将XSS放入内容并窃取cookie,请注意所有cookie都标记为仅HTTP传递,并分为用于管理页面的特权cookie和用于公共对象页面的非特权cookie。内容永远不会在管理员中未经过滤显示。无论如何,管理员拥有广泛的超级权力,其中未经过滤的HTML是较小的权力。
In WordPress Multisite, only the Super Admin can publish unfiltered HTML, as all other users are considered untrusted.
在WordPress Multisite中,只有超级管理员才能发布未经过滤的HTML,因为所有其他用户都被视为不受信任。
To disable unfiltered HTML for all users, including administrators, you can add
define( 'DISALLOW_UNFILTERED_HTML', true );towp-config.php.要为所有用户(包括管理员)禁用未过滤的HTML,您可以添加define('DISALLOW_UNFILTERED_HTML',true);到wp-config.php。
#1
0
You can use this: https://vip.wordpress.com/plugins/advanced-blacklist/ It can blacklist words. just add the words as <script> <SCRIPT>
您可以使用此:https://vip.wordpress.com/plugins/advanced-blacklist/它可以将单词列入黑名单。只需将单词添加为
#2
0
Setting
define( 'DISALLOW_UNFILTERED_HTML', true );
in wp-config.php is the recommended way to do this.
在wp-config.php中是推荐的方法。
Why are some users allowed to post unfiltered HTML?
为什么允许某些用户发布未经过滤的HTML?
Users with Administrator or Editor roles are allowed to publish unfiltered HTML in post titles, post content, and comments. WordPress is, after all, a publishing tool, and people need to be able to include whatever markup they need to communicate. Users with lesser privileges are not allowed to post unfiltered content.
具有管理员或编辑角色的用户可以在帖子标题,发布内容和评论中发布未过滤的HTML。毕竟,WordPress是一种发布工具,人们需要能够包含他们需要进行通信的任何标记。权限较低的用户不允许发布未经过滤的内容。
If you are running security tests against WordPress, use a lesser privileged user so that all content is filtered. If you are concerned about an Administrator putting XSS into content and stealing cookies, note that all cookies are marked for HTTP only delivery, and are divided into privileged cookies used for admin pages, and unprivileged cookies used for public facing pages. Content is never displayed unfiltered in the admin. Regardless, an Administrator has wide-ranging super powers, among which unfiltered HTML is a lesser one.
如果您正在对WordPress运行安全测试,请使用较低权限的用户,以便过滤所有内容。如果您担心管理员将XSS放入内容并窃取cookie,请注意所有cookie都标记为仅HTTP传递,并分为用于管理页面的特权cookie和用于公共对象页面的非特权cookie。内容永远不会在管理员中未经过滤显示。无论如何,管理员拥有广泛的超级权力,其中未经过滤的HTML是较小的权力。
In WordPress Multisite, only the Super Admin can publish unfiltered HTML, as all other users are considered untrusted.
在WordPress Multisite中,只有超级管理员才能发布未经过滤的HTML,因为所有其他用户都被视为不受信任。
To disable unfiltered HTML for all users, including administrators, you can add
define( 'DISALLOW_UNFILTERED_HTML', true );towp-config.php.要为所有用户(包括管理员)禁用未过滤的HTML,您可以添加define('DISALLOW_UNFILTERED_HTML',true);到wp-config.php。