Q&A no strip tags issue

Hello!

I don't know whether it is a bug or a feature, but the Q&A plugin accepts ALL tags in the title \ content fields and displays them as-is.

For example, I put "<script>alert(1);</script>" in the title field, post the question, and I get a JS alert on my question's page :slight_smile: Any user can post scripts\embed\objects and other dangerous stuff :slight_frown:

This is really weird behavior.

Does anyone know how to fix this?

  • Hakan

    Hi,

    It was assumed that question authors should have the same privileges as an editor or author, but I agree that, especially if you let visitors submit questions, this may be misused.

    Just include this code inside the functions.php of your current theme:

    function qa_modify_post( $post ) {
        // Remove every tag from the title, so it is stored as plain text.
        $post['post_title'] = wp_strip_all_tags( $post['post_title'] );
        // Encode HTML special characters in the body, so markup is shown as text.
        $post['post_content'] = esc_html( $post['post_content'] );
        return $post;
    }
    // Run the function on each question before the plugin inserts it.
    add_filter( 'qa_before_insert_post', 'qa_modify_post' );

    Note: This will be integrated to the next release.

    Thanks for pointing this out.

    Cheers,
    Hakan
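
An alternative to the snippet in the reply above, as an added example that is not the plugin's or the author's code: it strips the title the same way but runs the content through a tag allowlist with wp_kses(), so basic formatting survives while script, embed and object tags are removed. The function names and the allowlist are hypothetical, and it assumes the `qa_before_insert_post` filter passes an unslashed post array with the `post_title` and `post_content` keys shown in the reply.

```php
<?php
// Added example for functions.php of the active theme; not plugin code.
// Assumption: 'qa_before_insert_post' passes the post array from the reply above.

// Hypothetical allowlist: basic formatting only, no script/embed/object/iframe.
function qa_example_allowed_html() {
    return array(
        'p'          => array(),
        'br'         => array(),
        'strong'     => array(),
        'em'         => array(),
        'code'       => array(),
        'pre'        => array(),
        'blockquote' => array(),
        'ul'         => array(),
        'ol'         => array(),
        'li'         => array(),
        'a'          => array( 'href' => true, 'title' => true ),
    );
}

function qa_example_sanitize_post( $post ) {
    // Titles are plain text: drop every tag, including script/style bodies.
    if ( isset( $post['post_title'] ) ) {
        $post['post_title'] = wp_strip_all_tags( $post['post_title'] );
    }

    // Users trusted with raw HTML keep it; everyone else gets the allowlist.
    if ( isset( $post['post_content'] ) && ! current_user_can( 'unfiltered_html' ) ) {
        // wp_kses() removes tags and attributes that are not in the allowlist
        // and rejects disallowed URL schemes such as javascript: in href.
        $post['post_content'] = wp_kses( $post['post_content'], qa_example_allowed_html() );
    }

    return $post;
}
add_filter( 'qa_before_insert_post', 'qa_example_sanitize_post' );
```

Register this in place of the snippet from the reply, not alongside it.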
