Home Forums Bug Reports Field saving does not respect unfiltered_html capability


Field saving does not respect unfiltered_html capability

  • Users assigned roles without the unfiltered_html capability are able to save html markup in ACF fields. This opens up a site to XSS vulnerabilities by allowing any user to paste in potentially malicious code, rather than requiring users with the expressed capability only.

    Steps to Reproduce:
    1. Create an ACF text/textarea/wysiwyg field on a page.
    2. Create a new user with role Author. Authors by default do not have the unfiltered_html capability.
    3. Create a new page as the new user, with <script>alert('This should not happen!');</script> as the ACF field content.
    4. View the page, the script runs.

    Expected Behavior: For users without the unfiltered_html capability, script tags should be stripped out and the field content should display as alert('This should not happen!').

    Proposed resolution: ACF fields should check if the user has the unfiltered_html capability on save, and if not, run field content through wp_filter_post_kses().

    • Elliot

    • December 6, 2018 at 6:00 pm

    Hi @benabaird

    Thanks for the bug report and sorry for my delayed reply.
    This is a good idea and will be easy to implement.

    Please edit the file “includes/form.php” and find the line ~160:

    // action
    do_action('acf/save_post', $post_id);

    Then change it to this:

    // Filter $_POST data for users without the 'unfiltered_html' capability.
    if( !current_user_can('unfiltered_html') ) {
    	$_POST['acf'] = wp_kses_post_deep( $_POST['acf'] );
    // action
    do_action('acf/save_post', $post_id);

    We have tested this and can confirm it works correctly for author users who don’t have the ‘unfiltered_html’ capability:

    Let me know your thoughts on the fix and I’ll aim to release a patch shortly.


Viewing 2 posts - 1 through 2 (of 2 total)

You must be logged in to reply to this topic.

We use cookies to offer you a better browsing experience, analyze site traffic and personalize content. Read about how we use cookies and how you can control them in our Cookie Policy. If you continue to use this site, you consent to our use of cookies.