If you want to allow images and additional HTML tags in comments, check the following link:
http://orangescale.net/blognotes/wordpress/sanitizing-html-tags-in-wordpress-mu/index.php
Add appropriate tag hacks to your /wp-includes/kses.php file in the below array:
$allowedtags = array (
You could basically just copy what's in your $allowedposttags = array:
    'img' => array (
        'alt' => array (),
        'border' => array (),
        'class' => array (),
        'height' => array (),
        'hspace' => array (),
        'longdesc' => array (),
        'vspace' => array (),
        'src' => array (),
        'width' => array ()),
OK, I'm an idiot. How does this "Sanitize" the images?
lunabyte
Member
Posted 16 years ago #
It doesn't.
According to Donncha's reference the other day, this would open a hole bigger than Texas.
Not to mention, spammers would end up bypassing all the spam plugins out there and insert their crap in an image.
Ouch. This idea isn't good at all.
Hello,
I am the author of that entry. I use that method for our WordPress MU at http://asiablogging.com
Well, not the asiablogging.com itself, but for blogs in that network. We want our contributors to be able to add style="" inside <img src="" />. We will use our class="" to format the images in entries. But for a quick and dirty solution, just in case our bloggers want to do their own formatting, they can.
If you have a better solution, I would really appreciate it. Thank you.
lunabyte
Member
Posted 16 years ago #
Wow, talk about a walking security risk.
Style tags are a security risk. That's how the MySpace worm worked. And the kses file can't work with them, so they're stripped. (We had this discussion on the wp-hackers list about a month ago. Someone care to grab a link? Locked down, crashing terminal tonight. We discussed it when comparing the different security filter scripts out there.)
This experiment (I mean enabling style="") was not applied globally. Thank you for your feedback!
We will use class="" instead. Once again, thank you!
Hey, I'm certainly not recommending it.
For my purposes, I needed to have images in comments of a private multiuser blog which uses Angsuman's Authenticated WordPress Plugin, so maybe these security risks are not relevant in my situation, since you cannot access the blog unless you are registered and you cannot register unless you are invited.
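The approach the thread ends on (class instead of style), as an added example that is not part of any post above: rather than editing /wp-includes/kses.php, a small plugin adds `img` to the comment allowlist with a reduced attribute set. It assumes a WordPress version that provides the `wp_kses_allowed_html` filter and accepts a context name as the second argument of `wp_kses()`; the `example_` function names are hypothetical.

```php
<?php
/**
 * Added example, not code from the thread or from WordPress itself.
 * Assumption: the running WordPress has the 'wp_kses_allowed_html' filter.
 * Function names prefixed example_ are hypothetical.
 */

// Comment text is filtered by wp_filter_kses() on the 'pre_comment_content'
// hook, and that hook name is the context this filter receives.
add_filter( 'wp_kses_allowed_html', 'example_allow_comment_images', 10, 2 );

function example_allow_comment_images( $tags, $context ) {
    if ( 'pre_comment_content' !== $context ) {
        return $tags; // Posts and every other context keep their own list.
    }

    // Only what is needed to display an image. 'style' and event-handler
    // attributes are deliberately absent; formatting goes through 'class'.
    $tags['img'] = array(
        'src'    => true,
        'alt'    => true,
        'class'  => true,
        'width'  => true,
        'height' => true,
    );

    return $tags;
}

// Run the comment allowlist over a constructed sample comment.
function example_check_comment_filter() {
    // Constructed input: one listed attribute pair plus two unlisted ones.
    $comment = '<img src="https://example.org/a.png" class="left"'
        . ' style="position:fixed" onclick="x()">';

    // Third argument narrows URL schemes in src to http/https for this call.
    // Attributes not named in the allowlist (style, onclick) are dropped;
    // src and class remain.
    return wp_kses( $comment, 'pre_comment_content', array( 'http', 'https' ) );
}
```

Because the filter only touches the `pre_comment_content` context, the list in `$allowedposttags` used for posts is unaffected, and the change survives core upgrades that would overwrite an edited kses.php.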