I was doing a write up of XposedAPI from offsec proving ground, where I pasted some source code gathered during the process. And the code contains javascript code.
The code kinda like this (I have to manually replace < with > otherwise it executes...).
<script>
function restart(){
if(confirm("Do you really want to restart the app?")){
var x = new XMLHttpRequest();
x.open("POST", document.URL.toString());
x.send('{"confirm":"true"}');
window.location.assign(window.location.origin.toString());
}
}
</script>
<script>restart()
And then when I want to preview the article, it prompted me... And, the code won't even display. It is treated as javascript code and embeded into background.
I was a little shocked. I don't think this should be allowed in ANY way. What if I mispasted some xss code that may cause bad consequences.
Everybody be aware of this.
Current on wordpress 5.7.2, long time no update. Will do an update and test on the newest version.