I’m planning to follow this tutorial in order to allow my subscribers to add images to comments (actually a custom post type called “Replies”).
WordPress filters <img> tags by default (except for the admin).
Will my WordPress site be vulnerable to Cross-Site Scripting (XSS) if I allow img HTML tags in my comment section?
Many evil things can be done by including an image. The question is how well WordPress filters them. To give you an idea:
properly.
javascript.
javascript.
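One allowlist approach to the question above, shown as an added example that is not part of the original post or answer: WordPress's own wp_kses() permits <img> with a minimal attribute set and only http/https URLs. The function name myprefix_sanitize_reply_html and the sample input are assumptions made for illustration.

```php
<?php
/**
 * Added example (hypothetical helper, not from the original thread).
 * Sanitizes subscriber-submitted reply HTML so that <img> is allowed,
 * but only with attributes that cannot carry script.
 */
function myprefix_sanitize_reply_html( $content ) {
    // Start from the allowlist WordPress uses for untrusted content
    // (the 'data' context returns the restrictive $allowedtags set).
    $allowed = wp_kses_allowed_html( 'data' );

    // Permit <img>, but only these attributes. Anything not listed
    // (onerror, onload, style, srcset, ...) is stripped by wp_kses().
    $allowed['img'] = array(
        'src'    => true,
        'alt'    => true,
        'width'  => true,
        'height' => true,
    );

    // Third argument restricts URL attributes such as src to these
    // protocols, so javascript: and data: URLs are removed.
    $protocols = array( 'http', 'https' );

    return wp_kses( $content, $allowed, $protocols );
}

// Constructed sample input, for local testing only.
$sample = '<p>Look:</p>'
    . '<img src="https://example.com/a.png" alt="ok" onerror="alert(1)">'
    . '<img src="javascript:alert(1)" alt="bad">';

echo myprefix_sanitize_reply_html( $sample );
```

Run the function on the content before it is stored, and escape again on output if the stored value passes through any other filter.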