How does wordpress allow posting of code via textarea
I recently asked a question about a LAMP stack not allowing posting of <script> tag via textarea; the request is killed by Apache, I guess, as the $_POST, $_GET and $_REQUEST fields are all empty.
I was just wondering how does wordpress allow users to add widgets, update template files and create pages using a textarea control that allows <script> tag.
UPDATE
I've created a pastebin entry for the form here: http://pastebin.com/1Jaz9rRz
Basically it is an auto generated form, I've copy pasted from the source code.
UPDATE
I've moved the code for testing to the server here: http://www.007softwares.com/testing.php
The form is being posted to itself; I've echoed the $_REQUEST array to see what was posted. You can see that when you just submit the form, the fields are visible, and when you type a script tag the error page appears. Hope this helps.
This is quite certainly some misguided security mechanism either in your browser, or (more likely) on the server.
As said, check Suhosin out using phpinfo():
<?php phpinfo(); ?>
You should see some mention of the word "Suhosin" or "Hardened PHP" in the resulting output.
Also I wouldn't rule out mod_security - the errors you say you got when adding the lines disabling it in .htaccess might have some other reason. It could for example be configured so that it's impossible to turn off through .htaccess.
Ask your web host whether they have anything enabled security-wise that might be causing this.
The LAMP stack doesn't care what text is submitted via a TEXTAREA. The script/app that receives the form input may have some logic in it which kills the process if it sees a SCRIPT tag but in general you can submit whatever text you want.
Your phpinfo() says that string.strip_tags is registered as a stream filter. This might be causing your issue.
Also, your filter extension may be configured to strip although that isn't as likely.
When the user submits a <p> tag it works as expected. When the user submits a <script> tag a 404 is returned. This leads me to believe Apache is using mod_security with a configuration similar to:
SecFilterDefaultAction "deny,log,status:404"
SecFilter "<script"
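To tell the cases in these answers apart (request denied before PHP runs, tags stripped inside PHP, or nothing wrong at all), here is an added diagnostic handler, not code from the question or any answer. It assumes a single textarea named `code` and a POST back to the same script; if submitting `<script>` yields the server's error page instead of this script's output, PHP never ran and the block sits in front of PHP, as the mod_security answer describes.

```php
<?php
// Added diagnostic example (not from the original question or answers): post a
// textarea to this script and compare what PHP received with the raw request
// body. If the browser shows the server's 404/error page instead of this output,
// PHP never ran and the block is in front of PHP (e.g. mod_security), not in PHP.
declare(strict_types=1);

function diagnose(array $post, string $rawBody): array {
    $report = [];
    // Suhosin / Hardened PHP shows up as a loaded extension (also visible in phpinfo()).
    $report['suhosin_loaded'] = extension_loaded('suhosin');
    // A registered string.strip_tags stream filter strips nothing by itself; it only
    // matters if something attaches it to php://input or another stream.
    $report['strip_tags_filter_registered'] = in_array('string.strip_tags', stream_get_filters(), true);
    // filter.default other than "unsafe_raw" sanitizes $_GET/$_POST automatically.
    $report['filter_default'] = (string) ini_get('filter.default');
    // Compare the raw urlencoded body with the decoded field: a shorter decoded
    // field means something inside PHP removed content after the request arrived.
    $raw = [];
    parse_str($rawBody, $raw);
    $report['raw_field_length'] = strlen($raw['code'] ?? '');
    $report['post_field_length'] = strlen($post['code'] ?? '');
    $report['tags_stripped_in_php'] = $report['raw_field_length'] > $report['post_field_length'];
    return $report;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // php://input holds the raw body for application/x-www-form-urlencoded posts.
    $report = diagnose($_POST, (string) file_get_contents('php://input'));
    echo '<pre>', htmlspecialchars(print_r($report, true), ENT_QUOTES, 'UTF-8'), '</pre>';
    // Escape on output: the submitted <script> text is displayed, never executed.
    echo '<pre>', htmlspecialchars($_POST['code'] ?? '', ENT_QUOTES, 'UTF-8'), '</pre>';
}
?>
<form method="post">
  <textarea name="code" rows="6" cols="60"></textarea>
  <button type="submit">Submit</button>
</form>
```

If the report prints with `tags_stripped_in_php` false and the full `<script>` text shown escaped below it, the LAMP stack passed the input through untouched, which is the behaviour the second answer describes.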