Description: Remove JS upload
 CVE-2017-17092 - Remove the ability to upload JavaScript files for users who
 do not have the unfiltered_html capability
Author: johnbillion@wordpress.org
Origin: upstream, https://core.trac.wordpress.org/changeset/42275/branches/4.7
Applied-Upstream: 4.9.2
Reviewed-by: Craig Small <csmall@debian.org>
Last-Update: 2017-12-09
--- a/wp-includes/functions.php
+++ b/wp-includes/functions.php
@@ -2552,8 +2552,9 @@
 	if ( function_exists( 'current_user_can' ) )
 		$unfiltered = $user ? user_can( $user, 'unfiltered_html' ) : current_user_can( 'unfiltered_html' );
 
-	if ( empty( $unfiltered ) )
-		unset( $t['htm|html'] );
+	if ( empty( $unfiltered ) ) {
+		unset( $t['htm|html'], $t['js'] );
+	}
 
 	/**
 	 * Filters list of allowed mime types and file extensions.
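Review bot: The new `unset( $t['htm|html'], $t['js'] );` depends on the exact keys of the MIME map, and `unset` on a key that does not exist is a silent no-op, so if the JavaScript entry is ever keyed differently (grouped the way `'htm|html'` is, for instance) the restriction would stop applying without any error. A short comment above the block would record the intent and that coupling, e.g. `// No unfiltered_html: drop types a browser treats as markup or script (CVE-2017-17092); keys must match the MIME map exactly.` The same comment could note that `$unfiltered` stays unset when `current_user_can` is not loaded, so `empty()` makes the check fail closed. The filter documented at the end of the hunk presumably runs after this removal and could re-add either type, which the hunk does not show; the enclosing function starts and ends outside it.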
