Description: Restrict Javascript uploads
 Remove the ability to upload JavaScript files for users who do not have
 the unfiltered_html capability.
 CVE-2017-17091
Author: johnbillion@wordpress.org
Origin: upstream, https://core.trac.wordpress.org/changeset/42296/branches/4.1
Applied-Upstream: 4.1.21
Reviewed-by: Craig Small <csmall@debian.org>
Last-Update: 2018-01-06
--- a/wp-includes/functions.php
+++ b/wp-includes/functions.php
@@ -2330,8 +2330,9 @@
 	if ( function_exists( 'current_user_can' ) )
 		$unfiltered = $user ? user_can( $user, 'unfiltered_html' ) : current_user_can( 'unfiltered_html' );
 
-	if ( empty( $unfiltered ) )
-		unset( $t['htm|html'] );
+	if ( empty( $unfiltered ) ) {
+		unset( $t['htm|html'], $t['js'] );
+    }
 
 	/**
 	 * Filter list of allowed mime types and file extensions.
