diff --git a/e107_admin/prefs.php b/e107_admin/prefs.php
index 342c1b057..612afead8 100644
--- a/e107_admin/prefs.php
+++ b/e107_admin/prefs.php
@@ -1210,9 +1210,7 @@ if ($savePrefs)
 $core_pref->setPref($pref)->save(false, true);
- ".//r_userclass('post_script',$pref['post_script'],'off','nobody,member,admin,main,classes')
- $e_userclass->uc_dropdown('post_script',$pref['post_script'],'off','nobody,admin,main,classes,no-excludes')
- ."
+ ".$e_userclass->uc_dropdown('post_script',$pref['post_script'],'nobody,admin,main,classes,no-excludes')."
".PRFLAN_216."
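Review bot: The narrowed option list in the new `uc_dropdown('post_script', …, 'nobody,admin,main,classes,no-excludes')` call only constrains what the form offers; nothing in this hunk validates the submitted `post_script` value against that same list when the preferences are saved, and the `if ($savePrefs)` branch named in the hunk header lies outside the hunk, so I cannot see whether it does. If the save path stores the posted value as-is, a crafted POST can still set the class to public or member and the restriction is browser-side only, which is exactly the hole the companion update-routine check in update_routines.php is meant to close after the fact. I would apply the same check on save, along the lines of `if (!array_key_exists((int) $posted, $e_userclass->uc_required_class_list('nobody,admin,main,classes,no-excludes', true))) { $posted = 255; }`, with `$posted` being however the save branch reads the field. The option string is now duplicated verbatim in the two files; a shared constant would keep the UI and the integrity check from drifting apart.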
diff --git a/e107_admin/update_routines.php b/e107_admin/update_routines.php
index 545c9941f..3ba070748 100644
--- a/e107_admin/update_routines.php
+++ b/e107_admin/update_routines.php
@@ -584,12 +584,25 @@ function update_core_database($type = '')
 }
- //todo add check for post_html pref value.
+ // Make sure, that the pref "post_script" contains one of the allowed userclasses
+ // Close possible security hole
+ if (!array_key_exists(e107::getPref('post_script'), e107::getUserClass()->uc_required_class_list('nobody,admin,main,classes,no-excludes', true)))
+ {
+ if ($just_check)
+ {
+ return update_needed("Pref 'Class which can post < script > and similar tags' contains an invalid value"); // NO LAN.
+ }
+ else
+ {
+ e107::getConfig()->setPref('post_script', 255)->save(false, true);
+ }
+ }
 return $just_check;
+ }
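Review bot: The new guard passes `e107::getPref('post_script')` straight into `array_key_exists()` as the key; if the preference was never written that is presumably `null`, which PHP 8.1+ reports as a deprecation for a non-nullable internal parameter (older versions silently coerce it to `''`), and a non-numeric garbage value would be compared as a string key rather than rejected explicitly. Reading the value once and normalising it keeps the check explicit and fail-closed: `$postScript = e107::getPref('post_script');` / `$allowed = e107::getUserClass()->uc_required_class_list('nobody,admin,main,classes,no-excludes', true);` / `if (!is_numeric($postScript) || !array_key_exists((int) $postScript, $allowed))`. Resetting to 255 is the right direction if, as the option list's name suggests, that is the "nobody" class, but `// Close possible security hole` should name the hole, e.g. `// A post_script class outside this list (e.g. public/member) lets non-admin users post <script>; reset to nobody (255) so the fix is fail-closed`. The option string is a verbatim copy of the one in prefs.php's dropdown and belongs in a shared constant, and the `else` after `return` can be dropped. update_core_database begins before this hunk, so the surrounding control flow is not visible here.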