I was playing with my test WordPress 3.1 Release Candidate 4 multi-site installation, and the problem with the ‘unfiltered_html’ capability still exists there. I decided to write a special post about it, since it may interest someone else. I tried to insert the modern HTML5 tag ‘<video>’ into a post without success: WordPress removed it every time I saved the post, even though I did it under an account with the ‘Editor’ role. The ‘Editor’ role has the ‘unfiltered_html’ capability turned on by default. What is the reason? Why does this capability fail to work?
I traced the WordPress code execution with my favourite NetBeans for PHP IDE and found, in the ‘wp-includes/capabilities.php’ file, the function map_meta_cap() with this piece of code:
        // Fall through if not DISALLOW_FILE_MODS.
    case 'unfiltered_html':
        // Disallow unfiltered_html for all users, even admins and super admins.
        if ( defined('DISALLOW_UNFILTERED_HTML') && DISALLOW_UNFILTERED_HTML ) {
            $caps[] = 'do_not_allow';
            break;
        }
        // Fall through if not DISALLOW_UNFILTERED_HTML
    case 'delete_user':
    case 'delete_users':
        // If multisite these caps are allowed only for super admins.
        if ( is_multisite() && !is_super_admin( $user_id ) ) {
            $caps[] = 'do_not_allow';
        } else {
            if ( 'delete_user' == $cap )
                $cap = 'delete_users';
            $caps[] = $cap;
        }
        break;
Thus map_meta_cap() in capabilities.php always returns ‘do_not_allow’ for ‘unfiltered_html’ if you are not a super admin in a multi-site environment.
In this way the WordPress developers decided to prohibit “unfiltered_html” globally in the multi-site environment and to allow it for the super admin only.
So we can consider this capability deprecated for WordPress multi-site.
In most cases you trust your editors. Why not allow them to use arbitrary HTML tags in posts?
The direct approach, removing the kses filters for users with the ‘Editor’ role by inserting a call to
    kses_remove_filters();
(a function from the kses.php file) into the site theme's functions.php file, does not give the desired result. As far as I can see, WordPress calls the kses_init() function in several places, not just once, and it probably overrides my attempt to remove the kses filters :). I have not done deeper research yet.
Maybe you have found some applicable workaround for this? Please share your experience with others.
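As an added example (not code from the original post or from WordPress itself), here is a hypothetical must-use plugin that makes the decision described above visible: it reports how ‘unfiltered_html’ actually resolves for the current user, using only WordPress functions that already exist in 3.1 (user_can(), is_multisite(), is_super_admin()), and shows where the DISALLOW_UNFILTERED_HTML hardening constant from the excerpt belongs. The plugin and function names are made up for this example.

```php
<?php
/*
 * Plugin Name: Unfiltered HTML policy check (hypothetical mu-plugin, added example)
 * Drop this file into wp-content/mu-plugins/ on a test site.
 */

// Hardening knob (belongs in wp-config.php, shown here for reference): this is the
// constant the map_meta_cap() excerpt checks first. When set, 'unfiltered_html' is
// denied to every user, super admins included, on single-site and multisite alike.
// define( 'DISALLOW_UNFILTERED_HTML', true );

/**
 * Explain how 'unfiltered_html' resolves for the given user id.
 * Returns array( 'effective' => bool, 'reasons' => array of strings ).
 */
function uhc_explain_unfiltered_html( $user_id ) {
    $reasons = array();
    if ( defined( 'DISALLOW_UNFILTERED_HTML' ) && DISALLOW_UNFILTERED_HTML ) {
        $reasons[] = 'DISALLOW_UNFILTERED_HTML is set, map_meta_cap() returns do_not_allow';
    }
    if ( is_multisite() && ! is_super_admin( $user_id ) ) {
        $reasons[] = 'multisite and not a super admin, map_meta_cap() returns do_not_allow';
    }
    // user_can() goes through WP_User::has_cap() and therefore through map_meta_cap(),
    // so it reflects the effective decision, not the role's raw capability list
    // (which still lists unfiltered_html for Editors and Administrators).
    $effective = user_can( $user_id, 'unfiltered_html' );
    return array( 'effective' => $effective, 'reasons' => $reasons );
}

/** Print the verdict on admin screens so the policy can be verified per user. */
function uhc_admin_notice() {
    $report = uhc_explain_unfiltered_html( get_current_user_id() );
    $state  = $report['effective'] ? 'ALLOWED' : 'DENIED';
    $why    = $report['reasons'] ? implode( '; ', $report['reasons'] ) : 'role capabilities decide';
    echo '<div class="updated"><p>unfiltered_html for the current user: '
        . esc_html( $state ) . ' (' . esc_html( $why ) . ')</p></div>';
}
add_action( 'admin_notices', 'uhc_admin_notice' );
```

The notice also explains why the kses_remove_filters() attempt in functions.php is undone: kses_init() is hooked on the init and set_current_user actions and re-adds the filters whenever current_user_can('unfiltered_html') is false, which is exactly what the mapping above makes it for a non-super-admin Editor on multisite.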
Tags: capability, Security, User Role, WordPress