WordPress.org

TinyMCE Advanced
[resolved] Does this plugin work on multisite installations? (7 posts)

  1. Marcelo Pedra
    Member
    Posted 1 year ago #

    Hello! I just wanted to be sure of this before installing in a multisite environment. Has anybody tested this?

    http://wordpress.org/extend/plugins/tinymce-advanced/

  2. Andrew Ozz
    WordPress Dev
    Plugin Author

    Posted 1 year ago #

    Multisite limits the HTML tags the users can use. Having this plugin and adding more advanced functionality/buttons will insert some tags or attributes that will be removed on saving.

    It is possible to allow multisite users to add these tags and attributes, but that makes the network unsafe.

  3. Marcelo Pedra
    Member
    Posted 1 year ago #

    So, in brief: this plugin is not recommended for use in multisite environments, except if I trust the users, right?

  4. Marcelo Pedra
    Member
    Posted 7 months ago #

    Hello, I wanted to revisit this thread to ask a simple question. What elements from TinyMCE could be potentially dangerous in a multisite environment? Is there any uploader for photos or attachments? What features would you recommend to keep disabled even if I trust the users and even if I'm the webmaster for the entire network of websites?

    I'm asking this because I really, really, would like to use the plugin in several websites that nowadays are inside MU. So, your answers will be greatly appreciated.

  5. crdunst
    Member
    Posted 6 months ago #

    @Marcelo if it helps I can confirm that I've used this plugin on a few multisite installations without any problems.

    I think (correct me if I'm wrong Andrew) that Andrew means the plugin theoretically could allow users to embed scripts, iframes and object tags, which could compromise the whole MU installation. You should be able to mitigate this by restricting access to the plugin settings using roles though.

  6. Marcelo Pedra
    Member
    Posted 6 months ago #

    Ok then. If Andrew confirms, it shouldn't be a problem. I have to multisite where I'm the webmaster and all the users are editors, contributors and guests. It shouldn't pose a problem, right? If the features to embed scripts, iframes and object tags are disabled, they cannot be used by users. Nor can it be exploited if a bot scans one of these sites and finds that it is using the plugin, right?

  7. Andrew Ozz
    WordPress Dev
    Plugin Author

    Posted 6 months ago #

    It's not much of a security concern as all content is run through kses. It's a user expectations problem: if a user enables the "media" plugin and uses it to add an <iframe>, that will be stripped on saving by kses.

    I've been working on a new major version for some time; one of the new features there is to predetermine the buttons for all sites on a network and show a minimal settings page to admins on individual sites. Then the superadmin can decide what will be available and adjust kses if needed.

Topic Closed

This topic has been closed to new replies.
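
The stripping described in the last reply can be checked before rolling the plugin out. This is an added example, not part of the thread or of the plugin's code: it runs constructed sample markup through `wp_kses_post()`, the post-content filter, and reports what would be saved. The function name `example_kses_report`, the file name and the sample markup are assumptions made for illustration.

```php
<?php
/**
 * Added example. Run inside a WordPress install, for instance with
 * WP-CLI: wp eval-file kses-check.php   (file name is an assumption)
 *
 * Shows which markup survives the kses filter that is applied to
 * content saved by users without the unfiltered_html capability.
 */

// Constructed samples; the tags mirror those named in the thread.
$samples = array(
	'iframe' => '<iframe src="https://example.com/embed" width="400" height="300"></iframe>',
	'object' => '<object data="https://example.com/movie.swf"></object>',
	'script' => '<script src="https://example.com/widget.js"></script>',
	'table'  => '<table><tr><td>cell</td></tr></table>',
	'span'   => '<span style="font-size: 14px">text</span>',
);

/**
 * Hypothetical helper: filter each sample and record the result.
 *
 * @param array $samples Label => HTML pairs.
 * @return array Label => array( 'kept' => bool, 'saved' => string ).
 */
function example_kses_report( array $samples ) {
	$report = array();
	foreach ( $samples as $label => $html ) {
		// wp_kses_post() applies the allowlist used for post content.
		$saved            = wp_kses_post( $html );
		$report[ $label ] = array(
			// "changed" can also mean kses only normalized the markup,
			// so the saved string is kept for inspection.
			'kept'  => ( $saved === $html ),
			'saved' => $saved,
		);
	}
	return $report;
}

foreach ( example_kses_report( $samples ) as $label => $row ) {
	printf(
		"%-7s %-8s %s\n",
		$label,
		$row['kept'] ? 'kept' : 'changed',
		'' === $row['saved'] ? '(nothing left)' : $row['saved']
	);
}
```

Any row reported as changed marks an editor button whose output users will lose on saving, which is the expectation gap the plugin author describes.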
