WordPress.org


[resolved] Multisite Security Question (5 posts)

  1. kirkward
    Member
    Posted 1 year ago #

    I am developing a WordPress Multisite Network, and am coding a plugin that copies posts from the main blog to the client blog. I use the wp_insert_post function to update a target post on the client blog with the content of a selected post from the main blog (blog 1).

    During development, we discovered that the layout of the target posts on the client blog was breaking when the site admin ran the plugin, but not when the super admin visited the client blog and ran the plugin.

    This was a problem and we looked for a solution for two or three weeks. I had three coders and myself looking to see if we could find any fault with the code. We couldn't find anything.

    Luckily, a coder I used previously connected with me, and I was able to ask him if he had any ideas. After looking at it for several hours, he admitted it was one of the strangest problems he had ever seen. He told me to go on to bed, and he would find the problem.

    The next morning, there was a message on Skype for me to change most of my html to css to solve the problem. I did, it does.

    I went back and read the codex page for the wp_insert_post function very carefully, and did not see anything explicitly explaining why this was happening. But, because it does say that anything created using the wp_insert_post function is run through kses, all I can assume is that the kses security is not applied if the user is the super admin.

    Can anyone verify that, or explain it a bit more?

  2. Can you possibly put your plugin up on something like Github for us to look at? :) I'm not 100% sure, but if it's running through kses, then the Super-Admin has more power as to what can be posted than the normal site-admins.

    HTML is filtered, so id, div, script, and other non-normal HTML tags are restricted on a Multisite.

  3. kirkward
    Member
    Posted 1 year ago #

    I don't know how to put things on Github ... I don't even understand it.

    What I can describe is the general flow of things.

    What we do is have a selectbox collect all the posts in a particular category on the main blog. The code switches the user to that blog, gets the post as an array, and returns to the target or client blog, then inserts the post into an existing post (so we can retain the existing slug).

    Pretty much that's the flow. I could post the code here, but it is pretty much all WordPress functions, else I couldn't have gotten as far as I did, cause at my stage of old geezerhood, I can only code using the CPET system (Copy, Paste, Edit and Try).

    I think you basically confirmed what we ran into, as the things we were running into losing when the site admin ran the script were background URLs and alignment and other things like that in certain divs and ids.

    Thanks for the feedback.

  4. I think you basically confirmed what we ran into, as the things we were running into losing when the site admin ran the script were background URLs and alignment and other things like that in certain divs and ids.

    Yeah, that'd be the kses filter :) You can turn it off, but it's a bit dangerous, which is why I was wondering what your code was doing.
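
    An added example, not the original poster's plugin, showing the copy flow described in this thread with the kses difference made explicit: wp_insert_post() filters content through wp_filter_post_kses only when the current user lacks the unfiltered_html capability, which on multisite only super admins hold, so the example runs the content through wp_kses_post() itself to get the same result for both roles. Function and variable names are hypothetical; the main blog is assumed to be blog 1.

```php
<?php
/**
 * Added example (not the poster's code): copy a post from the main blog
 * (blog 1) into an existing post on the current client blog so the
 * existing slug is retained.
 *
 * wp_insert_post() applies wp_filter_post_kses via the content_save_pre
 * filter only for users without 'unfiltered_html'. On multisite that
 * capability is limited to super admins, so the same copy produces
 * different HTML depending on who runs it. Filtering explicitly with
 * wp_kses_post() makes the outcome identical for both, so stripped
 * markup shows up during super-admin testing instead of only later.
 *
 * Names below are hypothetical.
 */
function example_copy_post_to_client( $source_post_id, $target_post_id, $main_blog_id = 1 ) {
    // Fetch the source post from the main blog, then switch back.
    switch_to_blog( $main_blog_id );
    $source = get_post( $source_post_id );
    restore_current_blog();

    if ( ! $source ) {
        return new WP_Error( 'no_source', 'Source post not found on the main blog.' );
    }

    // Apply the 'post' kses rules regardless of the current user's capability.
    $content = wp_kses_post( $source->post_content );

    // Make it visible when kses changed something (only when WP_DEBUG is on).
    if ( $content !== $source->post_content && defined( 'WP_DEBUG' ) && WP_DEBUG ) {
        error_log( sprintf( 'kses altered content of post %d during copy', $source_post_id ) );
    }

    // Update the existing target post; wp_update_post() expects slashed data
    // and returns a WP_Error on failure when the second argument is true.
    return wp_update_post( wp_slash( array(
        'ID'           => $target_post_id,
        'post_title'   => $source->post_title,
        'post_content' => $content,
    ) ), true );
}
```

    Disabling kses for site admins, as mentioned above, would instead widen what every admin on the network can inject into pages; keeping the filter and adjusting the markup (as the poster did) or extending the allowed list via the wp_kses_allowed_html filter is the safer route.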

  5. kirkward
    Member
    Posted 1 year ago #

    I'll be leaving it, as I want the posts to be run through kses. I'm not a security expert, but methinks that the kses is a good start.

    Thanks for your time.
