WordPress MultiSite is stripping out javascript forms from pages

  • tate-ramingham

    (@tate-ramingham)


    10 years ago

    Hello,

    A client of mine is running into issues with being able to add javascript for embedding Jotform forms to their network of sites.

    Specifically the issue has started happening when two employees (one administrator level and the other editor level) try to edit or modify pages that have the form javascript on the page. Even if they aren’t changing that javascript when they update the page, the script is removed.

    Also, they can’t add the javascript form to a page and publish it or update it. The javascript just disappears.

    We don’t have this issue with the boss’s user account or mine (super admins) but we used to not have this problem at all. I also find it a little excessive and over the top to have to make every employee a super admin just so they can do standard website management tasks such as updating pages.

    Any ideas?

Viewing 4 replies - 1 through 4 (of 4 total)
  • David Sader

    (@dsader)

    10 years ago

    In Multisite, you need the KSES filter to kick out the evil stuff malicious n’erdowells can dream up.

    Remember, all DB tables can be altered – wiped – from any unfiltered form, all the server’s file directories are also accessible and unlink-able from any content form as well.

    You may as well give everyone SuperAdmin powers if you plan on disabling the kses filter for all users.

    So I offer you this, write your own kses filter plugin and add the tags you wish.

    Are you sure you know what damage unfiltering any tags could potentially do to your multisite?

    https://codex.wordpress.org/Function_Reference/wp_kses
    http://wordpress.org/support/topic/can-wordpress-support-pictures-inside-comments?replies=17

    A safer way would be to rethink your java embed via shortcode.

    Examples: http://codex.wordpress.org/Embed_Shortcode

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    🏳️‍🌈 Advisor and Activist

    10 years ago

    You may as well give everyone SuperAdmin powers if you plan on disabling the kses filter for all users.

    PLEASE DO NOT DO THIS!

    Sorry, I know David was trying to point out the insecurity of letting people insert whatver they want, but if someone reads this and thinks it’s a good idea to give everyone super admin advice, IT’S NOT GOOD ADVICE AND THAT IS NOT WHAT DAVID MEANS!

    *whew*

    Anyway. It’s for security, there is a plugin to allow them to enter js and iframes, though as David noted, it’s not very smart. I will note, it’s safer than actually making everyone and their monkey a super admin, but that’s along the viewpoint of it’s safer to give a toddler a steak knife than a pocket knife.

    David Sader

    (@dsader)

    10 years ago

    lol, I forget that sarcasm may be lost in translation. You have made it clear.

    Thread Starter tate-ramingham

    (@tate-ramingham)

    10 years ago

    Thanks for the feedback David and Mika. I’ve been pushing this client to allow me to migrate their forms to Gravity forms so that it all runs nicely inside WordPress and everything gets along. But no luck yet.

    I’ll look into the embed via shortcode method.

    Thanks again!

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘WordPress MultiSite is stripping out javascript forms from pages’ is closed to new replies.