[resolved] Multisite and 3.5 (and 3.5.1) - Editor stripping code NSFW (9 posts)

  1. Dan & Jennifer
    Posted 3 years ago #

    Hi there.

    I'm seeing an issue that I'm not sure how to resolve.

    In our multisite, the super admin can create posts with no issues.

    But, Site Administrators cannot - the code is being mangled.
    This includes code for Google Adsense Ads, MailChimp Forms, etc.

    For example, if I paste in the following Google Adsense code, the code in the red box is being stripped off when I save the post. (This only happens to site administrators - not super admin)

    The same thing happens with MailChimp Code.

    Here's a screencast of exactly what happens:

    Please help!

  2. In posts and widgets? I wonder if it's the unfiltered HTML thing coming back to bite you.

  3. Dan & Jennifer
    Posted 3 years ago #

    Can you please elaborate?
    Agree that this may be related but how to resolve it?

  4. This only happens to site administrators - not super admin

    That is correct, and this is by design. In multisite mode, only superadmins have the unfiltered_html capability.

    This is a security measure, unfiltered_html is a dangerous capability to have. If I have unfiltered_html, then I can craft a post with malicious code in it that will, for example, send me your superadmin credentials when you view my post. Essentially, unfiltered_html can lead to privilege escalation, among other things.

    So in normal single-site mode, admins and editors have it, because presumably they are trusted users. In multisite, only the super-admin is a trusted user, normal site-admins are not trusted since they may not have control over the entire multisite instance.

  5. Dan & Jennifer
    Posted 3 years ago #

    Also why was the title of this post modified to be NSFW?

  6. Dan & Jennifer
    Posted 3 years ago #

    So how do they add things like MailChimp forms and Google Adsense ads to their blogs?

  7. Dan & Jennifer
    Posted 3 years ago #

    Also, this was not an issue before the 3.5 (3.5.1) update.

  8. To answer your many questions:

    - A moderator probably noticed that the link to your site in your profile was NSFW, and so changed the post to reflect that as a warning to others who have more stringent workplace environments.

    - Generally speaking, adding code like that to posts is uncommon. Most people who want to do that sort of thing use a plugin or add it to their theme. Or, if you're doing it in a widget, have a super-admin add it for them.

    - This was indeed broken in some previous versions, but fixed in 3.5 because, like I said above, it's a security issue. The specific change that fixed this was made here, 8 months ago: http://core.trac.wordpress.org/changeset/21152
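    The two points above (post 4: in multisite only super admins hold `unfiltered_html`, so everyone else's post content goes through kses; post 8: the usual workaround is a plugin) can be put together in a small plugin. The following is an added example written for this thread, not code from WordPress core or from any plugin the posters used. The plugin name, the option name `nas_approved_snippets`, the shortcode tag `network_snippet` and the `nas_` function names are all assumptions. The idea is that a super admin stores the approved ad or form snippet once at network level, and site admins reference it by id from a post, so the raw `<script>` markup never has to survive the editor's kses filtering.

```php
<?php
/**
 * Plugin Name: Network Approved Snippets (added example for this thread)
 *
 * Hypothetical network-activated plugin. A super admin (the only role with
 * unfiltered_html in multisite) stores approved third-party embed code in a
 * network option. Site admins, who lack unfiltered_html, place it with
 * [network_snippet id="..."]; the shortcode text itself is plain and passes
 * kses unchanged, while the script markup is only ever emitted at render time.
 */

// Assumed option name for this example.
const NAS_OPTION = 'nas_approved_snippets';

/**
 * Store or replace an approved snippet. Returns true on success, false when
 * the caller does not hold unfiltered_html (i.e. is not a super admin).
 */
function nas_set_snippet( $id, $html ) {
    // Same capability check WordPress itself uses to decide whether raw
    // HTML may be saved; in multisite only super admins pass it.
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        return false;
    }
    $id = sanitize_key( $id );
    if ( '' === $id ) {
        return false;
    }
    $snippets        = get_site_option( NAS_OPTION, array() );
    $snippets[ $id ] = $html;
    return update_site_option( NAS_OPTION, $snippets );
}

/**
 * Shortcode handler. The id attribute is the only author-controlled input
 * and is reduced to a key, so a site admin cannot smuggle markup through
 * the shortcode; unknown ids render as an empty string.
 */
function nas_shortcode( $atts ) {
    $atts     = shortcode_atts( array( 'id' => '' ), $atts );
    $id       = sanitize_key( $atts['id'] );
    $snippets = get_site_option( NAS_OPTION, array() );
    if ( '' === $id || ! isset( $snippets[ $id ] ) ) {
        return '';
    }
    return $snippets[ $id ];
}
add_shortcode( 'network_snippet', 'nas_shortcode' );

// Text widgets do not expand shortcodes by default; this core filter
// enables it so the same [network_snippet] works in sidebars too.
add_filter( 'widget_text', 'do_shortcode' );
```

Usage: a super admin calls `nas_set_snippet( 'adsense-sidebar', $adsense_code )` once (for instance from a network admin page the plugin would provide), after which any site admin can write `[network_snippet id="adsense-sidebar"]` in a post or text widget. This keeps the security property the thread describes intact: kses still runs on every non-super-admin post, and the only path for script markup onto a page is a value a super admin explicitly approved.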

  9. Dan & Jennifer
    Posted 3 years ago #

    Thanks for the response - not what I want to hear but it does make sense.

    This actually broke the plugins and custom post types that we're using as well - I will reach out to the plugin developers to see if they are going to make changes to support the update.

    We have hundreds of customer blogs on our network - and now all of their ad code is going to be broken if they ever try to change it. :-(

Topic Closed
