Multisite and 3.5 (and 3.5.1) – Editor stripping code NSFW

Viewing 8 replies - 1 through 8 (of 8 total)
  • Moderator Ipstenu (Mika Epstein)


    🏳️‍🌈 Halfelf Rogue & Plugin Review Team Rep

    In posts and widgets? I wonder if it’s the unfiltered HTML thing coming back to bite you.

    Can you please elaborate?
    Agree that this may be related but how to resolve it?

    Moderator Samuel Wood (Otto)

    (@otto42) Admin

    This only happens to site administrators – not super admin

    That is correct, and this is by design. In multisite mode, only superadmins have the unfiltered_html capability.

    This is a security measure, unfiltered_html is a dangerous capability to have. If I have unfiltered_html, then I can craft a post with malicious code in it that will, for example, send me your superadmin credentials when you view my post. Essentially, unfiltered_html can lead to privilege escalation, among other things.

    So in normal single-site mode, admins and editors have it, because presumably they are trusted users. In multisite, only the super-admin is a trusted user, normal site-admins are not trusted since they may not have control over the entire multisite instance.

    Also why was the title of this post modified to be NSFW?

    So how do they add things like MailChimp forms and Google Adsense ads to their blogs?

    Also, this was not an issue before the 3.5 (3.5.1) update.

    Moderator Samuel Wood (Otto)

    (@otto42) Admin

    To answer your many questions:

    – A moderator probably noticed that the link to your site in your profile was NSFW, and so changed the post to reflect that as a warning to others who have more stringent workplace environments.

    – Generally speaking, adding code like that to posts is uncommon. Most people who want to do that sort of thing use a plugin or add it to their theme. Or, if you’re doing it in a widget, have a super-admin add it for them.

    – This was indeed broken in some previous versions, but fixed in 3.5 because, like I said above, it’s a security issue. The specific change that fixed this was made here, 8 months ago:

    Thanks for the response – not what I want to hear but it does make sense.

    This actually broke the plugins and custom post types that we’re using as well – I will reach out to the plugin developers to see if they are going to make changes to support the update.

    We have 100’s of customer blogs on our network – and now all of their ad code is going to be broken if they ever try to change it. 🙁

  • The topic ‘Multisite and 3.5 (and 3.5.1) – Editor stripping code NSFW’ is closed to new replies.
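
The plugin route suggested in the thread, as an added example that is not code from any participant or from WordPress itself: a must-use plugin, installed by the super admin, that gives site admins a shortcode accepting only a validated slot ID, so they never need unfiltered_html. The shortcode name, constant, function name and embed markup are assumptions constructed for illustration.

```php
<?php
/**
 * Plugin Name: Network Embed Slot (added example)
 *
 * Illustrative only. Placed in wp-content/mu-plugins/ by the super admin,
 * so it runs on every site in the network and site admins cannot edit it.
 */

// The account identifier is fixed by the network owner and never read from
// post content. Constructed placeholder value.
define( 'EXAMPLE_EMBED_ACCOUNT', 'acct-0000000000' );

/**
 * Handles [network_embed slot="1234567890"].
 *
 * The site admin controls one thing: a numeric slot id. All markup comes
 * from this trusted code, so the kses filtering applied to users without
 * unfiltered_html has nothing to strip from the post itself.
 *
 * @param array|string $atts Raw shortcode attributes.
 * @return string Embed markup, or an empty string for invalid input.
 */
function example_network_embed_shortcode( $atts ) {
	$atts = shortcode_atts( array( 'slot' => '' ), $atts, 'network_embed' );

	// Allowlist validation: digits only, bounded length.
	// Anything else renders nothing rather than being "cleaned up".
	if ( ! preg_match( '/^[0-9]{1,20}$/', $atts['slot'] ) ) {
		return '';
	}

	// Constructed stand-in for a vetted third-party embed tag. Values are
	// escaped for the HTML attribute context even though they are validated.
	return sprintf(
		'<div class="network-embed" data-account="%s" data-slot="%s"></div>',
		esc_attr( EXAMPLE_EMBED_ACCOUNT ),
		esc_attr( $atts['slot'] )
	);
}
add_shortcode( 'network_embed', 'example_network_embed_shortcode' );
```

Any script the embed needs would be enqueued by the same plugin, keeping executable code under super-admin control while site admins edit only the slot ID.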