How to Allow Unfiltered HTML to Editors on WordPress Multisite

WordPress multisite prevents everybody but super admins from adding HTML blocks with <script> and <iframe> tags. The capability behind this is unfiltered_html, which core's map_meta_cap maps to do_not_allow for everyone except super admins on multisite. This is done for security reasons on sites where anyone could register and post content that could do nasty things with shared cookies (on both subdomain and sub-directory setups).

However, most multisite setups are actually private, where you trust the content creators. On non-multisite setups this capability is enabled for all users. Here is a filter that lifts this limitation for all users with the editor capability, as an example:

add_filter(
	'map_meta_cap',
	function ( $caps, $cap, $user_id ) {
		// On multisite, core maps 'unfiltered_html' to 'do_not_allow' for
		// non-super-admins; replace that with the capability itself for editors.
		if ( 'unfiltered_html' === $cap && user_can( $user_id, 'editor' ) ) {
			return [ 'unfiltered_html' ];
		}

		// Leave every other capability request untouched.
		return $caps;
	},
	10, // priority
	3   // accepted arguments: $caps, $cap, $user_id
);

It works by returning the requested capability $cap itself as the list of primitive capabilities $caps that the user must hold for the action, which replaces the do_not_allow entry core added. You can change editor to any other capability. Consider whether you should still honour the DISALLOW_UNFILTERED_HTML constant, which is meant to prevent unfiltered HTML for everyone.

Note that any content edits by users without this capability will simply strip the restricted HTML on save (wp_kses filters it out), so you should ensure that everyone who can edit the respective content has the necessary capability.
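As an added example (not code from the original post), here is a variant of the filter that keeps honouring the DISALLOW_UNFILTERED_HTML kill switch, together with an audit helper (the function name example_audit_unfiltered_html is ours) that lists, per site in the network, which users end up with unfiltered_html so you can verify the effect of the change:

```php
<?php
// Added example: drop it in wp-content/mu-plugins/ on the network.
add_filter( 'map_meta_cap', function ( $caps, $cap, $user_id ) {
    if ( 'unfiltered_html' !== $cap ) {
        return $caps;
    }
    // Keep the site-wide kill switch: when the constant is true core has
    // already added 'do_not_allow', and we leave that in place.
    if ( defined( 'DISALLOW_UNFILTERED_HTML' ) && DISALLOW_UNFILTERED_HTML ) {
        return $caps;
    }
    // Only users holding the editor role on the current site get it.
    if ( user_can( $user_id, 'editor' ) ) {
        return [ 'unfiltered_html' ];
    }
    return $caps;
}, 10, 3 );

/**
 * Audit helper (our name): returns [ blog_id => [ user_login, ... ] ] with
 * every user who can post unfiltered HTML on each site of the network.
 * Run with: wp eval 'print_r( example_audit_unfiltered_html() );'
 */
function example_audit_unfiltered_html() {
    $report = [];
    // 'number' => 0 removes the default limit of 100 sites per query.
    foreach ( get_sites( [ 'number' => 0 ] ) as $site ) {
        $blog_id = (int) $site->blog_id;
        switch_to_blog( $blog_id );
        $report[ $blog_id ] = [];
        $users = get_users( [ 'fields' => [ 'ID', 'user_login' ] ] );
        foreach ( $users as $user ) {
            // user_can() runs map_meta_cap, so the filter above is applied.
            if ( user_can( (int) $user->ID, 'unfiltered_html' ) ) {
                $report[ $blog_id ][] = $user->user_login;
            }
        }
        restore_current_blog();
    }
    return $report;
}
```

Super admins appear in every site's list because core grants them the capability regardless of the filter; anyone else listed is there only through the editor role on that site.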

2 Comments

  1. Ryan Hellyer says:

    I saw this in use many years ago on a publicly accessible bbPress installation! I questioned the owner, but they were insistent that their users required unfiltered HTML, as it made their user experience better … just totally ignoring all security issues with allowing it lol.

    • Kaspars says:

      Single sites allow this for all users (as linked at the beginning of the post) so the same risk applies. Sites where anyone can register definitely shouldn’t have this enabled.
