WordPress multisite prevents everyone except super admins from adding HTML blocks containing <script> and <iframe> tags (the markup that KSES strips on save). Whether a user may do so is governed by the unfiltered_html capability. This is done for security reasons: on a network where anyone can register and post content, script injected on one site can abuse the cookies shared across the network (the parent domain's cookies on subdomain setups, the single host's cookies on sub-directory setups).
However, most multisite setups are actually private, with content creators you trust. On single-site installs the capability is already granted to every role that holds it (administrators and editors by default). Here is a filter that lifts the multisite restriction for every user with the editor role:
    add_filter(
        'map_meta_cap',
        function ( $caps, $cap, $user_id ) {
            // Core has already mapped unfiltered_html to do_not_allow for
            // non-super-admins on multisite; replace that with the primitive
            // capability of the same name. 'editor' is a role name, which
            // user_can() also accepts.
            if ( 'unfiltered_html' === $cap && user_can( $user_id, 'editor' ) ) {
                return [ 'unfiltered_html' ];
            }
            return $caps;
        },
        10,
        3
    );
It works because map_meta_cap translates the meta capability $cap (here unfiltered_html) into the list of primitive capabilities $caps the user must hold; on multisite, core puts do_not_allow in that list for anyone who is not a super admin. The filter replaces that list with unfiltered_html itself, which the editor and administrator roles hold by default, so the check passes for those users. You can change editor to any other role or capability. As written, the filter also overrides the DISALLOW_UNFILTERED_HTML constant, which core maps to do_not_allow before this filter runs and which is the only way to switch unfiltered HTML off for super admins as well; decide whether your version should keep honouring it.
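As an added example (not code from the original post), here is the same filter written as a must-use plugin that keeps the DISALLOW_UNFILTERED_HTML kill switch, only touches the multisite denial, and checks the role on the current site rather than anywhere in the network. The constant TRUSTED_UNFILTERED_HTML_ROLE and its default of editor are assumptions made for the example:

```php
<?php
/**
 * Plugin Name: Multisite unfiltered_html for a trusted role (added example)
 * Description: Grants the unfiltered_html meta capability on a multisite
 *              network to users holding a chosen role, while still honouring
 *              DISALLOW_UNFILTERED_HTML. Drop into wp-content/mu-plugins/.
 */

// Assumption: the role whose members should get unfiltered_html on the
// current site. Any role that actually holds the primitive 'unfiltered_html'
// capability works (editor and administrator do by default).
if ( ! defined( 'TRUSTED_UNFILTERED_HTML_ROLE' ) ) {
	define( 'TRUSTED_UNFILTERED_HTML_ROLE', 'editor' );
}

add_filter(
	'map_meta_cap',
	function ( $caps, $cap, $user_id, $args ) {
		if ( 'unfiltered_html' !== $cap ) {
			return $caps;
		}

		// Keep the global kill switch: core maps the cap to do_not_allow when
		// this constant is set, and that must win even for trusted roles.
		if ( defined( 'DISALLOW_UNFILTERED_HTML' ) && DISALLOW_UNFILTERED_HTML ) {
			return array( 'do_not_allow' );
		}

		// Only override the multisite denial. Super admins and single-site users
		// already receive array( 'unfiltered_html' ) from core; leave that alone.
		if ( ! is_multisite() || ! in_array( 'do_not_allow', $caps, true ) ) {
			return $caps;
		}

		// WP_User::$roles lists the user's roles on the current site only, so a
		// user who is an editor on another site in the network does not qualify.
		$user = get_userdata( $user_id );
		if ( ! $user || ! in_array( TRUSTED_UNFILTERED_HTML_ROLE, (array) $user->roles, true ) ) {
			return $caps;
		}

		// Map the meta cap to the primitive cap of the same name. has_cap() then
		// checks that the role really holds 'unfiltered_html'; if it does not,
		// the user is still denied.
		return array( 'unfiltered_html' );
	},
	10,
	4
);
```

Placed in wp-content/mu-plugins/ it loads on every site in the network before regular plugins. To check it: log in as an editor on one sub-site, save a post containing a <script> tag and confirm the tag survives in post_content; then define DISALLOW_UNFILTERED_HTML as true in wp-config.php and confirm the tag is stripped again.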
Note that content saved by a user without this capability is passed through KSES, which silently strips the disallowed tags. So make sure everyone who can edit the affected content has the capability; otherwise a single save by a lower-privileged user will remove the <script> and <iframe> markup.
I saw this in use many years ago on a publicly accessible bbPress installation! I questioned the owner, but they were insistent that their users required unfiltered HTML, as it made their user experience better … just totally ignoring all security issues with allowing it lol.
Single sites grant this to administrators and editors by default (as linked at the beginning of the post), so the same risk applies there. Sites where anyone can register definitely shouldn't have this enabled.