#15002 closed defect (bug) (invalid)
unfiltered_html capability is not observed when set explicitly for role
| Reported by: | phlux0r | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | 3.0.1 |
| Component: | Role/Capability | Keywords: | reporter-feedback |
| Focuses: | | Cc: | |
Description
When the unfiltered_html capability is explicitly set for a user role, WP does not observe it.
In wp-includes/capabilities.php around line 1021 the code is:
```php
case 'unfiltered_html':
    // Disallow unfiltered_html for all users, even admins and super admins.
    if ( defined('DISALLOW_UNFILTERED_HTML') && DISALLOW_UNFILTERED_HTML ) {
        $caps[] = 'do_not_allow';
        break;
    }
    // Fall through if not DISALLOW_UNFILTERED_HTML
```
My fix is to change it to:
```php
case 'unfiltered_html':
    // Disallow unfiltered_html for all users, even admins and super admins.
    if ( defined('DISALLOW_UNFILTERED_HTML') && DISALLOW_UNFILTERED_HTML ) {
        $caps[] = 'do_not_allow';
        break;
    } else {
        // FIX to observe the unfiltered_html capability assigned to role
        $caps[] = $cap;
        break;
    }
    // Fall through if not DISALLOW_UNFILTERED_HTML
```
Cheers, Robert
Change History (5)
#3 (follow-up: ↓ 4) 14 years ago
- Cc lybica added
Hi, I came across the same issue recently.

I believe it is incorrect to fall through to the next case block here; currently for any multisite installation (if is_multisite() returns true), a non-super-admin can never have the 'unfiltered_html' capability (pushed to $cap). Or is there a reason behind this?
#4 (in reply to: ↑ 3; follow-up: ↓ 5) 14 years ago
- Milestone Awaiting Review deleted
- Resolution set to invalid
- Status changed from new to closed
Replying to lybica:

> currently for any multisite installation (if is_multisite() returns true), non-super-admin can never have the 'unfiltered_html' capability (pushed to $cap).
Correct. Only super admins are trusted with unfiltered_html in multisite.
#5 (in reply to: ↑ 4) 14 years ago

Replying to nacin:

> Correct. Only super admins are trusted with unfiltered_html in multisite.
Thanks for the clarification.
@phlux0r, since this is a feature, I ended up writing a plugin that removes the html filtering altogether by

```php
remove_action('init', 'kses_init');
remove_action('set_current_user', 'kses_init');
```

for "trusted users".
You're missing an important section of the code that follows. There is no `break;` there. The comment specifically says it falls through:
That might as well read this:
I'm thinking you have something else going on which is why this isn't working for you.
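To make the fall-through concrete, here is an added stand-alone model (not WordPress's own code) of how the `unfiltered_html` branch of map_meta_cap() resolves as the thread describes it: the DISALLOW_UNFILTERED_HTML kill switch first, then the multisite check that only super admins pass. The constants, the `editor`/`netadmin` users and the role array are constructed for the example.

```php
<?php
// Added example, not WordPress code: a stand-alone model of how the
// 'unfiltered_html' case of map_meta_cap() resolves, as described in
// the thread. The constants stand in for wp-config.php defines and for
// is_multisite() / is_super_admin(); user names and roles are constructed.
const DISALLOW_UNFILTERED_HTML = false;        // global kill switch
const IS_MULTISITE             = true;         // models is_multisite()
const SUPER_ADMINS             = ['netadmin']; // models is_super_admin()

function is_multisite(): bool { return IS_MULTISITE; }
function is_super_admin(string $user): bool { return in_array($user, SUPER_ADMINS, true); }

// Maps the requested meta capability to the primitive caps that are
// actually checked against the user's role.
function map_unfiltered_html(string $user): array {
    $caps = [];
    // First gate: the constant disables unfiltered_html for everyone,
    // super admins included.
    if (DISALLOW_UNFILTERED_HTML) {
        $caps[] = 'do_not_allow';
        return $caps;
    }
    // Without that constant the real code does not break; it falls through
    // to the multisite check, so on a network only super admins are trusted.
    // The reporter's proposed `else { $caps[] = $cap; break; }` would skip this.
    if (is_multisite() && !is_super_admin($user)) {
        $caps[] = 'do_not_allow';
    } else {
        $caps[] = 'unfiltered_html';
    }
    return $caps;
}

// A capability is granted only if every mapped primitive cap is present in
// the role; 'do_not_allow' is granted to no role, so it always denies.
function user_can_unfiltered_html(string $user, array $role_caps): bool {
    foreach (map_unfiltered_html($user) as $cap) {
        if ($cap === 'do_not_allow' || empty($role_caps[$cap])) {
            return false;
        }
    }
    return true;
}

// Constructed role: an editor whose role explicitly grants unfiltered_html.
$editor_caps = ['edit_posts' => true, 'unfiltered_html' => true];
var_dump(user_can_unfiltered_html('editor', $editor_caps));
var_dump(user_can_unfiltered_html('netadmin', $editor_caps));
```

With IS_MULTISITE set to true the editor is refused even though the role grants the capability while netadmin passes; setting IS_MULTISITE to false makes the role grant take effect, which is the single-site behaviour the reporter expected.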