unfiltered_html capability is not observed when set explicitly for role

[phlux0r]

When the unfiltered_html capability is explicitly set for a user role, WP does not observe it.

In wp-includes/capabilities.php around line 1021 the code is:

        case 'unfiltered_html':
                // Disallow unfiltered_html for all users, even admins and super admins.
                if ( defined('DISALLOW_UNFILTERED_HTML') && DISALLOW_UNFILTERED_HTML ) {
                        $caps[] = 'do_not_allow';
                        break;
                }
                // Fall through if not DISALLOW_UNFILTERED_HTML

My fix is to change it to:

        case 'unfiltered_html':
                // Disallow unfiltered_html for all users, even admins and super admins.
                if ( defined('DISALLOW_UNFILTERED_HTML') && DISALLOW_UNFILTERED_HTML ) {
                        $caps[] = 'do_not_allow';
                        break;
                } else { // FIX to observe the unfiltered_html capability assigned to role
                        $caps[] = $cap;
                        break;
                }
                // Fall through if not DISALLOW_UNFILTERED_HTML

Cheers, Robert

[nacin]

You're missing an important section of the code that follows. There is no break; there. The comment specifically says it falls through:

	case 'unfiltered_html':
		// Disallow unfiltered_html for all users, even admins and super admins.
		if ( defined('DISALLOW_UNFILTERED_HTML') && DISALLOW_UNFILTERED_HTML ) {
			$caps[] = 'do_not_allow';
			break;
		}
		// Fall through if not DISALLOW_UNFILTERED_HTML
	case 'delete_user':
	case 'delete_users':
		// If multisite these caps are allowed only for super admins.
		if ( is_multisite() && !is_super_admin() )
			$caps[] = 'do_not_allow';
		else
			$caps[] = $cap;
		break;

That might as well read this:

	case 'unfiltered_html':
		// Disallow unfiltered_html for all users, even admins and super admins.
		if ( defined('DISALLOW_UNFILTERED_HTML') && DISALLOW_UNFILTERED_HTML ) {
			$caps[] = 'do_not_allow';
			break;
		}
		// If multisite these caps are allowed only for super admins.
		if ( is_multisite() && !is_super_admin() )
			$caps[] = 'do_not_allow';
		else
			$caps[] = $cap;
		break;

I'm thinking you have something else going on which is why this isn't working for you.

[lybica]

Hi, I came across with the same issue recently.

I believe it is incorrect to fall through to the next case block here;
currently for any multisite installation (if is_multisite() returns true),
non-super-admin can never have the 'unfiltered_html' capability (pushed to $cap).

or is there a reason behind this?

[nacin]

Replying to lybica:

currently for any multisite installation (if is_multisite() returns true),
non-super-admin can never have the 'unfiltered_html' capability (pushed to $cap).

Correct. Only super admins are trusted with unfiltered_html in multisite.

[lybica]

Replying to nacin:

Correct. Only super admins are trusted with unfiltered_html in multisite.

Thanks for the clarification.

@phlux0r, since this is a feature,
I ended up writing a plugin that removes the html filtering altogether by

remove_action('init', 'kses_init');
remove_action('set_current_user', 'kses_init');

for "trusted users".