Make WordPress Core

Opened 5 years ago

Last modified 5 months ago

#29359 new defect (bug)

No error message is displayed when a user with an Admin role tries to publish code on Multisite

Reported by: lachlanj
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: Editor
Keywords:
Focuses: multisite
Cc:
PR Number:

Description

If you are a user with an editor role you do not have the capability to publish script tags in the post editor or within a text widget. When you paste script tags into a post and click publish, the code is stripped with a "Page updated. view page" message.

An error message should be displayed explaining that you do not have sufficient privileges to publish script tags in a post and the code has been removed from the post.

Change History (7)

#1 follow-up: @stephdau
5 years ago

I can't seem to be able to reproduce this under trunk (as of r29627). Switching from the text to WYSIWYG editor mode and back even wraps the script in a CDATA block. :)

Editors can post JS code in the editor. They also do not have access to widgets (in Appearance or Customizer).

Posts (and user level): https://cloudup.com/c6KZij6SBrL
Pages: https://cloudup.com/cPzuHb_-0vW

#2 in reply to: ↑ 1 ; follow-up: @SergeyBiryukov
5 years ago

  • Focuses multisite added

Replying to stephdau:

Editors can post JS code in the editor.

Not in multisite, see #29378.

#3 follow-up: @lachlanj
5 years ago

  • Summary changed from No error message is displayed when a user with an editor role tries to publish code to No error message is displayed when a user with an Admin role tries to publish code on Multisite

Apologies, it looks like I messed this ticket up. It was meant to be for multisite, and the error happens for Admins as well as Editors (which was why I mentioned widgets). I believe only Super Admins can paste script tags into the editor and publish.

#4 in reply to: ↑ 3 @Ipstenu
5 years ago

Replying to lachlanj:

I believe only Super Admins can paste script tags into the editor and publish.

That's correct. Only Super Admins can paste unfiltered content for the sanity of a Network :) There are ways around it, but given how horribly dangerous that can be on an open Multisite, it's safer to take away that ability.

That said, should there be an error or a 'Your code was stripped, yarrrr' message to tell them?
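The behaviour described in this comment, as an added illustration that is not core code and not a patch attached to this ticket: a must-use plugin (assumed path wp-content/mu-plugins/, assumed class name Stripped_Markup_Notice) that hooks content_save_pre on either side of core's wp_filter_post_kses() pass and shows an admin notice listing the tags that pass dropped for users who lack unfiltered_html (on Multisite, everyone but Super Admins).

```php
<?php
/**
 * Plugin Name: Stripped Markup Notice (illustrative example, not WordPress core)
 *
 * On Multisite, map_meta_cap() maps `unfiltered_html` to `do_not_allow` for
 * non-Super-Admins, so kses_init() hooks wp_filter_post_kses() onto
 * content_save_pre (priority 10) and <script> etc. are dropped silently.
 * This captures the content before that pass, compares afterwards, and
 * reports the removed tag names on the next admin screen load.
 */
final class Stripped_Markup_Notice {
    private static $raw = null;

    public static function init() {
        add_filter( 'content_save_pre', array( __CLASS__, 'capture_raw' ), 1 );
        add_filter( 'content_save_pre', array( __CLASS__, 'compare' ), PHP_INT_MAX );
        add_action( 'admin_notices', array( __CLASS__, 'render_notice' ) );
    }

    public static function capture_raw( $content ) {
        self::$raw = $content; // still slashed here; tag names are unaffected
        return $content;
    }

    public static function compare( $content ) {
        // Users who hold unfiltered_html are not filtered, so nothing to report.
        if ( null === self::$raw || current_user_can( 'unfiltered_html' ) ) {
            return $content;
        }
        $removed = array_diff( self::tag_names( self::$raw ), self::tag_names( $content ) );
        if ( $removed ) {
            // Post-save is a redirect, so stash the list per user for the next request.
            set_transient( 'stripped_markup_' . get_current_user_id(), array_values( $removed ), 5 * MINUTE_IN_SECONDS );
        }
        return $content;
    }

    // Compare on distinct tag names only, so attribute rewrites by kses are not reported.
    private static function tag_names( $html ) {
        preg_match_all( '/<\s*([a-zA-Z][a-zA-Z0-9]*)/', $html, $m );
        return array_unique( array_map( 'strtolower', $m[1] ) );
    }

    public static function render_notice() {
        $key     = 'stripped_markup_' . get_current_user_id();
        $removed = get_transient( $key );
        if ( ! $removed ) {
            return;
        }
        delete_transient( $key );
        $msg = sprintf( 'Your role cannot publish unfiltered HTML on this network; these tags were removed before saving: %s.', implode( ', ', $removed ) );
        printf( '<div class="notice notice-warning"><p>%s</p></div>', esc_html( $msg ) );
    }
}
Stripped_Markup_Notice::init();
```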

#5 in reply to: ↑ 2 @stephdau
5 years ago

Replying to SergeyBiryukov:

Not in multisite, see #29378.

Oh, duh. Sorry, my bad. :)

#6 @lachlanj
5 years ago

I think there should be a message displayed.

From a novice user's point of view, it can be confusing as to why your content is being removed. If you are a "hacker" trying to insert malicious code, I'm sure you are well aware of why the code has been removed, so it seems like there is more upside to adding a message than not?

#7 @chriscct7
4 years ago

  • Keywords needs-patch added

Needs patch for comment:4
