Make WordPress Core

Opened 2 years ago

Closed 2 years ago

#56726 closed feature request (wontfix)

Editor can't save <script> tag in post content

Reported by: yauheninikifarau
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: Security
Keywords:
Focuses:
Cc:

Description

Maybe we can add some flexibility to this rule and add a checkbox to switch off this limitation for editors.

Change History (1)

#1 @peterwilsoncc
2 years ago

  • Component changed from Editor to Security
  • Milestone Awaiting Review deleted
  • Resolution set to wontfix
  • Status changed from new to closed

Hi @yauheninikifarau and welcome to trac.

On a standard WordPress install, both Editors and Administrators are permitted to post <script> tags as they have permission to post unfiltered HTML. See the unfiltered_html capability detailed in the roles and capabilities documentation.

It is possible for plugins or a setting in wp-config.php to prevent these users from posting unfiltered HTML.

On a Multisite install, only super-admins can post unfiltered HTML. Again, there are plugins that will allow users with lower permissions (such as editors and administrators of sub-sites) to post any tags they wish.

For Multisite installs, there are security reasons that the editors and administrators aren't permitted to post unfiltered HTML by default so adding an option to do so is not something the team is able to do. It remains plugin territory.

If you are seeing this on a standard/single site install, you may wish to review your plugins or settings to see why editors are unable to use unfiltered HTML.

As the current settings are considered an acceptable compromise and already configurable via wp-config or plugins, I am going to close this ticket as wontfix.
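
The checks described in the comment above, written as a small diagnostic that explains why a given user can or cannot save unfiltered HTML. This is an added example, not part of the original ticket or WordPress core; the function names and array keys are hypothetical, and `DISALLOW_UNFILTERED_HTML` is assumed to be the wp-config.php setting the comment refers to.

```php
<?php
// Added example (not WordPress core code). Function names and array keys are hypothetical.

/** Turn the facts about one user into a one-line explanation. */
function explain_unfiltered_html(array $f): string {
    if ($f['effective']) {
        return 'allowed: <script> in post content is saved as written';
    }
    if ($f['disallow_constant']) {
        return 'blocked: DISALLOW_UNFILTERED_HTML is true in wp-config.php (affects every user)';
    }
    if ($f['multisite'] && !$f['super_admin']) {
        return 'blocked: Multisite install and the user is not a super admin';
    }
    if (!$f['role_has_cap']) {
        return 'blocked: the user\'s roles do not grant unfiltered_html (check role-editing plugins)';
    }
    return 'blocked: a plugin filter (map_meta_cap or user_has_cap) denies the capability';
}

/** Collect the facts from a running WordPress install. */
function collect_unfiltered_html_facts(WP_User $user): array {
    return [
        // Final answer after core's meta-capability mapping and any plugin filters.
        'effective'         => $user->has_cap('unfiltered_html'),
        'disallow_constant' => defined('DISALLOW_UNFILTERED_HTML') && DISALLOW_UNFILTERED_HTML,
        'multisite'         => is_multisite(),
        'super_admin'       => is_super_admin($user->ID),
        // Raw role/user capabilities, before filters are applied.
        'role_has_cap'      => !empty($user->allcaps['unfiltered_html']),
    ];
}

if (function_exists('wp_get_current_user')) {
    // Inside WordPress: report on the current user.
    $user = wp_get_current_user();
    echo $user->user_login, ': ', explain_unfiltered_html(collect_unfiltered_html_facts($user)), "\n";
} else {
    // Outside WordPress: constructed sample, an editor on a sub-site of a Multisite network.
    $sample = ['effective' => false, 'disallow_constant' => false, 'multisite' => true,
               'super_admin' => false, 'role_has_cap' => true];
    echo 'sample editor: ', explain_unfiltered_html($sample), "\n";
}
```

With WP-CLI, saving this under a file name of your choice and running `wp eval-file <file> --user=<login>` reports on that user; run with plain `php` it prints the constructed sample.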
