
user roles - What do unfiltered_html and unfiltered_upload actually filter?


Among WordPress' capabilities are unfiltered_html and unfiltered_upload, however I have yet to find any documentation about what specifically they allow or prevent in their filtering.

The only mention I've found on WordPress' site about unfiltered_html is:

Allows user to post HTML markup or even JavaScript code in pages, posts, comments and widgets.

I've seen that JavaScript is filtered out for non-admins, but what HTML is being filtered?

And for unfiltered_upload:

This capability is not available to any role by default (including Super Admins). The capability needs to be enabled by defining the following constant:

define( 'ALLOW_UNFILTERED_UPLOADS', true );

With this constant defined, all roles on a single site install can be given the unfiltered_upload capability, but only Super Admins can be given the capability on a Multisite install.

And again, the description doesn't spell out what's permitted and what's filtered out.

Can someone tell me exactly what elements, code, or file types the unfiltered_html and unfiltered_upload capabilities allow or prevent?


asked Sep 11, 2015 at 19:57 by j08691
  • Note that allowing unfiltered HTML to anybody is practically the same as granting them full administrative access to all accounts. This is because unfiltered HTML can be used to implement an XSS attack, which can be used to take over any session. – Mikko Rantalainen, commented Mar 17, 2021 at 15:51

3 Answers


It is hard to come up with a precise answer since capabilities are often used more broadly than they imply. For example, a check for manage_options is usually a synonym for a check for an admin user and can come up in contexts that don't actually have much to do with options.

Usually it will be a difference between the subject content passing or not passing through wp_kses(). Specific kses settings and what is considered allowed would depend on the context and might vary.

For unfiltered_upload, as far as I remember, it's more straightforward. Without it only whitelisted file types are allowed. The list is based on wp_get_mime_types().

I appreciate this is an old thread, but restricted unfiltered_html was causing us huge problems on our news site.

The in-house writers (a special class of user) are required to place photos and videos in their story. While photos are not a problem, embedding iframes into the page with the video code embedded saw the embedded code vanish when they saved their stories.

If the video was embedded for them by an editor the writers would still lose the iframe when they saved their stories.

By unblocking unfiltered_html our staff writers can embed the video content and lay up their post properly.

As for unfiltered_upload, I believe that has been answered.

Hope this helps someone.
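The following is an added example, not code from any of the answerers or from WordPress itself; it illustrates the first answer's point (content going through wp_kses() with the 'post' context, uploads checked against wp_get_mime_types()) and the second answer's "iframes vanish" problem, with the narrower fix of whitelisting a fixed iframe attribute set rather than granting unfiltered_html. It assumes it is dropped into wp-content/mu-plugins/ on a test site; the kses_demo_* function names and the sample input are made up for the example.

```php
<?php
/**
 * Plugin Name: kses-demo (constructed example for this thread)
 * Place in wp-content/mu-plugins/ on a test site.
 */

// (a) The non-unfiltered_html path: wp_kses_post() runs content through
//     wp_kses() with the 'post' context. <script> and <iframe> are not in
//     that context's allowed-tag list, so the tags are stripped and only
//     their inner text survives; on*= handlers on allowed tags are dropped
//     as well, because they are not in the tag's allowed-attribute list.
function kses_demo_strip( $html ) {
    return wp_kses_post( $html );
}
// Constructed input to feed kses_demo_strip() from WP-CLI or a unit test:
//   '<p onclick="x()">hi</p><script>alert(1)</script><iframe src="https://example.com/v"></iframe>'

// (b) The narrower fix for iframes vanishing on save: extend the 'post'
//     allowed list with a fixed iframe attribute set instead of handing the
//     role unfiltered_html (which would also admit <script> and event
//     handlers). Attribute values still pass wp_kses' allowed-protocol
//     check, so a javascript: URL in src is removed.
add_filter( 'wp_kses_allowed_html', function ( $allowed, $context ) {
    if ( 'post' === $context ) {
        $allowed['iframe'] = array(
            'src'             => true,
            'width'           => true,
            'height'          => true,
            'title'           => true,
            'allowfullscreen' => true,
        );
    }
    return $allowed;
}, 10, 2 );

// (c) The unfiltered_upload side: core rejects an upload whose extension
//     does not map to a type in wp_get_mime_types() unless the user holds
//     unfiltered_upload (which requires ALLOW_UNFILTERED_UPLOADS). This
//     mirrors that decision for a filename, e.g. to audit what a role could
//     upload on a given site.
function kses_demo_upload_allowed( $filename ) {
    $check = wp_check_filetype( $filename, wp_get_mime_types() );
    return ! empty( $check['type'] ) || current_user_can( 'unfiltered_upload' );
}

// To remove unfiltered_html from every user, administrators included, add
// the following to wp-config.php: define( 'DISALLOW_UNFILTERED_HTML', true );
```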

unfiltered_html in network

These capabilities block the possibility for all users except super admins to insert JavaScript, iframe code etc. in WordPress pages or posts, and if one of them (admin, editor etc.) edits a page with an active iframe or JS, it is removed.

To give administrators the possibility to add such code, these abilities must be enabled, and to do so you can use this plugin:

https://wordpress/plugins/unfiltered-mu/
