WordPress MU

Yes, there are several threads here on the security ramifications of allowing embed and iframe, various plugin suggestions, and ways to modify kses.php. Sorry for starting a new one.

Many of us WPMU admins are in educational settings where we're not allowing the general public to sign up for blogs - we're running tightly controlled blogging environments for 20 or 30 students. Not having WPMU work like standard WP is a pain in the neck. Hopefully in the future, WPMU will include an option: "Allow WP-standard tags in posts [security warning...]" Alternatively, a WPMU plugin that allowed this would be great.

Until that time comes, I found a simple solution that doesn't require hacking - just grab wp-includes/kses.php from a *standard* WP installation and overwrite the one in WPMU. So far, in my testing, I'm not seeing any downside to this approach except that I'll have to re-do it after each upgrade. Can anyone think of any major issues with this (again, assuming I'm happy to have the security issues be the same as for single-blog WP installs)?

Scot

Has anyone else tried this... I was actually looking for something similar

Hiya,

You can allow iframes (or whatever else you want) with the wpmu kses.php via a plugin. Just add to the allowed tags array.

The filter you're looking for is 'edit_allowedposttags':
add_filter('edit_allowedposttags', 'YOUR_FUNCTION')

Thanks,
Andrew

andrewbillits - Yes, that's the usual recommendation for handling this, but requires hacking around (fragile) and you never know whether you've got the FULL default capabilities of straight WP. I think this method is easier and cleaner.

After several days of working with it, no issues at all for users. Works nicely. I'd recommend this method over hacking kses.php to most admins working with WPMU in a controlled environment.

Yes, that's the usual recommendation for handling this, but requires hacking

Since when is writing a plugin that modifies something via a filter "hacking"?

Sure it's not much trouble to switch out the kses.php files. However, it's much easier in the long run to just write a plugin and leave it in mu-plugins.

Thanks,
Andrew

If i added this to a theme's functions.php, would that work or does it have to be in a plugin?

@andrewbillits - I'm not saying a plugin is a hack, but that modifying files is a hack. Most of the recommendations on this forum for handling this problem refer to modifying files. And yes, my suggestion requires replacing a file rather than modifying, so that's also a hack ... but less of one.

If I could find a plugin to handle this situation correctly, I'd use it, but nothing I tried what I wanted (one plugin to allow embed, another plugin to allow iframe, etc. etc.) If there was a plugin that would simply give MU the same posting freedom of regular MU, I'd be all over it! Can you point me to one?

you don't need to modify any file.
Just as andrewbillits said, created a file in mu-plugin like

function more_tags(&$content) {
$content += array(
'iframe' => array(
'width' => array(),
'height' => array(),
'frameborder' => array(),
'src' => array(),
'frameborder' => array(),
'marginwidth' => array(),
'marginheight' => array(),
)
);
}
return $content;
}
add_filter('edit_allowedposttags', 'more_tags');
?>

The above is for iframe, modify to suit your needs

Taiwanese - ah... great tip, thanks! Wonder why this kind of thing isn't a simple option in the WPMU admin - seems like it would be a very common request. Or, failing that, wonder why there isn't a standard plugin for controlling allowed tags. But I can handle creating a plugin per your example easily enough. Thanks.

It's been deemed a security risk and won't be in the code. people are welcome ot make plugins for it though, with plenty of warnings. :D

Hi taiwanese,
Can u put a complete version of your code for iframe. I don't know php. But i notice a stray ?> at the end. Wondering if you could specify all the details for novice admins :)

How about using the Unfiltered MU plugin?

There is a hook in the kses file if you want to create a plugin to plunk in allowed tags.