The MU forums have moved to WordPress.org

Replacing kses to allow YouTube, Google Maps, etc. (13 posts)

  1. shacker
    Member
    Posted 16 years ago #

    Yes, there are several threads here on the security ramifications of allowing embed and iframe, various plugin suggestions, and ways to modify kses.php. Sorry for starting a new one.

    Many of us WPMU admins are in educational settings where we're not allowing the general public to sign up for blogs - we're running tightly controlled blogging environments for 20 or 30 students. Not having WPMU work like standard WP is a pain in the neck. Hopefully in the future, WPMU will include an option: "Allow WP-standard tags in posts [security warning...]" Alternatively, a WPMU plugin that allowed this would be great.

    Until that time comes, I found a simple solution that doesn't require hacking - just grab wp-includes/kses.php from a *standard* WP installation and overwrite the one in WPMU. So far, in my testing, I'm not seeing any downside to this approach except that I'll have to re-do it after each upgrade. Can anyone think of any major issues with this (again, assuming I'm happy to have the security issues be the same as for single-blog WP installs)?

    Scot

  2. bwinn
    Member
    Posted 16 years ago #

    Has anyone else tried this... I was actually looking for something similar

  3. andrewbillits
    Member
    Posted 16 years ago #

    Hiya,

    You can allow iframes (or whatever else you want) with the wpmu kses.php via a plugin. Just add to the allowed tags array.

    The filter you're looking for is 'edit_allowedposttags':
    add_filter('edit_allowedposttags', 'YOUR_FUNCTION')

    Thanks,
    Andrew

  4. shacker
    Member
    Posted 16 years ago #

    andrewbillits - Yes, that's the usual recommendation for handling this, but requires hacking around (fragile) and you never know whether you've got the FULL default capabilities of straight WP. I think this method is easier and cleaner.

    After several days of working with it, no issues at all for users. Works nicely. I'd recommend this method over hacking kses.php to most admins working with WPMU in a controlled environment.

  5. andrewbillits
    Member
    Posted 16 years ago #

      Yes, that's the usual recommendation for handling this, but requires hacking

    Since when is writing a plugin that modifies something via a filter "hacking"?

    Sure it's not much trouble to switch out the kses.php files. However, it's much easier in the long run to just write a plugin and leave it in mu-plugins.

    Thanks,
    Andrew

  6. peiqinglong
    Member
    Posted 16 years ago #

    If i added this to a theme's functions.php, would that work or does it have to be in a plugin?

  7. shacker
    Member
    Posted 16 years ago #

    @andrewbillits - I'm not saying a plugin is a hack, but that modifying files is a hack. Most of the recommendations on this forum for handling this problem refer to modifying files. And yes, my suggestion requires replacing a file rather than modifying, so that's also a hack ... but less of one.

    If I could find a plugin to handle this situation correctly, I'd use it, but nothing I tried what I wanted (one plugin to allow embed, another plugin to allow iframe, etc. etc.) If there was a plugin that would simply give MU the same posting freedom of regular MU, I'd be all over it! Can you point me to one?

  8. taiwanese
    Member
    Posted 16 years ago #

    you don't need to modify any file.
    Just as andrewbillits said, created a file in mu-plugin like

    function more_tags(&$content) {
    $content += array(
    'iframe' => array(
    'width' => array(),
    'height' => array(),
    'frameborder' => array(),
    'src' => array(),
    'frameborder' => array(),
    'marginwidth' => array(),
    'marginheight' => array(),
    )
    );
    }
    return $content;
    }
    add_filter('edit_allowedposttags', 'more_tags');
    ?>

    The above is for iframe, modify to suit your needs

  9. shacker
    Member
    Posted 16 years ago #

    Taiwanese - ah... great tip, thanks! Wonder why this kind of thing isn't a simple option in the WPMU admin - seems like it would be a very common request. Or, failing that, wonder why there isn't a standard plugin for controlling allowed tags. But I can handle creating a plugin per your example easily enough. Thanks.

  10. andrea_r
    Moderator
    Posted 16 years ago #

    It's been deemed a security risk and won't be in the code. people are welcome ot make plugins for it though, with plenty of warnings. :D

  11. nkorde
    Member
    Posted 16 years ago #

    Hi taiwanese,
    Can u put a complete version of your code for iframe. I don't know php. But i notice a stray ?> at the end. Wondering if you could specify all the details for novice admins :)

  12. jdub
    Member
    Posted 16 years ago #

    How about using the Unfiltered MU plugin?

  13. andrea_r
    Moderator
    Posted 16 years ago #

    There is a hook in the kses file if you want to create a plugin to plunk in allowed tags.

About this Topic

  • Started 16 years ago by shacker
  • Latest reply from andrea_r