
Custom HTML Block Preview doesn't respect unfiltered_html capability #38212

Status: Open
MadtownLems opened this issue Jan 25, 2022 · 2 comments
Labels: [Block] HTML (Affects the HTML Block), Needs Technical Feedback (Needs testing from a developer perspective), [Type] Bug (An existing feature does not function as intended)

Comments


MadtownLems commented Jan 25, 2022

Description

When a user lacks the unfiltered_html capability, they cannot use tags such as 'iframe' in their posts. A very common situation where users lack unfiltered_html is anyone but Network Administrators in a MultiSite.

However, when using a Custom HTML block, these users can still have their unfiltered HTML rendered in the Preview of the block. This is, at a minimum, a poor User Experience situation because the Block Preview shows something that the front end simply won't. (It likely has security concerns as well.)

Note that while simply only rendering the filtered HTML would be an improvement, I think an even better approach would be displaying a warning alongside the preview that indicates that some content has been removed or modified.

Step-by-step reproduction instructions

  1. Be a user without 'unfiltered_html' capability. (Once again, the easiest way is probably to be anything but a Network Administrator in multisite)
  2. Add a Custom HTML block to a page or post.
  3. Add iframe markup to the Custom HTML block.
  4. Switch the block to Preview mode, and see that the iframe is rendered.

Screenshots, screen recording, code snippet

[Screenshot: 2022-01-25 09_49_13-Window]

Environment info

5.8.3 MultiSite (no Gutenberg plugin installed)

Please confirm that you have searched existing issues in the repo.

Yes

Please confirm that you have tested with all plugins deactivated except Gutenberg.

Yes

annezazu added the labels [Block] HTML, [Type] Bug and Needs Technical Feedback on Feb 9, 2022

bobbingwide (Contributor) commented:

This issue was accidentally reproduced by members of WordPress Portsmouth and Brighton meetup groups while attempting to debug a problem where the iframe disappeared when edited by a normal Administrator but remained when edited by a Super Admin.

Reproduced in 6.1-RC2

andreawetzel commented:

I can confirm this is still an issue on 6.5.2. It would be great if wp_kses is run at time of preview for the Custom HTML block. When a site user who doesn't have unfiltered_html capabilities adds HTML that will be filtered, they don't know that it will be removed until they preview the page or refresh the editor.
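The filter-then-warn behaviour proposed in the issue description and in the comment above, as an added example that is not Gutenberg or WordPress code: a JavaScript model of a preview step that runs the block's HTML through a tag allowlist (standing in for wp_kses and the post-context allowed_html table, which is assumed here as a small constructed subset that omits iframe, as it is for users without unfiltered_html) and returns the elements that were dropped so the editor can show a notice next to the preview. The names filterForPreview, previewNotice, ALLOWED_TAGS and DROP_CONTENT_TAGS are this example's own.

```javascript
// Added example: a model of "preview what the server will actually keep".
// Not Gutenberg code. Real WordPress filtering is done server-side by wp_kses,
// which also validates attributes and protocols; this model only decides on
// tag names, which is enough to show the "content was removed" notice idea.

// Constructed allowlist: a small subset of the post-context allowed_html table.
// 'iframe' is deliberately absent, as it is for users lacking unfiltered_html.
const ALLOWED_TAGS = new Set([
  'a', 'p', 'br', 'strong', 'em', 'ul', 'ol', 'li', 'img',
  'div', 'span', 'h1', 'h2', 'h3', 'blockquote',
]);

// Disallowed elements whose inner content is not text the reader should see;
// drop everything up to the matching closing tag, not just the tags themselves.
const DROP_CONTENT_TAGS = new Set(['script', 'style', 'iframe', 'object', 'embed']);

// Returns { html, removed } where `removed` maps each dropped element name to
// how many opening occurrences were stripped.
function filterForPreview(html, allowed = ALLOWED_TAGS) {
  // Matches an opening or closing tag; attribute values containing '>' are
  // not handled, which is one reason a real sanitizer tokenizes properly.
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9-]*)[^>]*>/g;
  const removed = new Map();
  let out = '';
  let last = 0;          // index of the first character not yet copied
  let skipUntil = null;  // name of the closing tag we are discarding towards
  let m;

  while ((m = tagRe.exec(html)) !== null) {
    const name = m[1].toLowerCase();
    const isClosing = m[0][1] === '/';

    if (skipUntil !== null) {
      // Inside a dropped-content element: discard until its closing tag.
      if (isClosing && name === skipUntil) {
        skipUntil = null;
        last = tagRe.lastIndex;
      }
      continue;
    }

    out += html.slice(last, m.index); // text between tags is kept
    last = tagRe.lastIndex;

    if (allowed.has(name)) {
      out += m[0];
      continue;
    }

    if (!isClosing) {
      removed.set(name, (removed.get(name) || 0) + 1);
      const selfClosing = m[0].endsWith('/>');
      if (DROP_CONTENT_TAGS.has(name) && !selfClosing) skipUntil = name;
    }
  }

  // Trailing text after the last tag, unless an unclosed dropped element ate it.
  if (skipUntil === null) out += html.slice(last);

  return { html: out, removed: Object.fromEntries(removed) };
}

// Builds the notice the reporter asked for: null when nothing was changed.
function previewNotice(result) {
  const names = Object.keys(result.removed);
  if (names.length === 0) return null;
  return `Preview shows filtered content: ${names.join(', ')} element(s) were removed ` +
    'because your account lacks the unfiltered_html capability; they will not appear on the front end.';
}

// Constructed sample input resembling the report's reproduction steps.
const sample = '<p>Intro</p><iframe src="https://example.com/embed"></iframe><p>Outro</p>';
const result = filterForPreview(sample);
console.log(result.html);           // <p>Intro</p><p>Outro</p>
console.log(previewNotice(result)); // notice naming "iframe"
```

The editor would render `result.html` in the preview and show `previewNotice(result)` beside it, so that the mismatch the issue describes (iframe visible in preview, gone on the front end) is surfaced at edit time rather than discovered after publishing.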
