[wp-hackers] iframe question
Casey Bisson
casey.bisson at gmail.com
Thu Jan 29 03:47:01 GMT 2009
WP takes it more seriously than you suggest. Iframes are filtered by
kses even when TinyMCE is disabled, but only for those who don't have
the unfiltered_html capability attached to their role (which means
admins can add iframes but authors can't, by default).
http://trac.wordpress.org/browser/trunk/wp-includes/kses.php#L44
http://codex.wordpress.org/Roles_and_Capabilities#unfiltered_html
--Casey
http://maisonbisson.com
http://about.scriblio.net
On Jan 28, 2009, at 9:11 PM, Scot Hacker wrote:
> I've got a lot of users on a lot of blogs going through "Why is my
> google map not working?" problem when using the visual editor. These
> are users for whom disabling the visual editor permanently is not a
> realistic option.
>
> I understand that iframes are considered insecure. And yet if you
> turn off the visual editor, you can insert iframes into posts
> without trouble, because iframes are disabled at the tinymce layer,
> not at the wordpress layer. If you edit tiny_mce_config.php, you can
> enable iframe support in tinymce too, apparently without causing
> formatting problems.
>
> So apparently WP itself doesn't take the insecurity of iframes
> seriously, since it allows an easy workaround. And it seems like
> tinymce doesn't have an inherent formatting problem with iframes,
> since you can work around that too.
>
> So why are iframes disabled by default in tinymce? For now I'm
> editing a lot of tiny_mce_config.php files, but don't like hacking
> core all over the place. Can't this option just be made into a
> setting on the Writing or Misc settings pages?
>
> Thanks,
> Scot
>
>
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
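The kses behaviour described in the reply, as an added example that is not part of the original thread or of WordPress core: a small plugin that lets kses keep iframes in post content for users without unfiltered_html, but only for https URLs on an allowlisted host, without editing core files. The function names and the host list are assumptions made for this example, and the `wp_kses_allowed_html` filter it relies on comes from WordPress releases later than this 2009 thread; users who hold unfiltered_html bypass kses on save, so these hooks do not run for their posts.

```php
<?php
// Illustrative plugin, not WordPress core code. Function names and the host
// list are assumptions made for this example.
const EXAMPLE_IFRAME_HOSTS = array( 'maps.google.com', 'www.google.com' );

// 1. Let kses keep <iframe> in post content, with a minimal attribute set.
add_filter( 'wp_kses_allowed_html', 'example_allow_iframe', 10, 2 );
function example_allow_iframe( $tags, $context ) {
	if ( 'post' === $context ) {
		$tags['iframe'] = array( 'src' => true, 'width' => true, 'height' => true );
	}
	return $tags;
}

// 2. Before kses parses the markup, rewrite every iframe element. Each one is
//    either rebuilt from validated values or removed, so nothing else from the
//    submitted tag (duplicate attributes, event handlers) is passed through.
add_filter( 'pre_kses', 'example_rewrite_iframes' );
function example_rewrite_iframes( $content ) {
	$pattern = '#<iframe\b([^>]*)>(?:.*?</iframe\s*>)?#is';
	$out     = preg_replace_callback( $pattern, 'example_rebuild_iframe', $content );
	return is_string( $out ) ? $out : ''; // regex failure: fail closed
}

function example_rebuild_iframe( $m ) {
	// Only a quoted src is accepted; anything else drops the element.
	if ( ! preg_match( '#(?:^|\s)src\s*=\s*(["\'])(.*?)\1#is', $m[1], $src ) ) {
		return '';
	}
	$raw = html_entity_decode( $src[2], ENT_QUOTES );
	$url = parse_url( $raw );
	// Reject userinfo, backslashes and control characters, which URL parsers
	// interpret differently, then require https on an allowlisted host.
	if ( ! is_array( $url ) || isset( $url['user'] ) || preg_match( '#[\\\\\x00-\x20]#', $raw )
		|| ! isset( $url['scheme'], $url['host'] ) || 'https' !== strtolower( $url['scheme'] )
		|| ! in_array( strtolower( $url['host'] ), EXAMPLE_IFRAME_HOSTS, true ) ) {
		return '';
	}
	$size = '';
	foreach ( array( 'width', 'height' ) as $attr ) {
		$re = '#\s' . $attr . '\s*=\s*["\']?(\d{1,4}%?)(?=["\'\s]|$)#i';
		if ( preg_match( $re, $m[1], $n ) ) {
			$size .= ' ' . $attr . '="' . $n[1] . '"';
		}
	}
	return '<iframe src="' . esc_url( $raw ) . '"' . $size . '></iframe>';
}
```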