[wp-hackers] iframe question

Scot Hacker shacker at birdhouse.org
Thu Jan 29 02:11:47 GMT 2009

I've got a lot of users on a lot of blogs going through "Why is my  
google map not working?" problem when using the visual editor. These  
are users for whom disabling the visual editor permanently is not a  
realistic option.

I understand that iframes are considered insecure. And yet if you turn  
off the visual editor, you can insert iframes into posts without  
trouble, because iframes are disabled at the tinymce layer, not at the  
wordpress layer. If you edit tiny_mce_config.php, you can enable  
iframe support in tinymce too, apparently without causing formatting  

So apparently WP itself doesn't take the insecurity of iframes  
seriously, since it allows an easy workaround. And it seems like  
tinymce doesn't have an inherent formatting problem with iframes,  
since you can work around that too.

So why are iframes disabled by default in tinymce? For now I'm editing  
a lot of tiny_mce_config.php files, but don't like hacking core all  
over the place. Can't this option just be made into a setting on the  
Writing or Misc settings pages?


More information about the wp-hackers mailing list