[wp-hackers] iframe question

Casey Bisson casey.bisson at gmail.com
Thu Jan 29 03:47:01 GMT 2009

WP takes it more seriously than you suggest. Iframes are filtered by  
kses even when TinyMCE is disabled, but only for those who don't have  
the unfiltered_html capability attached to their role (which means  
admins can add iframes but authors can't, by default).




On Jan 28, 2009, at 9:11 PM, Scot Hacker wrote:

> I've got a lot of users on a lot of blogs going through "Why is my  
> google map not working?" problem when using the visual editor. These  
> are users for whom disabling the visual editor permanently is not a  
> realistic option.
> I understand that iframes are considered insecure. And yet if you  
> turn off the visual editor, you can insert iframes into posts  
> without trouble, because iframes are disabled at the tinymce layer,  
> not at the wordpress layer. If you edit tiny_mce_config.php, you can  
> enable iframe support in tinymce too, apparently without causing  
> formatting problems.
> So apparently WP itself doesn't take the insecurity of iframes  
> seriously, since it allows an easy workaround. And it seems like  
> tinymce doesn't have an inherent formatting problem with iframes,  
> since you can work around that too.
> So why are iframes disabled by default in tinymce? For now I'm  
> editing a lot of tiny_mce_config.php files, but don't like hacking  
> core all over the place. Can't this option just be made into a  
> setting on the Writing or Misc settings pages?
> Thanks,
> Scot
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers

More information about the wp-hackers mailing list