How to Use unfiltered_html on WordPress Multisite Networks

WordPress multisite networks don't always follow the same rules as regular WordPress sites. User roles and capabilities are very different on multisite networks.

One significant difference is the behavior of the unfiltered_html capability. This is a security feature in WordPress: users without the capability cannot use tags such as <iframe> and <embed>, or more advanced code such as JavaScript.

On a Multisite network, only users in the Super Admin role have this unfiltered_html capability. This can create a lot of issues for users who need to add or edit any content with iframes or embeds.

If you're a developer, this happens because WordPress has a global override in the map_meta_cap() function in the wp-includes/capabilities.php file. On a multisite install, it ignores the unfiltered_html capability if the user is not a Super Admin.

The code is on line 425 of the wp-includes/capabilities.php file.

Here are two ways you can solve the problem. Both of these are code snippets that you can add to your theme's functions.php file:

// Remove KSES if user has unfiltered_html cap
function umc_custom_kses_init() {
    if ( current_user_can( 'unfiltered_html' ) ) {
        kses_remove_filters();
    }
}
add_action( 'init', 'umc_custom_kses_init', 11 );
add_action( 'set_current_user', 'umc_custom_kses_init', 11 );

This code snippet will also work:

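// Restore unfiltered_html for users whose role grants it
function multisite_restore_unfiltered_html( $caps, $cap, $user_id, $args ) {
    if ( 'unfiltered_html' !== $cap ) {
        return $caps;
    }

    // Read the role-granted caps directly. Calling user_can( $user_id, 'unfiltered_html' )
    // here would run map_meta_cap again and re-enter this filter without end.
    $user = get_userdata( $user_id );
    if ( $user && ! empty( $user->allcaps['unfiltered_html'] ) ) {
        $caps = array( 'unfiltered_html' );
    }

    return $caps;
}
add_filter( 'map_meta_cap', 'multisite_restore_unfiltered_html', 1, 4 );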
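
A narrower variant of the map_meta_cap filter, added here as an example and not part of the original post: it restores unfiltered_html only on listed sites and for listed roles, and leaves the DISALLOW_UNFILTERED_HTML constant in force. The function name, the two constants, and the site IDs and role list in them are hypothetical and must be adapted to your network.

```php
<?php
// Added example (not from the original post). Load it the same way as the
// snippets above.

// Assumption: constructed allowlists. Replace with the site IDs and roles
// you actually trust to publish raw HTML and scripts.
const UMC_TRUSTED_SITE_IDS = array( 2, 5 );
const UMC_TRUSTED_ROLES    = array( 'administrator' );

function umc_scoped_unfiltered_html( $caps, $cap, $user_id ) {
    // Only touch the one capability, and only on multisite.
    if ( 'unfiltered_html' !== $cap || ! is_multisite() ) {
        return $caps;
    }

    // Respect the hard off-switch: core maps the capability to
    // 'do_not_allow' when this constant is set, so keep that result.
    if ( defined( 'DISALLOW_UNFILTERED_HTML' ) && DISALLOW_UNFILTERED_HTML ) {
        return $caps;
    }

    // Scope by site: everywhere else the core restriction stays in place.
    if ( ! in_array( get_current_blog_id(), UMC_TRUSTED_SITE_IDS, true ) ) {
        return $caps;
    }

    // Scope by role. Roles are read from the user object rather than via
    // user_can( ..., 'unfiltered_html' ), which would re-enter this filter.
    $user = get_userdata( $user_id );
    if ( ! $user || ! array_intersect( UMC_TRUSTED_ROLES, (array) $user->roles ) ) {
        return $caps;
    }

    // Map the check back to the primitive capability, so the user's role
    // must still grant unfiltered_html for the check to pass.
    return array( 'unfiltered_html' );
}
add_filter( 'map_meta_cap', 'umc_scoped_unfiltered_html', 1, 3 );
```

Users outside the allowlists keep the default multisite behavior, so their content is still filtered on save.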
