What is the unfiltered_html permission in WordPress?

“unfiltered_html” is a capability in WordPress that controls whether a user can publish raw HTML. Users who don’t have it are prevented from using tags such as <iframe> and <embed>, as well as more advanced code such as JavaScript.

unfiltered_html could be very dangerous in the wrong hands, so please don’t give this permission to any users you don’t trust. WordPress has disabled this permission for most users because they rarely need it. For example, if you need to use embeds that WordPress doesn’t support, look around for plugins such as EmbedPress.

How does the unfiltered_html permission work?

Let’s see unfiltered_html in action. In the post below, I’ve created a Paragraph block:

In the block settings, I click the “Edit as HTML” option:

Edit as HTML option for Gutenberg blocks

Now in the HTML version of the block, I enter the HTML code for an iframe:

Trying to use iframe in an HTML block in WordPress

When I try to save this post, or edit the block visually, WordPress will complain with the message: “This block contains unexpected or invalid content.”

This block contains unexpected or invalid content.

If you click “Resolve”, WordPress will try to convert the code to something safer. However, the code shown below in the “After Conversion” area will not work:

resolve unexpected or invalid content in WordPress

How to give users the unfiltered_html permission

If you use the Capability Manager Enhanced plugin, you can enable or disable this permission for each user role.

The Capability Manager Enhanced plugin for WordPress
  • Go to Permissions > Role Capabilities in your WordPress admin area.
  • In the top-right corner of the screen, load the user role that you want to customize. In the image below, I’ve chosen the “Editor” role:
Choose the Editor role in WordPress

In the center of the screen, you can now set the permissions. If you want to allow people in the Editor role to publish unfiltered HTML in their posts, check the “unfiltered html” box. Click the blue “Save Changes” button to finish.

Giving the unfiltered html permission in WordPress

If you want to set these permissions across a multisite network, follow these instructions. On WordPress multisite networks, only Super Admins have the unfiltered_html permission.

Finally, it’s worth noting that I gave the example for unfiltered_html in a Post, but the permission also works inside other post types, plus comments and widgets.

The technical details behind unfiltered_html

The unfiltered_html permission works by running your code through the wp_kses function: when the user saving the content lacks the capability, WordPress filters the content with wp_kses, which strips any tags and attributes that aren’t on its allow-list. I found this to be a good guide to wp_kses.
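As an added example (not code from the article or from WordPress itself), the small plugin below lists which roles currently carry unfiltered_html, removes it from every role except administrator when the plugin is activated, and shows what wp_kses_post() does to the iframe from the post above. The example_ function names are mine; the WordPress calls (wp_roles, has_cap, remove_cap, wp_kses_post, DISALLOW_UNFILTERED_HTML) are real core APIs.

```php
<?php
/**
 * Plugin Name: Audit unfiltered_html (added example)
 * Description: Report and restrict the unfiltered_html capability.
 */

// Return the names of every role that grants unfiltered_html, so an
// unexpected grant (e.g. one left behind by a capability plugin) is visible.
function example_roles_with_unfiltered_html() {
    $roles = array();
    foreach ( wp_roles()->role_objects as $name => $role ) {
        if ( $role->has_cap( 'unfiltered_html' ) ) {
            $roles[] = $name;
        }
    }
    return $roles;
}

// Strip the capability from every role except administrator. Role changes
// are persisted to the database, so this only needs to run once.
// (To disable unfiltered_html for everyone, including administrators,
// core supports define( 'DISALLOW_UNFILTERED_HTML', true ); in wp-config.php.)
function example_restrict_unfiltered_html() {
    foreach ( wp_roles()->role_objects as $name => $role ) {
        if ( 'administrator' !== $name && $role->has_cap( 'unfiltered_html' ) ) {
            $role->remove_cap( 'unfiltered_html' );
        }
    }
}
register_activation_hook( __FILE__, 'example_restrict_unfiltered_html' );

// Show administrators the audit result and a kses demonstration.
add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    // Constructed input: the kind of iframe the article tried to save.
    $html = '<p>Hello</p><iframe src="https://example.com/"></iframe>';
    // This is what a user WITHOUT unfiltered_html ends up with: the iframe
    // is not on the allow-list for post content, so only <p>Hello</p> survives.
    $filtered = wp_kses_post( $html );
    printf(
        '<div class="notice notice-info"><p>Roles with unfiltered_html: %s</p><p>wp_kses_post() output: <code>%s</code></p></div>',
        esc_html( implode( ', ', example_roles_with_unfiltered_html() ) ),
        esc_html( $filtered )
    );
} );
```

On a multisite network the capability is already denied to everyone except Super Admins, so the activation hook is only meaningful on single-site installs.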
