I recently received complaints from WordPress multisite users about not being able to embed iframes for Google calendars. Upon testing, I found nothing wrong–embeds worked absolutely fine.
My users kept insisting they disappeared, though, and could prove it with screenshots.
Nothing was off about their browsers. Nothing strange was happening with plugins. They’d just create a Custom HTML block, and then paste a totally normal <iframe> embed in, like so:
<iframe src="https://www.youtube.com/embed/dQw4w9WgXcQ" title="YouTube video player" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen="" width="560" height="315" frameborder="0"></iframe>
As soon as they clicked publish and left the page, poof! Gone.
It seems this was a change in security policy in Gutenberg. I’m not sure when this change happened, but if one of your multisite users (even an administrator!) wants to place iframes or a <script> tag into a Custom HTML block, WordPress will simply delete it.
This isn’t hard to change, luckily. You just need to add a filter to wp_kses_allowed_html. The best way to do this would be with a plugin. It would look like this:
<?php
/*
Plugin Name: Allow iframe Tags in Editor
Description: Allows use of iframe tags in Custom HTML block for non-super-admins.
Author: Joshua Woehlke
*/
function allow_iframes( $allowedposttags ){
$allowedposttags['iframe'] = array(
'align' => true,
'allow' => true,
'allowfullscreen' => true,
'class' => true,
'frameborder' => true,
'height' => true,
'id' => true,
'marginheight' => true,
'marginwidth' => true,
'name' => true,
'scrolling' => true,
'src' => true,
'style' => true,
'width' => true,
'allowFullScreen' => true,
'class' => true,
'frameborder' => true,
'height' => true,
'mozallowfullscreen' => true,
'src' => true,
'title' => true,
'webkitAllowFullScreen' => true,
'width' => true
);
return $allowedposttags;
}
add_filter( 'wp_kses_allowed_html', allow_iframes, 1 );
?>
If you want <script> tags available, you’d do the same thing for $allowedposttags['script'] within that same filter.
I won’t be uploading this to the official WP plugin directory because, per the developer expectations, all code “should be made as secure as possible.” I understand this can be interpreted in different ways, but we’re literally removing a security feature WordPress chose to implement, so…
You can clone this from github into your plugins folder, or download the .zip.
