WiscWeb - WordPress UW Theme - WiscWeb Embed Code Policy

The following document outlines WiscWeb's current policy regarding embedded code use.

Important Note About Terminology

This document uses some terminology that may not be familiar to all readers. If there are any terms you do not recognize, please refer to our Terminology doc for more information.

As of 2019, WiscWeb sites will not inherit the ability to embed code or inline HTML for display in a Text Block. This decision was made to align our service more closely with WordPress standards for security.

The current WiscWeb policy is that new sites will not have the ability to embed content in the WYSIWYG. This is to protect the entire multi-site network from XSS attacks that could break pages or sites.

Background

In WordPress multi-site networks, like the one we use for WiscWeb, only the SuperAdmin role is able to include unfiltered HTML. This was a change that WordPress rolled out in version 2.0 to prevent users from posting malicious or poorly formatted code. WiscWeb did not initially inherit this change because our pages are built using ACF page builder technology. ACF did not align with this standard until version 5.7.9.

ACF was updated (to version 5.7.9) in the UW Theme in January 2019. At that time, the unfiltered HTML rule that was already in place for WordPress was unknowingly introduced to all WiscWeb sites. It prevented the use of embed code in the WYSIWYG for all roles other than SuperAdmins. As only WiscWeb staff are designated as SuperAdmins, this meant that all other users lost this capability at that time.

To accommodate sites that had previously always had this option available, WiscWeb implemented a short-term fix via a custom plugin. This plugin allowed for the use of embed code in the WYSIWYG for site IDs that were created before the change. Sites created after this update do not inherit the ability to embed content in the WYSIWYG.

Current Behavior

If users try to include embed code in the Text Block of their WiscWeb site, it will be stripped upon Publish or Update. Users will not be able to use the following tags in the text area of their pages:

  • <iframe>
  • <embed>
  • <style>
  • <span>
  • <input>
  • <script>

Options for Embedding

If WiscWeb users need to embed content, there are currently a couple of options. These options are outlined in WiscWeb - WordPress UW Theme - Embed Options.

Tips

  • If there isn't another option available for including your outside source content in your site, we recommend linking out to the content. The users will still be able to get to it and it's an easy workaround. 

Keywords: embed, iframe, script, style, embed, embedded, social media, HTML, unfiltered, input
Doc ID: 96764
Owner: Jenna K.
Group: WiscWeb CMS
Created: 2019-12-20 12:54 CDT
Updated: 2021-10-11 11:07 CDT
Sites: DoIT Help Desk, WiscWeb CMS