Allow editor to use IFRAME code only but disable javascript code?

  • Resolved zearth

    (@zearth)


    3 months, 3 weeks ago

    Hi guys, Is there a way to implement this rule where user allowed only to use IFRAME (for embeds) but disable/strip javascript codes? when I enable this in the capabilities it also allow to use javascript codes.

    TIA

    • This topic was modified 3 months, 3 weeks ago by zearth.
    • This topic was modified 3 months, 3 weeks ago by zearth.
Viewing 3 replies - 1 through 3 (of 3 total)

  • Hi @zearth,

    Can you provide more context please ? If you are talking about embed block, it only take a valid url as argument. Are you talking about the script inside the iframe generated by embed block ? If it that you will have to add filter on embed block to add an attribute sandbox to the iframe

    Thread Starter zearth

    (@zearth)

    I want our editors to be able to embed <iframe> code only in the post editor. We don’t want them to post some javascript codes like <script>codes</script>. In this way the content being push to the frontend will allow them only to use iframe and no javascript embed codes in the editor content.

    Thread Starter zearth

    (@zearth)

    I found alternative solution, here is my temp solution to prevent javascript code insert from non administrator.

    function filterjs( $data, $postarr, $unsanitized_postarr){

    global $current_user;

    $roleko = $current_user->roles[0];

    if($roleko == 'administrator') {

    } else {

    $postcontent = $data['post_content'];

    $postcontent = str_replace('<script','&lt;script',$postcontent );

    $postcontent = str_replace('</script>','&lt;/script&gt;',$postcontent );

    $data['post_content'] = ?$postcontent ;

    }

    return $data;

    }

    add_filter( 'wp_insert_post_data', 'filterjs',10,3);
Viewing 3 replies - 1 through 3 (of 3 total)
  • You must be logged in to reply to this topic.