• Resolved trenchy

    (@trenchy)


    Hello,

    We recently upgraded our multisite instance of WordPress to 5.9.6 and Smart Slider to 3.5.1.14. Previously site level admins could use the plugin; now they get the following message:

    “Smart Slider allows you to place many things on your slider, so only users with the unfiltered_html capability can have access to it. You do not have this capability and only the administrator of your website can grant it to you.”

    And it appears that only superadmins can now edit slides. I understand, via the link, that the plugin is now restricted only to users with “unfiltered-html” capabilities. We really don’t want regular site admins to have that capability but they should be able to use Smart Slider. There’s no need for them to embed CSS or JavaScript into their slides. Is there a workaround? We have a number of site admins yelling at us now.

    Thanks,

    David

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Support Laszlo

    (@laszloszalvak)

    Hi @trenchy

    This is a security improvement:

    since, as we mention in that warning, users can add HTML, CSS and JavaScript via the slider at various places.

    So if you don’t trust your regular site admins enough to give them the capability to add such data to your site, then you shouldn’t allow them to edit Smart Slider 3 sliders either, because of the reasons I mentioned above.
    Otherwise you should grant them the mentioned “unfiltered-html” capability, since if they could edit sliders they could already add HTML, CSS and JavaScript, too, so it doesn’t really matter.

    By the way, version 3.5.1.14 is quite outdated. Currently the version number of our latest release is 3.5.1.18, so don’t forget to update.

    Best regards,
    Laszlo.

    Thread Starter trenchy

    (@trenchy)

    Hi Laszlo,

    Thanks for the prompt reply. Other plugins will use WordPress’s ability to strip out JavaScript from content that is entered into them, allowing us to ensure that nothing malicious can happen, even by accident. Why not Smart Slider?

    But are you also saying that prior to you adding the requirement that a user had the unfiltered-html capability, Smart Slider didn’t sanitize content?

    Thanks!

    David

    Plugin Support Laszlo

    (@laszloszalvak)

    Hi @trenchy

    We also sanitize the data and always did, but with the recent updates we started sanitizing even more fields to not accept JavaScript. However, there are still some fields which are built with the purpose to accept HTML, CSS and JavaScript.

    E.g. just one of them: if you go to the Developer tab you can find the “JavaScript callbacks” setting:

    but there are some others, too. And we cannot really remove complete features from the slider just because you don’t have the necessary permissions, as some parts could become completely unusable.

    And just to clarify, in my previous reply by “user” I meant a user that has the necessary permission to edit Smart Slider 3 sliders. So yes, before we introduced this limitation, your multisite administrators could add custom JavaScript code to the pages where they published their sliders.

    So once again, if you don’t trust your administrators enough, then you shouldn’t allow them to edit your Smart Slider 3 sliders either, I am sorry.

  • The topic ‘Multisite site admin can no longer use Smart Slider?’ is closed to new replies.