I have a client who is trying to inject some JS directly into a post using the web interface. The script is stripped out on the live site.
I am unable to replicate this behavior on a local installation. The JS is added as expected.
The main difference between my installation and the client’s is that my installation is a fresh WP3 installation, whereas the client’s is WP3 upgraded from WP2.
Is this a configuration option or a legacy issue? Is there some other reason why this might be happening?
Rich
If I am not mistaken about the issue – that is controlled by unfiltered_html capability. Only available to Editor role and higher by default.

At least in my installation, Admin and Editors are able to inject script into their posts. Authors are not able to.
Author content is parsed using a plugin called KSES, which strips out disallowed HTML.
The KSES plugin can be overridden or extended, which I have done by hacking a community plugin called Extend KSES (http://wordpress.org/extend/plugins/extend-kses/).
Not too keen on the idea of allowing script injection, so the client should be made aware of the dangers.
Rich
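
To compare two installations on the point discussed in this thread, the following read-only audit lists which roles and users hold unfiltered_html. It is an added example, not code from any poster above; it assumes WordPress 4.4 or later with WP-CLI available, and the file name is hypothetical.

```php
<?php
// Added example. Run inside WordPress on each site and compare the output, e.g.:
//   wp eval-file audit-unfiltered-html.php   (hypothetical file name)
// Read-only: it reports settings and changes nothing.

// 1. Site-wide switches that override whatever the role table says.
$disallowed = defined( 'DISALLOW_UNFILTERED_HTML' ) && DISALLOW_UNFILTERED_HTML;
echo 'DISALLOW_UNFILTERED_HTML: ' . ( $disallowed ? 'set' : 'not set' ) . "\n";
echo 'Multisite: ' . ( is_multisite() ? 'yes (only super admins keep unfiltered_html)' : 'no' ) . "\n\n";

// 2. Roles that carry the capability in this installation's stored role table.
//    An upgraded site can differ from a fresh one here.
$roles_with_cap = array();
foreach ( wp_roles()->role_objects as $slug => $role ) {
	$has = $role->has_cap( 'unfiltered_html' );
	printf( "%-15s %s\n", $slug, $has ? 'unfiltered_html' : 'filtered by KSES' );
	if ( $has ) {
		$roles_with_cap[] = $slug;
	}
}

// 3. Effective result per user, after the switches in step 1 are applied.
if ( $roles_with_cap ) {
	echo "\nUsers in roles that carry unfiltered_html:\n";
	foreach ( get_users( array( 'role__in' => $roles_with_cap ) ) as $user ) {
		printf(
			"%-20s roles=%-20s effective=%s\n",
			$user->user_login,
			implode( ',', $user->roles ),
			user_can( $user, 'unfiltered_html' ) ? 'yes' : 'no'
		);
	}
}
```

Every account reported with effective=yes can save script into posts, so the list is also the set of accounts whose compromise leads to stored script on the site.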