[wp-trac] [WordPress Trac] #58610: Allow Custom CSS to Site Admins in Multisite

WordPress Trac noreply at wordpress.org
Sat Jun 24 06:59:07 UTC 2023


#58610: Allow Custom CSS to Site Admins in Multisite
-------------------------+-------------------------------------------------
 Reporter:  anrghg       |       Owner:  (none)
     Type:  feature      |      Status:  new
  request                |
 Priority:  normal       |   Milestone:  Awaiting Review
Component:  Customize    |     Version:
 Severity:  major        |  Resolution:
 Keywords:               |     Focuses:  ui, css, administration, multisite
-------------------------+-------------------------------------------------

Comment (by anrghg):

 I’ve tried to test the first Custom CSS editor in WordPress 4.7, but it
 broke my site and required a fresh install. From the **Multisite Custom
 CSS** plugin’s documentation written up by then I infer that CSS was not
 filtered back then. The current front-end CSS validation is effective
 since the Custom CSS editor does not work when JavaScript is turned off,
 and therefore it cannot save anything to the database unless it can check
 for interspersed HTML thanks to its JavaScript-driven front-end validator.

 I think that if WordPress keeps denying Custom CSS access to site admins
 in multisite, this is only with respect to the existing plugin. Thanks a
 lot @lenasterg for the advice to overcome this outdated policy by adding
 an option to the Network Settings, perhaps like this:

  **Theme Customizer Settings**
  **Custom CSS**   ☐ Allow site admins to add CSS to their site

 Indeed the initially suggested solution would open a security hole since
 it would affect KSES filters as well, and the cited code is fine as-is:
 {{{#!php
 <?php
 case 'unfiltered_html':
         // Disallow unfiltered_html for all users, even admins and super admins.
         if ( defined( 'DISALLOW_UNFILTERED_HTML' ) && DISALLOW_UNFILTERED_HTML ) {
                 $caps[] = 'do_not_allow';
         } elseif ( is_multisite() && ! is_super_admin( $user_id ) ) {
                 $caps[] = 'do_not_allow';
         } else {
                 $caps[] = 'unfiltered_html';
         }
         break;
 }}}

 So I’ll definitely advise installing the **Multisite Custom CSS** plugin
 until the setting is added to Core.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/58610#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
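
Added example, not part of the original message and not code from WordPress core or from the Multisite Custom CSS plugin: one way a network-level opt-in could grant Custom CSS to site admins through the `map_meta_cap` filter while leaving the quoted `unfiltered_html` mapping, and with it KSES filtering, untouched. It assumes the Customizer's Custom CSS setting is gated by the `edit_css` meta capability; the option name `example_allow_site_admin_css` and the function name are hypothetical.

```php
<?php
/**
 * Added example (must-use plugin sketch), not core or plugin code.
 * Hypothetical network option: 'example_allow_site_admin_css'.
 */
add_filter( 'map_meta_cap', 'example_map_edit_css', 10, 4 );

function example_map_edit_css( $caps, $cap, $user_id, $args ) {
	// Only remap the Custom CSS capability. 'unfiltered_html' keeps
	// core's mapping, so post content is still filtered by KSES.
	if ( 'edit_css' !== $cap ) {
		return $caps;
	}

	// Conservative choice: keep honouring the global kill switch.
	if ( defined( 'DISALLOW_UNFILTERED_HTML' ) && DISALLOW_UNFILTERED_HTML ) {
		return $caps;
	}

	// Single-site installs and super admins keep core's decision.
	if ( ! is_multisite() || is_super_admin( $user_id ) ) {
		return $caps;
	}

	// Network-wide opt-in, off by default (the proposed checkbox).
	if ( ! get_site_option( 'example_allow_site_admin_css', false ) ) {
		return $caps;
	}

	// Replace 'do_not_allow' with the primitive capability that already
	// gates the Customizer, so only users who can edit theme options on
	// this site gain access to Custom CSS.
	return array( 'edit_theme_options' );
}
```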

