[wp-trac] [WordPress Trac] #58610: Allow Custom CSS to Site Admins in Multisite
WordPress Trac
noreply at wordpress.org
Sat Jun 24 06:59:07 UTC 2023
#58610: Allow Custom CSS to Site Admins in Multisite
-------------------------+-------------------------------------------------
Reporter: anrghg | Owner: (none)
Type: feature request | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Customize | Version:
Severity: major | Resolution:
Keywords: | Focuses: ui, css, administration, multisite
-------------------------+-------------------------------------------------
Comment (by anrghg):

I’ve tried to test the first Custom CSS editor in WordPress 4.7, but it
broke my site and required a fresh install. From the **Multisite Custom
CSS** plugin’s documentation written up by then I infer that CSS was not
filtered back then. The current front-end CSS validation is effective
since the Custom CSS editor does not work when JavaScript is turned off,
and therefore it cannot save anything to the database unless it can check
for interspersed HTML thanks to its JavaScript-driven front-end validator.

I think that if WordPress keeps denying Custom CSS access to site admins
in multisite, this is only with respect to the existing plugin. Thanks a
lot @lenasterg for advising to overcome this outdated policy by adding an
option into the Network Settings, perhaps like this:

**Theme Customizer Settings**
**Custom CSS** ☐ Allow site admins to add CSS to their site

Indeed the initially suggested solution would open a security hole since
it would affect KSES filters as well, and the cited code is fine as-is:
{{{#!php
<?php
case 'unfiltered_html':
	// Disallow unfiltered_html for all users, even admins and super admins.
	if ( defined( 'DISALLOW_UNFILTERED_HTML' ) && DISALLOW_UNFILTERED_HTML ) {
		$caps[] = 'do_not_allow';
	} elseif ( is_multisite() && ! is_super_admin( $user_id ) ) {
		$caps[] = 'do_not_allow';
	} else {
		$caps[] = 'unfiltered_html';
	}
	break;
}}}
So I’ll definitely advise to install the **Multisite Custom CSS** plugin
until the setting is added to Core.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/58610#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
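
The narrower approach discussed in the comment above, sketched as an added example that is not code from the ticket, from WordPress core, or from the Multisite Custom CSS plugin: a `map_meta_cap` filter that remaps only `edit_css` and leaves the quoted `unfiltered_html` branch, and with it KSES, unchanged. It assumes core resolves `edit_css` through that same branch; the option name `example_allow_site_admin_custom_css` and the function name are hypothetical.

```php
<?php
/**
 * Added example, not WordPress core or plugin code.
 * Remaps only the 'edit_css' meta capability for site admins in multisite,
 * leaving the 'unfiltered_html' branch (and therefore KSES) untouched.
 */

// Hypothetical network option; a Network Settings checkbox would store it.
const EXAMPLE_CSS_OPTION = 'example_allow_site_admin_custom_css';

/**
 * @param string[] $caps    Primitive capabilities core resolved for $cap.
 * @param string   $cap     Meta capability being checked.
 * @param int      $user_id User the check is for.
 * @return string[]
 */
function example_map_edit_css( $caps, $cap, $user_id ) {
	// Touch nothing except the Custom CSS capability, and only in multisite.
	if ( 'edit_css' !== $cap || ! is_multisite() ) {
		return $caps;
	}
	// Super admins already pass core's check; keep core's answer for them.
	if ( is_super_admin( $user_id ) ) {
		return $caps;
	}
	// An explicit DISALLOW_UNFILTERED_HTML lockdown still wins.
	if ( defined( 'DISALLOW_UNFILTERED_HTML' ) && DISALLOW_UNFILTERED_HTML ) {
		return $caps;
	}
	// Off by default: act only when the network admin has opted in.
	if ( ! get_site_option( EXAMPLE_CSS_OPTION, false ) ) {
		return $caps;
	}
	// Require edit_theme_options instead of unfiltered_html, so every other
	// check that depends on unfiltered_html keeps its current result.
	return array( 'edit_theme_options' );
}
add_filter( 'map_meta_cap', 'example_map_edit_css', 10, 3 );
```

Because the filter returns early for every capability other than `edit_css`, `current_user_can( 'unfiltered_html' )` still resolves to `do_not_allow` for site admins whether or not the option is set.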