Iframe disappears when author updates page

If a user has an author role and is listed as the author of a page, when they make changes to the page and click update, the changes are made but the iframe that was in the wysiwyg disappears and no longer shows on the back-end or front-end. If an administrator or editor makes the changes and saves it, the iframe stays.

Besides changing the user role to editor, how do I prevent the iframe from disappearing?

I tried having the author paste the iframe code into the text view and update it while still in text view on the wysiwyg.

I tried adding these coding snippets into the functions file in hopes that it would prevent wp from stripping it, but they're a no-go.

This: 

function custom_rewrite_basic() {
   add_rewrite_rule('^about-us/careers/([\w\d-]+)/?', 'index.php? 
   post_type=jobsname=$matches[1]', 'top');
}
add_action('init', 'custom_rewrite_basic');

function add_iframe($initArray) {
    $initArray['extended_valid_elements'] = "iframe[id|class|title|style|align|frameborder|height|longdesc|marginheight|marginwidth|name|scrolling|src|width]";
    return $initArray;
}

// this function alters the way the WordPress editor filters your code
add_filter('tiny_mce_before_init', 'add_iframe');

And this:

function km_add_unfiltered_html_capability_to_editors( $caps, $cap, $user_id ) {
    if ( 'unfiltered_html' === $cap  user_can( $user_id, 'editor' ) ) {
        $caps = array( 'unfiltered_html' );
    }
    return $caps;
}
add_filter( 'map_meta_cap', 'km_add_unfiltered_html_capability_to_editors', 1, 3 );

Topic iframe user-roles Wordpress

Category Web

1
answered at

Note that allowing iframes directly in a post content area can be dangerous, that's why they're stripped out for security reasons.

Super admins on multisites or administrators on single sites have the unfiltered_html capability, and can insert anything they please into a post content area, but this is dangerous. For example, granting your author this capability would allow them to copy paste javascript into the post content area. I would be wary of bitcoin miners, if not credit card stealers, or router malware.

Instead, have you considered using an iframe shortcode? If the iframe is for a video or another kind of embed, then OEmbed would be the appropriate path forward. If it's a Youtube video or common service, it's likely that's already supported, in which case simply copy pasting the URL of the content to be embedded on its own line should turn it into an iframe embed automagically.

iframe embeds implemented via OEmbed work with the [embed] shortcode automatically, and you may even find that the block editor creates blocks for you

About

Geeks Mental is a community that publishes articles and tutorials about Web, Android, Data Science, new techniques and Linux security.