This article addresses a recent technical hurdle encountered during the management of a WordPress website. The LINK and SCRIPT tags were being stripped from the custom HTML block. The SuperAdmin on a MultiSite installation could add LINK and SCRIPT tags, but other users could not.
The Dilemma: Missing LINK and SCRIPT Tags
An Administrator (not the SuperAdmin) was using the embed code from ActionNetwork in a Custom HTML block; upon saving, the LINK and SCRIPT tags were inexplicably removed. The embed wasn’t displayed.
User Permissions and Security Measures
After extensive troubleshooting, we determined that the problem lay in the user permissions allocated within WordPress. Unlike the SuperAdmin role, Administrators lacked the authorization to include LINK and SCRIPT tags within the custom HTML block.
Stripping tags was a site security measure.
The specific filter in WordPress may have been wp_strip_all_tags(), which strips HTML tags, and the inner HTML from LINK and SCRIPT. However, I was unable to find where it was stripped, so maybe this function wasn’t used – it may be stripped using a regular expression.
The Solution: WP-Coder
While reading a bug report about stripped tags, a user mentioned using a plugin to insert HTML code. I dug around wordpress.org’s plugin directory and found “WP-Coder“. This tool allows you to store HTML, CSS, and JavaScript code, and insert it with a shortcode.
This solution worked as SuperAdmin, and also as an Administrator.
It wasn’t working for me in the Editor role, however.
As an Editor, I could not make a new WP-Coder shortcode, but I could use the shortcodes that were created by the Administrator.
Centralized Code Management
One possible advantage of WP-Coder is that all the code is centrally managed. A change in the code in WP-Coder is reflected on all the pages where the shortcode is used.
This makes is almost like a “Reusable Block” in Gutenberg.