WiscWeb - WordPress UW Theme - WiscWeb Embed Code Policy

The following doc outlines WiscWeb's current policy regarding embedded code use.

Important Note About Terminology

This document uses some terminology that may not be familiar to all readers. If there are any terms you do not recognize, please refer to our Terminology doc for more information. 

As of 2019, WiscWeb sites will not inherit the ability to embed code or inline HTML for display in a Text Block. This decision was made to align our service more closely with WordPress standards for security. 

The current WiscWeb policy is that new sites will not have the ability to embed content in the WYSIWYG. This is to protect the entire multi-site network from XSS attacks that could break pages or sites. 

Background

In WordPress multi-site networks, like the one we use for WiscWeb, only the SuperAdmin role is able to include unfiltered HTML. This was a change that WordPress rolled out in version 2.0 to prevent users from posting malicious or poorly formatted code. WiscWeb did not initially inherit this change because our pages are built using ACF page builder technology. ACF did not align with this standard until version 5.7.9. 

ACF was updated (to version 5.7.9) in the UW Theme in January 2019. At that time, the unfiltered HTML rule that was already in place for WordPress was unknowingly introduced to all WiscWeb sites. It prevented the use of embed code in the WYSIWYG for all roles other than SuperAdmins. As only WiscWeb staff are designated as SuperAdmins, this meant that all other users lost this capability. 

To accommodate sites that had previously always had this option available, WiscWeb implemented a short-term fix via a custom plugin. This plugin allowed for the use of embed code in the WYSIWYG for site IDs that were created before the change. Sites created after this update do not inherit the ability to embed content in the WYSIWYG. 

Current Behavior

If users try to include embed code in the Text Block of their WiscWeb site, it will be stripped upon Publish or Update. Users will not be able to use the following tags in the text area of their pages:
  • <iframe>
  • <embed>
  • <style>
  • <span>
  • <input>
  • <script>
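
To see in advance which markup the rule above affects, content can be checked before it is pasted into a Text Block. The following is an added example, not WiscWeb's or WordPress's own filter: it only reports where the tags listed above appear and does not reproduce the stripping itself. The names `BLOCKED_TAGS`, `BlockedTagAudit` and `audit_text_block` are hypothetical, and the sample markup is constructed.

```python
from html.parser import HTMLParser

# Tags this page lists as unavailable in the Text Block.
BLOCKED_TAGS = {"iframe", "embed", "style", "span", "input", "script"}


class BlockedTagAudit(HTMLParser):
    """Records (line, tag) for every opening tag that is on the blocked list."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag names, so <IFRAME> and <iframe> both match.
        # Self-closing forms such as <input /> also arrive here.
        if tag in BLOCKED_TAGS:
            line, _offset = self.getpos()
            self.findings.append((line, tag))


def audit_text_block(html):
    """Return a list of (line_number, tag_name) for blocked tags in html.

    Markup inside HTML comments is not reported, because the parser
    never treats it as a tag.
    """
    parser = BlockedTagAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample content, not taken from any real site.
SAMPLE = (
    '<p>Campus map:</p>\n'
    '<IFRAME src="https://example.edu/map"></IFRAME>\n'
    '<p>Sign up <span class="note">today</span></p>\n'
    '<!-- <script>old()</script> -->\n'
    '<input type="text" name="q" />\n'
)

if __name__ == "__main__":
    for line, tag in audit_text_block(SAMPLE):
        print(f"line {line}: <{tag}> will not be kept on Publish or Update")
```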

Options for Embedding

If WiscWeb users need to embed content, there are currently a couple of options:

WordPress oEmbeds
WordPress oEmbeds are whitelisted tools that have been accommodated in WordPress Core. Using this approach, users need only include a URL for the content they'd like to use and WordPress will automatically recognize it and embed it in the Text Block. More information on how to implement this technique can be found in our Embed Video or Social Media doc. It is important to note that WordPress does not whitelist all common tools, so there are several that will not work. For a full list of tools that work as oEmbeds in WordPress, please visit their Embed page.

Embedded Content Page Element
In the UW Theme, there is a page element that will allow users to embed certain types of content in the page. More information on how to implement this technique can be found in our Embedded Content Page Element doc. It is important to note that this feature currently only works with YouTube, Twitter, Vimeo, and the campus-approved tools located in WiscWeb - WordPress UW Theme - Embed Options.

Tips

  • If there isn't another option available for including your outside source content in your site, we recommend linking out to the content. The users will still be able to get to it and it's an easy workaround.