Custom role can't save HTML into TextArea field

• jerylteo

• January 15, 2021 at 2:36 pm

I have a custom role called “Members”, with the following post_type/caps settings

function register_memberspt() {
    $labels = array(
        'name'                  => _x( 'Members', 'Post type general name', 'textdomain' ),
        'singular_name'         => _x( 'Member', 'Post type singular name', 'textdomain' ),
    );
 
    $args = array(
        'labels'             => $labels,
        'public'             => true,
        'publicly_queryable' => true,
        'show_ui'            => true,
        'show_in_menu'       => true,
        'query_var'          => true,
        'rewrite'            => array( 'slug' => 'members' ),
        'capability_type'    => 'post',
        'has_archive'        => true,
        'hierarchical'       => false,
        'menu_position'      => 5,
        'menu_icon'         =>  'dashicons-groups',
        'supports'           => array( 'title', 'editor', 'author', 'thumbnail' ),
    );
 
    register_post_type( 'memberspt', $args );
}

    add_role('member', _('Member'), [
        'upload_files' => true,
        'publish_posts' => true,
        'edit_published_posts' => true,
        'delete_published_posts' => true,
        'edit_posts' => true,
        'delete_posts' => true,
        'read' => true,
        'publish_pages' => true,
        'edit_pages' => true,
        'edit_published_pages' => true,
        'delete_pages' => true,
        'unfiltered_html' => true,
    ]);

I have a TextArea field called location_map, that takes in <iframe> embed code, and outputs frontend. Everything works when I’m using an admin user.
However, when updating with a user with the Member role, I am unable to update any HTML codes into the TextArea field.

e.g.
When I try to save <iframe ….></iframe>, it just disappears.
When I try to save <iframe …></iframe> asd, only “asd” remains.

Any help would be much appreciated

• jerylteo

• January 15, 2021 at 2:37 pm

Additionally, seems like every other html code works. <div>, <p> etc works. only <iframe> disappears.

• Galexia

• January 17, 2024 at 10:43 am

I have this issue too. Any help?

• Galexia

• January 17, 2024 at 11:18 am

This is a dirty fix I’ve come up with:

add_filter(
    'wp_kses_allowed_html',
    function ( $tags, $context ) {
        if ( 'post' !== $context ) {
            return $tags;
        }
        // There's a bug with ACF where iframes are not allowed in content if you are using a custom role.
        $tags['iframe'] = array(
            'src'                             => array(),
            'height'                          => array(),
            'width'                           => array(),
            'frameborder'                     => array(),
            'allowfullscreen'                 => array(),
            'title'                           => array(),
            'mozallowfullscreen'              => array(),
            'webkitallowfullscreen'           => array(),
            'allow'                           => array(),
            'xr-spatial-tracking'             => array(),
            'execution-while-out-of-viewport' => array(),
            'execution-while-not-rendered'    => array(),
            'web-share'                       => array(),
        );

        return $tags;
    },
    10,
    2
);