WS Form PRO is an advanced form plugin for WordPress. As such, it allows developers to save markup to settings such as labels (e.g. add span tags) or HTML content.
For websites where such a capability is not desirable, we comply with the unfiltered_html capability in WordPress.
If a user does not have the unfiltered_html capability, any HTML tags such as script, or other markup deemed insecure, will be stripped out of the settings they attempt to save in WS Form.
If a user does have the unfiltered_html capability, any markup can be saved in settings.
In short, if you do not want users to have the capability of saving markup in WS Form settings you should disable the
There are two ways of disabling this capability in WordPress.
For All Users
You can use the DISALLOW_UNFILTERED_HTML constant to remove the unfiltered_html capability for all users by adding the following code to your
define( 'DISALLOW_UNFILTERED_HTML', true );
This would typically go beneath the WP_DEBUG constant, for example:
define( 'WP_DEBUG', false );
define( 'DISALLOW_UNFILTERED_HTML', true );
When DISALLOW_UNFILTERED_HTML is set to true, WordPress will automatically remove the unfiltered_html capability for all users.
To change the unfiltered_html capability for users by role you can use a user capabilities plugin.
We recommend using the PublishPress Capabilities plugin which allows you to enable or disable this capability by role.
To do this:
- Install and activate the PublishPress Capabilities plugin.
- Go to Capabilities in your WordPress admin area.
- In the top-right corner of the screen, load the user role that you want to customize, e.g. Editor.
- In the center of the screen, you can now set the permissions. If you want to allow people in the Editor role to save posts or WS Form settings with full markup, check the unfiltered html box. Click the blue Save Changes button to finish.
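
The same role-level check and change can also be made in code. The following is an added example, not WS Form or PublishPress code: the function names are hypothetical, and keeping the capability only for the administrator role is an assumption.

```php
<?php
// Added example: function names are hypothetical, not WS Form or PublishPress code.

// Report which roles are granted unfiltered_html and whether core will honour it.
function example_audit_unfiltered_html() {
	$report = array(
		// When true, WordPress denies unfiltered_html to every user.
		'constant_set' => defined( 'DISALLOW_UNFILTERED_HTML' ) && DISALLOW_UNFILTERED_HTML,
		// On multisite, core only honours unfiltered_html for super admins.
		'multisite'    => is_multisite(),
		'roles'        => array(),
	);
	foreach ( wp_roles()->role_objects as $name => $role ) {
		if ( $role->has_cap( 'unfiltered_html' ) ) {
			$report['roles'][] = $name;
		}
	}
	return $report;
}

// Remove unfiltered_html from every role not on the (assumed) allow list.
function example_restrict_unfiltered_html( array $allowed_roles = array( 'administrator' ) ) {
	$changed = array();
	foreach ( wp_roles()->role_objects as $name => $role ) {
		if ( in_array( $name, $allowed_roles, true ) ) {
			continue;
		}
		if ( $role->has_cap( 'unfiltered_html' ) ) {
			// remove_cap() saves the updated role definition to the database.
			$role->remove_cap( 'unfiltered_html' );
			$changed[] = $name;
		}
	}
	return $changed;
}

// Example run through WP-CLI: wp eval-file <this file>
if ( defined( 'WP_CLI' ) && WP_CLI ) {
	WP_CLI::log( 'Before: ' . wp_json_encode( example_audit_unfiltered_html() ) );
	WP_CLI::log( 'Removed from: ' . wp_json_encode( example_restrict_unfiltered_html() ) );
	WP_CLI::log( 'After: ' . wp_json_encode( example_audit_unfiltered_html() ) );
}
```

Capabilities granted directly to an individual user are not covered by this role-level check, so review those separately.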