Preventing Users from Saving Markup in the Layout Editor

WS Form PRO is an advanced form plugin for WordPress. As such, it allows developers to save markup in settings such as labels (e.g. adding span tags) or HTML content.

For websites where such a capability is not desirable, WS Form honors the unfiltered_html capability in WordPress.

If a user does not have the unfiltered_html capability, any attempt to save a WS Form setting containing HTML tags such as iframe, embed or script, or other markup deemed insecure, will have that markup stripped out before the setting is stored.

If a user does have the unfiltered_html capability, any markup can be saved in settings.

In short, if you do not want users to be able to save markup in WS Form settings, you should remove the unfiltered_html capability from them.

There are two ways of disabling this capability in WordPress.

For All Users

You can use the DISALLOW_UNFILTERED_HTML constant to remove the unfiltered_html capability for all users by adding the following code to your wp-config.php file:

define( 'DISALLOW_UNFILTERED_HTML', true );

This would typically go beneath the WP_DEBUG constant and, like every other constant in wp-config.php, above the "That's all, stop editing!" comment and the line that requires wp-settings.php; a constant defined after that line is too late to take effect. For example:

define( 'WP_DEBUG', false );
define( 'DISALLOW_UNFILTERED_HTML', true );

When DISALLOW_UNFILTERED_HTML is set to true, WordPress denies the unfiltered_html capability for every user, including administrators (and, on multisite, Super Admins): the capability check is mapped to do_not_allow at check time, so no role or user record is modified and removing the constant restores the previous behavior. Note that the constant affects what can be saved from now on; markup already stored in settings is not re-filtered by adding it.

By Role

To change the unfiltered_html capability for users by role you can use a user capabilities plugin.

We recommend using the PublishPress Capabilities plugin which allows you to enable or disable this capability by role.

To do this:

  • Install and activate the PublishPress Capabilities plugin.
  • Go to Capabilities in your WordPress admin area.
  • In the top-right corner of the screen, load the user role that you want to customize, e.g. Editor.
  • In the center of the screen, you can now set the permissions. If you want to allow people in the Editor role to save posts or WS Form settings with full markup, check the unfiltered html box; leave it unchecked to have insecure markup stripped. Click the blue Save Changes button to finish.

If you want to set these permissions across a multisite network, follow these instructions. On WordPress multisite networks, only Super Admins have the unfiltered_html capability by default.
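If you would rather not install a capabilities plugin, the same per-role restriction described above can be applied in code, and the result of either approach (the wp-config.php constant or a role change) can be verified without logging in as each user. The following must-use plugin is an added example written for this page; it is not part of WS Form PRO or of WordPress, and the role list, function names and the EXAMPLE_ prefix are assumptions you should adapt. It uses the same core mechanism DISALLOW_UNFILTERED_HTML relies on: hooking map_meta_cap and adding do_not_allow to the required capabilities.

```php
<?php
/**
 * Plugin Name: Deny unfiltered_html by role (added example)
 *
 * Added example, not code from WS Form PRO or WordPress core. Save it as
 * wp-content/mu-plugins/deny-unfiltered-html.php so it loads on every
 * request and cannot be deactivated from the admin screens.
 */

// Assumed list of roles whose users must never save raw markup. Edit to taste.
const EXAMPLE_NO_UNFILTERED_HTML_ROLES = array( 'editor', 'author', 'contributor' );

/**
 * Deny unfiltered_html at capability-check time for the listed roles.
 *
 * current_user_can( 'unfiltered_html' ) ultimately runs through the
 * map_meta_cap filter. Appending 'do_not_allow' to the required primitive
 * capabilities makes the check fail, which is exactly what core does when
 * DISALLOW_UNFILTERED_HTML is true. Nothing is written to the database, so
 * deleting this file restores the default behaviour immediately.
 *
 * @param string[] $caps    Primitive capabilities required so far.
 * @param string   $cap     Capability being checked.
 * @param int      $user_id User being checked.
 * @param array    $args    Extra arguments passed to the check (unused here).
 * @return string[]
 */
function example_deny_unfiltered_html_by_role( $caps, $cap, $user_id, $args ) {
	if ( 'unfiltered_html' !== $cap ) {
		return $caps;
	}

	$user = get_userdata( $user_id );
	if ( ! $user ) {
		return $caps;
	}

	// A user may hold several roles; deny if any one of them is on the list.
	if ( array_intersect( (array) $user->roles, EXAMPLE_NO_UNFILTERED_HTML_ROLES ) ) {
		$caps[] = 'do_not_allow';
	}

	return $caps;
}
add_filter( 'map_meta_cap', 'example_deny_unfiltered_html_by_role', 10, 4 );

/**
 * Report which users can currently save raw markup.
 *
 * user_can() goes through map_meta_cap, so the result reflects the
 * DISALLOW_UNFILTERED_HTML constant, multisite Super Admin rules, any
 * capabilities plugin and the filter above. This answers "who can still
 * save a <script> tag in a WS Form label?" after a configuration change.
 *
 * @return array<string,bool> user_login => whether unfiltered_html is allowed.
 */
function example_unfiltered_html_report() {
	$report = array();

	foreach ( get_users( array( 'fields' => array( 'ID', 'user_login' ) ) ) as $u ) {
		$report[ $u->user_login ] = user_can( (int) $u->ID, 'unfiltered_html' );
	}

	return $report;
}
```

With WP-CLI available on the server, `wp eval 'print_r( example_unfiltered_html_report() );'` prints the report; every user listed as false will have insecure markup stripped from WS Form settings on save. Prefer the map_meta_cap filter over calling `get_role( 'editor' )->remove_cap( 'unfiltered_html' )`: remove_cap writes the change into the roles option in the database and persists after the code is removed, whereas the filter only applies while the file is present.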