Multisite and 3.5 (and 3.5.1) – Editor stripping code NSFW

In posts and widgets? I wonder if it’s the unflitered HTML thing coming back to bite you.

This only happens to site administrators – not super admin

That is correct, and this is by design. In multisite mode, only superadmins have the unfiltered_html capability.

This is a security measure, unfiltered_html is a dangerous capability to have. If I have unfiltered_html, then I can craft a post with malicious code in it that will, for example, send me your superadmin credentials when you view my post. Essentially, unfiltered_html can lead to privilege escalation, among other things.

So in normal single-site mode, admins and editors have it, because presumably they are trusted users. In multisite, only the super-admin is a trusted user, normal site-admins are not trusted since they may not have control over the entire multisite instance.

To answer your many questions:

– A moderator probably noticed that the link to your site in your profile was NSFW, and so changed the post to reflect that as a warning to others who have more stringent workplace environments.

– Generally speaking, adding code like that to posts is uncommon. Most people who want to do that sort of thing use a plugin or add it to their theme. Or, if you’re doing it in a widget, have a super-admin add it for them.

– This was indeed broken in some previous versions, but fixed in 3.5 because, like I said above, it’s a security issue. The specific change that fixed this was made here, 8 months ago: http://core.trac.ww.wp.xz.cn/changeset/21152