Ok, I've seen solutions which go halfway to sorting out this problem, but nothing definitive, and nothing that 100% solves my problem.

Scenario:

  • In HTML mode, I add some javascript to a post I'm editing.
  • I switch to Visual, then back to HTML, and the tag and all of its content are gone.

How do I stop this from happening? I've tried adding custom code to my functions.php trying to access the extended_valid_elements for TinyMCE, but nothing works.

Please help!

asked Oct 2, 2012 at 13:17 by pixelkicks
  • Are you using WordPress as a single installation or in multisite mode? – Matthew Boynes Commented Oct 2, 2012 at 13:25
  • This is essentially a gaping security hole you're trying to open – Tom J Nowell Commented Oct 2, 2012 at 13:32
  • Why do you want to do this? – Tom J Nowell Commented Oct 2, 2012 at 15:55
  • Hi, the main reason for wanting to do this is because on a few sites I run, I commonly insert Google Adsense code within the body of posts. The CPC is much greater this way, and I often experiment with different ads. The pages that have the Adsense JS code are often edited in Visual mode, and it is such a pain that I have to constantly copy and paste the JS code back in when it gets removed. I appreciate the security concerns, but then if my login was breached then it opens up many more problems than just JS issues - the very nature of the breach itself would be a massive problem. – pixelkicks Commented Oct 2, 2012 at 20:06
  • Then it appears you have asked for a fix for your kludge. The correct question to ask would be how to add adsense into the middle of posts, to which the correct answer would have been a shortcode, and there are many available; likely a custom one would have been posted and you'd have gotten much reputation for asking and several badges for a noteworthy question. Instead you asked how to put arbitrary Javascript into post content, and the response you got was that doing so was bad practice and a significant security hole. – Tom J Nowell Commented Oct 2, 2012 at 22:44

5 Answers

Adding JS to the content is very, very bad practice, and it's just asking to be hacked.

Add it via a shortcode, or if you really must, use a post meta/custom fields to store the js and display it after the content in your template using echo get_post_meta($post->ID,'post_javascript',true );
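
The shortcode approach recommended in the answer above, as an added example that is not part of the original answer or of WordPress itself: the post body holds only `[example_ad slot="in-article"]`, which TinyMCE leaves alone, and the handler emits markup built from constants in code rather than from editor input. The shortcode name, slot labels, publisher ID and slot IDs are hypothetical placeholders.

```php
<?php
// Added example: a shortcode that emits vetted ad markup, so post content
// never has to carry a raw <script> tag and no role needs unfiltered_html.

// Allowlist: label an editor may type => ad slot ID (placeholder values).
const EXAMPLE_AD_SLOTS = array(
    'in-article' => '0000000001',
    'sidebar'    => '0000000002',
);

// Placeholder publisher ID; replace with the real account value.
const EXAMPLE_AD_CLIENT = 'ca-pub-0000000000000000';

function example_ad_shortcode( $atts ) {
    // Merge editor-supplied attributes with defaults; unknown keys are dropped.
    $atts = shortcode_atts( array( 'slot' => 'in-article' ), $atts, 'example_ad' );

    // Unknown labels render nothing instead of echoing editor input.
    if ( ! array_key_exists( $atts['slot'], EXAMPLE_AD_SLOTS ) ) {
        return '';
    }

    // Load the ad library once, in the footer, from a fixed URL.
    wp_enqueue_script(
        'example-adsbygoogle',
        'https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js',
        array(),
        null,
        true
    );

    // Only constants defined in this file reach the output, and they are
    // still escaped for the HTML attribute context.
    return sprintf(
        '<ins class="adsbygoogle" style="display:block" data-ad-client="%s" data-ad-slot="%s"></ins>'
        . '<script>(adsbygoogle = window.adsbygoogle || []).push({});</script>',
        esc_attr( EXAMPLE_AD_CLIENT ),
        esc_attr( EXAMPLE_AD_SLOTS[ $atts['slot'] ] )
    );
}
add_shortcode( 'example_ad', 'example_ad_shortcode' );
```

Placed in a small plugin or the theme's functions.php, this lets an editor choose between vetted ad slots without being able to introduce script of their own.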

This can be quite easily done by granting the unfiltered_html capability to whichever role you're interested in allowing SCRIPT and IFRAME tags. Obviously, as mentioned by others, there are inherent security risks, so be judicious about it.

To learn more about granting capabilities, see The WordPress Codex entry on add_cap().

Without mucking about with template PHP code, you can work around the OP's problem - as well as the problem where on multisite no one other than super-admin gets the unfiltered_html capability mentioned by @Tom Auger - by installing the "Shortcoder" plugin - it allows you to create "custom shortcodes" that simply render some text. This could be anything - including Javascript.

I create a "custom shortcode" for each piece of code that I need (usually one for each page's distinct custom code) and then the visual editor sees the shortcode and doesn't remove it.

It's also great for Javascript code re-use, if you have multiple pages that need the same (or similar) code.

As of 2024 you can allow unfiltered HTML in the wp-config.php by setting DISALLOW_UNFILTERED_HTML to false like this:

define( 'DISALLOW_UNFILTERED_HTML', false );

Regarding security stuff: Enabling unfiltered HTML by setting DISALLOW_UNFILTERED_HTML to false requires trust in your admins and security awareness, as it allows them to insert potentially harmful code. However, if a hacker gains access to your WordPress, the security implications are severe regardless of this setting.

There is also a solution for those who have Elementor plugin and don't want to install any extra plugins:

  1. From the admin menu go to Templates > Add New
  2. Choose "Container" as the template type and name it anything suitable to recognize your code later for the edits (if required).
  3. On the Elementor editor screen click the + sign to add a container and add an HTML code widget inside it.
  4. Paste your script inside the HTML box. (Note that it has to have <script></script> tags around it)
  5. Save and Exit back to the containers list. (Templates > Saved Templates > Containers)
  6. Locate your newly created template and copy its shortcode from the box in front of it.
  7. Paste this shortcode in any text editor and enjoy.

Article tags: Stop WordPress removing <script> tags when switching from HTML to Visual (TinyMCE)