fix(blueprint): allow iframe tags in playground content #13
Merged
firestar300 merged 5 commits into develop from Apr 20, 2026
Adds a must-use plugin to the blueprint that filters `wp_kses_allowed_html` to permit iframes. This ensures the demo page content isn't stripped of its iframe elements by WordPress's security filters.
Renames the must-use plugin file responsible for filtering allowed HTML tags in the Playground environment. While the filename now mentions SVG, the current implementation continues to permit iframe tags to ensure demo content renders correctly.
Updates the KSES mu-plugin to permit the 'loading' attribute on iframe tags. This ensures that lazy-loading attributes on iframes are not stripped by WordPress security filters in the Playground environment.
Replaces the array-based string construction with a nowdoc to improve readability and maintainability. This also cleans up the allowed iframe attributes list, removing a duplicate "id" entry and fixing the string formatting for the "loading" attribute.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit 7f8f79c.
Renames the must-use plugin file from `blockparty-iframe-playground-svg-kses.php` to `blockparty-iframe-playground-kses.php`. This corrects a naming inconsistency as the plugin currently handles iframe permissions rather than SVG tags.

Note

Medium Risk

Touches WordPress sanitization (`wp_kses_allowed_html`) to allow `iframe`s, which is security-sensitive even though scoped to the Playground demo environment.

Overview

Updates the WordPress Playground blueprint to install a small `mu-plugin` that relaxes `wp_kses_allowed_html` for `post` context by allowing `iframe` tags/attributes, preventing the demo page's embedded iframe from being stripped during content insertion.

Reviewed by Cursor Bugbot for commit 78a5d34. Bugbot is set up for automated code reviews on this repo.
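For reference, a `wp_kses_allowed_html` filter scoped the way this pull request describes could look like the sketch below. It is an added example, not the file from this repository: the attribute list is assumed apart from `id` and `loading`, which the commit messages mention, and the function name `example_iframe_kses_selfcheck` and the sample markup are hypothetical.

```php
<?php
/**
 * Plugin Name: Playground iframe KSES (illustrative example)
 *
 * Added example, not the project's own mu-plugin. Only "id" and "loading"
 * are named in the commit messages; the other attributes are assumptions.
 */

add_filter(
	'wp_kses_allowed_html',
	static function ( $tags, $context ) {
		// Relax sanitization for post content only. Every other context
		// (comments, user descriptions, ...) keeps the core defaults.
		if ( 'post' !== $context ) {
			return $tags;
		}

		// Explicit attribute allowlist: anything not listed here is still
		// stripped by KSES, including inline event handlers.
		$tags['iframe'] = array(
			'src'     => true,
			'title'   => true,
			'width'   => true,
			'height'  => true,
			'id'      => true,
			'loading' => true,
		);

		return $tags;
	},
	10,
	2
);

/**
 * Hypothetical self-check: confirms that the listed attribute survives
 * wp_kses_post() and that an unlisted event handler is still removed.
 */
function example_iframe_kses_selfcheck() {
	// Constructed sample markup.
	$in  = '<iframe src="https://example.test/" loading="lazy" onload="x()"></iframe>';
	$out = wp_kses_post( $in );

	return false !== strpos( $out, '<iframe' )
		&& false !== strpos( $out, 'loading="lazy"' )
		&& false === strpos( $out, 'onload' );
}
```

Calling `example_iframe_kses_selfcheck()` from a WP-CLI shell or a debug hook in the Playground instance is a quick way to confirm the relaxation is limited to the listed attributes.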