
⛔ 🐞 Bug Report: Users without unfiltered_html capability can not save links / captions with e.g. & (ampersand) #23302

Closed
dtugend opened this issue Aug 3, 2023 · 2 comments
Labels
component/code Indicates when a topic is related to a component's code. component/role-manager References any component related to the Role Manager. editor References the Elementor Editor and all its components. mod* type/security Indicates when a topic is related to component Security.

Comments

@dtugend

dtugend commented Aug 3, 2023

Prerequisites

  • I have searched for similar issues in both open and closed tickets and cannot find a duplicate.
  • The issue still exists against the latest stable version of Elementor.

Description

Currently all fields for users without unfiltered_html capability go through wp_kses_post:

if ( ! current_user_can( 'unfiltered_html' ) ) {
	$data = wp_kses_post_deep( $data );
}

While this can be desirable to mitigate HTML injections, it has the side effect that many fields in the editor work incorrectly when you enter characters that get escaped, such as & (ampersand): they become &amp; (even in the editor backend).
Examples of fields this applies to are (but not limited to): URL / Link fields (images / buttons / webhooks in forms, ...) and Caption fields.

This sadly comes in combination with WordPress Bug 50260: Multisite - Getting actual user capabilities with get_role_caps() different with current_user_can(), which causes current_user_can to return false for Administrators of a multisite that are not super admins. (We had quite some nice encounters when people that were not super admins edited a page and suddenly the webhooks would not work anymore because of the & to &amp;.)

Steps to reproduce

  1. Use a user that doesn't have unfiltered_html capability.
  2. Make a button and put https://www.test.com/?a=1&b=0 as Link URL.
  3. Save the post
  4. Reload the page (F5 in browser)
  5. Observe that the URL becomes broken, it is now: https://www.test.com/?a=1&amp;b=0

Alternatively do the same on a multisite with an admin user that doesn't have super admin (as long as the WordPress bug 50260 remains unfixed).

Isolating the problem

  • This bug happens with only Elementor plugin active (and Elementor Pro).
  • This bug happens with a Blank WordPress theme active (Hello theme).
  • I can reproduce this bug consistently following the steps above.

System Info

== Server Environment ==
	Operating System: Linux
	Software: Apache
	MySQL version: Debian 11 v10.5.19
	PHP Version: 7.4.33
	PHP Memory Limit: 128M
	PHP Max Input Vars: 1000
	PHP Max Post Size: 16M
	GD Installed: Yes
	ZIP Installed: Yes
	Write Permissions: All right
	Elementor Library: Connected

== WordPress Environment ==
	Version: 6.2.2
	Site URL: https://demo.vagas.co.il/business-consulting-website-kit
	Home URL: https://demo.vagas.co.il/business-consulting-website-kit
	WP Multisite: Yes
	Max Upload Size: 1 MB
	Memory limit: 256M
	Max Memory limit: 256M
	Permalink Structure: /blog/%year%/%monthnum%/%day%/%postname%/
	Language: en-US
	Timezone: Asia/Jerusalem
	Debug Mode: Inactive

== Theme ==
	Name: Hello Elementor Child
	Version: 1.0.1
	Author: Elementor Team
	Child Theme: Yes
	Parent Theme Name: Hello Elementor
	Parent Theme Version: 2.7.1
	Parent Theme Author: Elementor Team

== User ==
	Role: administrator
	WP Profile lang: he_IL
	User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0

== Active Plugins ==
	Elementor
		Version: 3.15.1
		Author: Elementor.com

	Elementor Pro
		Version: 3.15.0
		Author: Elementor.com

	MainWP Child
		Version: 4.4.1.3
		Author: MainWP


== Network Plugins ==
	Activity Log
		Version: 2.8.7
		Author: Activity Log Team

	Limit Login Attempts Reloaded
		Version: 2.25.20
		Author: Limit Login Attempts Reloaded

	NS Cloner - Site Copier
		Version: 4.2.2.2
		Author: Never Settle

	Shamor
		Version: 1.7.1
		Author: wpshamor.com

	Two Factor
		Version: 0.8.1
		Author: Plugin Contributors

	VGS Force Two-Factor
		Version: 1.0.11
		Author: Vagas VGS

	VGS Login
		Version: 0.2.0
		Author: Vagas VGS


== Features ==
	Custom Fonts: 0
	Custom Icons: 0

== Integrations ==
	


== Elementor Experiments ==
	Optimized DOM Output: Active by default
	Improved Asset Loading: Active by default
	Improved CSS Loading: Active by default
	Inline Font Icons: Inactive by default
	Additional Custom Breakpoints: Active by default
	admin_menu_rearrangement: Inactive by default
	Flexbox Container: Inactive by default
	Upgrade Swiper Library: Active by default
	Grid Container: Inactive by default
	Default to New Theme Builder: Active by default
	Hello Theme Header & Footer: Active by default
	Editor Top Bar: Inactive by default
	Landing Pages: Active by default
	Nested Elements: Inactive by default
	Lazy Load Background Images: Inactive by default
	Global Style Guide: Inactive by default
	Page Transitions: Active by default
	Notes: Active by default
	Loop: Active by default
	Form Submissions: Active by default
	Scroll Snap: Active by default
	Menu: Inactive by default
	Taxonomy Filter: Inactive by default


== Log ==
	
Log: showing 20 of 20
2023-02-21 08:58:27 [info] elementor-pro::elementor_pro_updater Started
2023-02-21 08:58:27 [info] Elementor Pro/Upgrades - _on_each_version Start  
2023-02-21 08:58:27 [info] Elementor Pro/Upgrades - _on_each_version Finished 
2023-02-21 08:58:27 [info] Elementor data updater process has been completed. [array (
  'plugin' => 'Elementor Pro',
  'from' => '3.11.0',
  'to' => '3.11.1',
)]
2023-02-21 08:58:27 [info] Elementor data updater process has been queued. [array (
  'plugin' => 'Elementor Pro',
  'from' => '3.11.0',
  'to' => '3.11.1',
)]
2023-02-23 09:13:54 [info] elementor::elementor_updater Started 
2023-02-23 09:13:54 [info] Elementor/Upgrades - _on_each_version Start
2023-02-23 09:13:54 [info] Elementor data updater process has been queued. [array (
  'plugin' => 'Elementor',
  'from' => '3.11.1',
  'to' => '3.11.2',
)]
2023-02-23 09:13:54 [info] Elementor/Upgrades - _on_each_version Finished
2023-02-23 09:13:54 [info] Elementor data updater process has been completed. [array (
  'plugin' => 'Elementor',
  'from' => '3.11.1',
  'to' => '3.11.2',
)]
2023-02-23 09:13:56 [info] Elementor data updater process has been queued. [array (
  'plugin' => 'Elementor',
  'from' => '3.11.1',
  'to' => '3.11.2',
)]
2023-08-03 17:44:51 [info] elementor::elementor_updater Started 
2023-08-03 17:44:51 [info] Elementor/Upgrades - _on_each_version Start  
2023-08-03 17:44:51 [info] Elementor/Upgrades - _on_each_version Finished 
2023-08-03 17:44:51 [info] Elementor data updater process has been completed. [array (
  'plugin' => 'Elementor',
  'from' => '3.11.2',
  'to' => '3.15.1',
)]
2023-08-03 19:29:31 [info] elementor-pro::elementor_pro_updater Started 
2023-08-03 19:29:31 [info] Elementor Pro/Upgrades - _on_each_version Start  
2023-08-03 19:29:31 [info] Elementor Pro/Upgrades - _on_each_version Finished 
2023-08-03 19:29:31 [info] Elementor data updater process has been completed. [array (
  'plugin' => 'Elementor Pro',
  'from' => '3.11.1',
  'to' => '3.15.0',
)]
2023-08-03 19:29:31 [info] Elementor data updater process has been queued. [array (
  'plugin' => 'Elementor Pro',
  'from' => '3.11.1',
  'to' => '3.15.0',
)]

PHP: showing 4 of 4
PHP: 2023-02-21 08:59:01 [notice X 2][../wp-content/plugins/elementor/core/common/modules/ajax/module.php::175] Undefined index: data [array (
  'trace' => '
#0: Elementor\Core\Logger\Manager -> shutdown()
',
)]
PHP: 2023-02-21 08:59:04 [notice X 1][../wp-content/plugins/elementor-pro/core/app/modules/import-export/runners/import/templates.php::103] Undefined index: conditions [array (
  'trace' => '
#0: Elementor\Core\Logger\Manager -> shutdown()
',
)]
PHP: 2023-02-21 09:31:44 [notice X 2][../wp-content/plugins/elementor/includes/managers/image.php::108] Trying to access array offset on value of type bool [array (
  'trace' => '
#0: Elementor\Core\Logger\Manager -> shutdown()
',
)]
PHP: 2023-02-21 09:32:46 [error X 1][../wp-content/plugins/elementor-pro/modules/theme-builder/classes/conditions-manager.php::295] Uncaught Error: Call to a member function update_meta() on bool in../wp-content/plugins/elementor-pro/modules/theme-builder/classes/conditions-manager.php:295
Stack trace:
#0 ../wp-content/plugins/elementor-pro/modules/theme-builder/classes/conditions-manager.php(168): ElementorPro\Modules\ThemeBuilder\Classes\Conditions_Manager->save_conditions()
#1 [internal function]: ElementorPro\Modules\ThemeBuilder\Classes\Conditions_Manager->ajax_save_theme_template_conditions()
#2 ../wp-content/plugins/elementor/core/common/modules/ajax/module.php(175): call_user_func()
#3 ../wp-includes/class-wp-hook.php(308): Elementor\Core\Common\Modules\Ajax\Module->handle_ajax_request()
#4 ../wp-includes/class-wp-hook.php(332): WP_Hook->apply_filters()
#5 ../wp-includes/plugin.php(517): WP_Hook->do_action()
#6 ../wp-admin/admin-ajax.php(188): do_acti [array (
  'trace' => '
#0: Elementor\Core\Logger\Manager -> shutdown()
',
)]



== Elementor - Compatibility Tag ==
	
	Elementor Pro: Compatible

== Elementor Pro - Compatibility Tag ==
	

				
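A diagnostic that confirms both halves of the report on a given site, added here as an example and not part of the issue or of Elementor: it compares what the user's role says about unfiltered_html with what current_user_can() returns (the multisite discrepancy from WP Trac #50260), then runs a constructed Elementor-style settings array through wp_kses_post_deep() to show the & to &amp; rewrite. Run it with WP-CLI as `wp eval-file check-unfiltered-html.php --url=<site> --user=<id>`; the file name, the user ID and the sample settings values are assumptions.

```php
<?php
/**
 * Added diagnostic, not part of the issue or of Elementor. Run inside a site with WP-CLI:
 *   wp eval-file check-unfiltered-html.php --url=https://example.invalid/site --user=42
 * The file name, the user ID and the sample settings below are assumptions for illustration.
 */

$user_id = get_current_user_id(); // set by --user=<ID|login|email>
$user    = get_userdata( $user_id );
if ( ! $user ) {
	WP_CLI::error( 'No user in context; pass --user=<ID|login|email>.' );
}

// 1. What the role definitions say vs. what the runtime check returns.
//    On multisite, core's map_meta_cap() turns 'unfiltered_html' into 'do_not_allow'
//    for everyone who is not a super admin, so the two answers can differ (WP Trac #50260).
$role_has_cap = false;
foreach ( (array) $user->roles as $role_name ) {
	$role = get_role( $role_name );
	if ( $role && $role->has_cap( 'unfiltered_html' ) ) {
		$role_has_cap = true;
	}
}
$runtime_has_cap = current_user_can( 'unfiltered_html' );

WP_CLI::log( sprintf( 'user=%s roles=%s', $user->user_login, implode( ',', (array) $user->roles ) ) );
WP_CLI::log( sprintf( 'is_multisite=%s is_super_admin=%s', var_export( is_multisite(), true ), var_export( is_super_admin( $user_id ), true ) ) );
WP_CLI::log( sprintf( 'role grants unfiltered_html=%s  current_user_can(unfiltered_html)=%s', var_export( $role_has_cap, true ), var_export( $runtime_has_cap, true ) ) );

// 2. What the kses pass quoted in the report does to an Elementor-style settings array.
//    Constructed sample; the field names mirror the kinds of fields the report lists.
$settings = array(
	'link'    => array( 'url' => 'https://www.test.com/?a=1&b=0' ),
	'caption' => 'Q&A session',
	'webhook' => 'https://hooks.example.invalid/in?token=abc&src=form',
);
$filtered = wp_kses_post_deep( $settings );
WP_CLI::log( 'link.url  ' . $filtered['link']['url'] );
WP_CLI::log( 'caption   ' . $filtered['caption'] );
WP_CLI::log( 'webhook   ' . $filtered['webhook'] );
// Every bare '&' comes back as '&amp;'. That is right for text printed into HTML, but a
// stored '&amp;' is wrong for a value that is later sent as a request URL or shown in an
// input field, which is the breakage described in the report.

if ( ! $runtime_has_cap ) {
	WP_CLI::warning( 'This user is routed through wp_kses_post_deep(); URLs containing & will be stored as &amp;.' );
}
```

On a multisite, a site administrator who is not a super admin should print `role grants unfiltered_html=true` next to `current_user_can(unfiltered_html)=false`, which is the discrepancy the report attributes to WP Trac #50260; the three filtered values then show the literal `&amp;` that ends up in the stored settings.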

@dtugend dtugend added the status/awaiting_triage Indicates when an Issue, Pull Request, or Discussion awaits to be triaged. label Aug 3, 2023
@dtugend
Author

dtugend commented Aug 3, 2023

In case someone else runs in the same problem on a MultiSite, you can work around it with a simple plugin:

<?php
/**
 * Plugin Name:       VGS Fix MultiSite Unfiltered HTML Capability
 * Description:       Adds unfiltered_html for e.g. non-super admins: https://github.com/elementor/elementor/issues/23302
 * Author:            Vagas VGS
 * Version:           0.0.1
 * Requires at least: 5.0
 * Requires PHP:      7.4
 * Author URI:        https://www.vagas.co.il/
 * License:           GPL2
 * License URI:       https://www.gnu.org/licenses/gpl-2.0.html
 * Network:           true
 * Text Domain:       vgs-fix-multisite-unfiltered-html-cap
 * Domain Path:       /languages
 */

defined( 'ABSPATH' ) or exit;

/**
 * Rewrites core's mapping of the 'unfiltered_html' meta capability.
 *
 * On multisite, map_meta_cap() maps 'unfiltered_html' to 'do_not_allow' for every
 * user who is not a super admin, so current_user_can( 'unfiltered_html' ) is false
 * even for site administrators whose role carries the capability (WP Trac #50260).
 * This filter replaces that 'do_not_allow' with the primitive 'unfiltered_html', so
 * the result falls back to whatever the user's role on the current site grants.
 *
 * Security note: this hands back a capability WordPress deliberately withholds on
 * multisite. Every role that carries unfiltered_html (administrator, and by default
 * editor) can then store raw HTML and script, so only use it where those users are
 * trusted across the network.
 *
 * @param string[] $caps    Primitive capabilities core mapped $cap to.
 * @param string   $cap     Capability being checked.
 * @param int      $user_id User being checked.
 * @return string[]
 */
function vgs_fix_multisite_unfiltered_html_cap( $caps, $cap, $user_id ) {
	if ( 'unfiltered_html' !== $cap ) {
		return $caps;
	}

	// Keep the global kill switch: DISALLOW_UNFILTERED_HTML still disables it for everyone, even super admins.
	if ( defined( 'DISALLOW_UNFILTERED_HTML' ) && DISALLOW_UNFILTERED_HTML ) {
		return $caps;
	}

	// Only the multisite non-super-admin case is changed; single-site users and super admins keep core's mapping.
	if ( is_multisite() && ! is_super_admin( $user_id ) ) {
		$caps = array( 'unfiltered_html' );
	}

	return $caps;
}

add_filter( 'map_meta_cap', 'vgs_fix_multisite_unfiltered_html_cap', 10, 3 );
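
A tighter variant of the workaround above, added here as an example; it is neither the plugin posted in this thread nor Elementor code. It keeps core's 'do_not_allow' for everyone except an explicit allowlist of user IDs who are also administrators of the site being edited, so editors and unlisted administrators stay filtered. The plugin name, the allowlist IDs and the `scoped_unfiltered_html_allowlist` filter name are assumptions for illustration. The trade-off itself does not change: a listed user can store raw HTML and script on those sites, which is the behaviour Elementor's reply further down declines to support.

```php
<?php
/**
 * Plugin Name: Scoped Unfiltered HTML for Listed Site Admins
 * Description: Added example for elementor/elementor#23302; not the plugin posted in the thread and not Elementor code.
 * Network:     true
 */

defined( 'ABSPATH' ) || exit;

/**
 * User IDs that may get unfiltered_html back, and only on sites where they are administrators.
 * The IDs are placeholders; in practice load them from a network option or a constant in wp-config.php.
 */
function scoped_unfiltered_html_allowlist() {
	return array_map( 'intval', (array) apply_filters( 'scoped_unfiltered_html_allowlist', array( 42, 77 ) ) );
}

/**
 * Narrow the core mapping of 'unfiltered_html' instead of lifting it for every non-super admin.
 *
 * Core's map_meta_cap() returns array( 'do_not_allow' ) for this capability on multisite when the
 * user is not a super admin. Everything below leaves that result alone unless all of these hold:
 * the global DISALLOW_UNFILTERED_HTML switch is off, the user ID is on the allowlist, and the user
 * holds the administrator role on the current site. Editors and unlisted administrators stay filtered.
 *
 * @param string[] $caps    Primitive capabilities core mapped $cap to.
 * @param string   $cap     Capability being checked.
 * @param int      $user_id User being checked.
 * @param array    $args    Extra context passed to current_user_can(); unused here.
 * @return string[]
 */
function scoped_unfiltered_html_map_meta_cap( $caps, $cap, $user_id, $args ) {
	if ( 'unfiltered_html' !== $cap ) {
		return $caps;
	}
	if ( defined( 'DISALLOW_UNFILTERED_HTML' ) && DISALLOW_UNFILTERED_HTML ) {
		return $caps; // global kill switch wins, as in core
	}
	if ( ! is_multisite() || is_super_admin( $user_id ) ) {
		return $caps; // core already returns the real capability here
	}
	if ( ! in_array( (int) $user_id, scoped_unfiltered_html_allowlist(), true ) ) {
		return $caps; // not listed: keep 'do_not_allow'
	}
	$user = get_userdata( $user_id ); // roles reflect the current site on multisite
	if ( ! $user || ! in_array( 'administrator', (array) $user->roles, true ) ) {
		return $caps; // listed, but not an administrator of this site
	}
	// Replace 'do_not_allow' with the primitive capability; the final answer still
	// depends on this site's administrator role actually carrying unfiltered_html.
	return array( 'unfiltered_html' );
}
add_filter( 'map_meta_cap', 'scoped_unfiltered_html_map_meta_cap', 10, 4 );
```

Because the role check uses the roles of the current site, a listed user who is an administrator on one site and an editor on another only regains the capability on the first; defining DISALLOW_UNFILTERED_HTML in wp-config.php switches the whole thing off again without touching the plugin.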

@nicholaszein nicholaszein changed the title Users without unfiltered_html capability can not save links / captions with e.g. & (ampersand) ⛔ 🐞 Bug Report: Users without unfiltered_html capability can not save links / captions with e.g. & (ampersand) Aug 4, 2023
@nicholaszein nicholaszein added editor References the Elementor Editor and all its components. component/code Indicates when a topic is related to a component's code. component/role-manager References any component related to the Role Manager. type/security Indicates when a topic is related to component Security. and removed status/awaiting_triage Indicates when an Issue, Pull Request, or Discussion awaits to be triaged. labels Aug 4, 2023
@nicholaszein
Member

Hi, @dtugend ,

Thank you for reaching out! 🙏

⛔ After reviewing your report we concluded this is not a bug caused by Elementor. For security reasons, the feature you're referring to is not supported.

We will not change this behavior. I hope you can understand.

Thank you for your feedback.

Kind regards

@nicholaszein nicholaszein closed this as not planned Won't fix, can't repro, duplicate, stale Aug 4, 2023
@elementor elementor locked and limited conversation to collaborators Aug 4, 2023
2 participants