Why is WordPress filtering these
Because it’s a major security hole. WordPress sanitises your posts content to a whitelist of tags and attributes on save. When the posts content is displayed additional filters ( the_content ) are used to convert features into their final markup. E.g. by swapping out shortcodes, rendering dynamic blocks, taking OEmbed URLs and swapping them out for their embed HTML codes, etc.
The exception is in non-multisite self-installs where the administrator may have the unfiltered_html capability. This is a very dangerous capability that bypasses the security, e.g. you can insert unbalanced tags that cripple your site, or bitcoin miners and malware. Also anybody who isn’t an admin that opens this post and saves will strip it all out.
and what solutions/options do I have?
Literally any API other than what you did:
- custom shortcodes
- filters
- templates
- custom blocks
- custom widgets ( or even the custom HTML widget )
But not raw form html and javascript executing in the posts content.
The easiest is probably a shortcode, e.g. shortcode-plugin.php:
<?php
/**
* Plugin Name: I'm a plugin yay
*/
add_shortcode( 'yourshortcode', function( $atts ) : string {
ob_start();
?>
<form>
....
</form>
<?php
return ob_get_clean();
} );