The pymsrc option allows users to load arbitrary javascript on the page. #8
Comments
Thought on this:
Why limit it to those users? They're who can put
Why collect data for a version before it goes active? Because if we launch whitelisting with an empty whitelist, we have the chance of silently breaking everyone's existing embeds.
Why cause an error? Because we need to provide feedback that the embed isn't permitted.
Why provide instructions? So people know how to remedy the error.
Another possible solution:
Like, at minimum, we should be using https://developer.wordpress.org/reference/functions/wp_http_validate_url/ or something to make sure that the URL is valid.
This would be a breaking change for sites that have used an alternate pymsrc. However, we can encourage admins in the upgrade notes and in the general readme and in the install notes to check the box and set the pymsrc to the CDN. As part of this, link to the "how to test upgrading this plugin on your site" docs, which should be written as part of #32.
- INN\PymShortcode is now INN\PymEmbeds
- Adds settings page - addresses #32
- helper function INN\PymEmbeds\Settings\option_group() to get the option group name
- helper function INN\PymEmbeds\Settings\option_key() to get the option_key for wp_options
- helper function INN\PymEmbeds\Settings\settings_section() to get the settings section ID for the settings page
- helper function INN\PymEmbeds\Settings\settings_page() to get the settings page ID
- option default_pymsrc to change away from that provided by pym_pymsrc_local_url(), which is run through wp_http_validate_url to address #8 (comment)
- option override_pymsrc to force use of default_pymsrc in embed output, addressing #8
The content of the pymsrc script is output directly to the page: https://github.com/INN/pym-shortcode/blob/26bbef9e561651da110e6dc77d590bc362736fa5/pym-shortcode.php#L31
We should check to make sure that this is at least a URL.
We may want to consider implementing a whitelist in the future, for security reasons.
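The fix the thread converges on (run the value through wp_http_validate_url, force a default when the admin asks for it, and eventually allowlist the host) looks roughly like the following in PHP. This is an added example, not code from pym-shortcode or from the commit referenced above; the function names prefixed `pym_example_`, the host list, and the error markup are assumptions, while `wp_http_validate_url()`, `wp_parse_url()`, `esc_url()`, `esc_html()` and `get_option()` are real WordPress functions. The option keys `default_pymsrc` and `override_pymsrc` are taken from the thread.

```php
<?php
// Added example (not pym-shortcode's own code): resolving the pymsrc value
// before it is printed into a <script src="..."> tag.

/**
 * Weak form, mirroring the report: the value from the shortcode attribute is
 * printed unchanged, so anyone who can author a shortcode picks the script.
 */
function pym_example_script_tag_unsafe( $pymsrc ) {
	return '<script type="text/javascript" src="' . $pymsrc . '"></script>';
}

/**
 * Hosts an admin is willing to load pym.js from. Constructed sample list;
 * a real plugin would read this from its settings page.
 */
function pym_example_allowed_hosts() {
	return array( 'pym.nprapps.org', 'cdnjs.cloudflare.com' );
}

/**
 * Hardened form. Returns the validated URL, or false when the source is not
 * acceptable so the caller can show an error instead of a script tag.
 *
 * @param string $requested Value of the pymsrc shortcode attribute (may be empty).
 * @param string $default   Site-wide default (the thread's default_pymsrc option).
 */
function pym_example_resolve_pymsrc( $requested, $default ) {
	// override_pymsrc: admin forces the default and ignores per-embed values.
	if ( get_option( 'override_pymsrc', false ) || '' === trim( (string) $requested ) ) {
		$requested = $default;
	}

	// wp_http_validate_url() accepts only http(s) URLs without credentials and
	// rejects loopback/private hosts by default; it returns the URL or false.
	// javascript:, data: and protocol-relative values never get past this line.
	$url = wp_http_validate_url( $requested );
	if ( false === $url ) {
		return false;
	}

	// Allowlist step from the thread: a syntactically valid URL can still point
	// at an attacker-controlled host, so compare the host against the list.
	$host = wp_parse_url( $url, PHP_URL_HOST );
	if ( ! is_string( $host ) || ! in_array( strtolower( $host ), pym_example_allowed_hosts(), true ) ) {
		return false;
	}

	return $url;
}

/**
 * Builds the output for the embed: a script tag for an allowed source, or a
 * visible error with remediation hint (the feedback the thread asks for).
 */
function pym_example_script_tag( $pymsrc, $default ) {
	$url = pym_example_resolve_pymsrc( $pymsrc, $default );
	if ( false === $url ) {
		$message = sprintf(
			'pymsrc "%s" is not an allowed script source. Use the default or ask an administrator to allow this host on the Pym settings page.',
			$pymsrc
		);
		return '<p class="pym-error">' . esc_html( $message ) . '</p>';
	}
	// esc_url() on an already-validated URL guards the attribute context.
	return '<script type="text/javascript" src="' . esc_url( $url ) . '"></script>';
}
```

Called from the shortcode handler with the attribute value and `get_option( 'default_pymsrc', pym_pymsrc_local_url() )` as the second argument, this replaces the direct echo from the report. The two-step check matters because wp_http_validate_url() alone answers "is this a well-formed external http(s) URL", which is exactly what a hostile `pymsrc` value would be; only the host comparison turns it into the whitelist the issue asks for.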