#1769 closed defect (bug) (fixed)
Disable embeds for plugin readme content
| Reported by: | dd32 | Owned by: | obenland |
|---|---|---|---|
| Milestone: | | Priority: | high |
| Component: | Plugin Directory | Keywords: | |
| Cc: | | | |
Description
Currently the WordPress 4.5 oEmbed functionality is enabled for plugin content; however, for whatever reason, it's not being displayed properly.
I don't think we should enable non-whitelisted embed sources (media, etc), as it doesn't allow us to control what data is shown on a plugin page, and may allow a plugin author to serve targeted ads or other information which our scanners would not be able to pick up.
Arguably, we have the same situation today with YouTube embeds; however, I feel they're a lot harder to abuse.
For an example of a site that's being pulled in, see the Website section at the end of this plugin's description: https://wordpress.org/plugins-wp/taghound-media-tagger/ you'll find the `<iframe>` in the output, just not functional. (Note: This plugin isn't doing anything wrong)
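One way to enforce the allowlist the description asks for, as an added example that is not the Plugin Directory's code or the change made for this ticket: it trims the provider map through WordPress core's `oembed_providers` filter and turns off oEmbed discovery through `embed_oembed_discover`, so only allowlisted endpoints can produce an embed. The YouTube-only host list and the function names are assumptions.

```php
<?php
// Added example. Assumption: only YouTube's oEmbed endpoint is trusted.
const ALLOWED_EMBED_HOSTS = ['www.youtube.com', 'youtube.com'];

/** True when $url is http(s) and its host is on the allowlist (exact match). */
function embed_host_allowed(string $url): bool {
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    $host   = strtolower((string) parse_url($url, PHP_URL_HOST));
    return in_array($scheme, ['http', 'https'], true)
        && in_array($host, ALLOWED_EMBED_HOSTS, true);
}

/**
 * Keep only providers whose oEmbed endpoint is allowlisted.
 * Core's provider map has the shape: url pattern => [endpoint, is_regex].
 */
function filter_embed_providers(array $providers): array {
    return array_filter($providers, function ($provider) {
        return is_array($provider) && isset($provider[0])
            && embed_host_allowed((string) $provider[0]);
    });
}

if (function_exists('add_filter')) {
    // Inside WordPress: restrict known providers to the allowlist.
    add_filter('oembed_providers', 'filter_embed_providers');
    // Without this, a URL with no matching provider can still be embedded
    // via discovery of oEmbed <link> tags on the remote page.
    add_filter('embed_oembed_discover', '__return_false');
} else {
    // Stand-alone run with a constructed provider map (not core's real list).
    $sample = [
        '#https?://((m|www)\.)?youtube\.com/watch.*#i' => ['https://www.youtube.com/oembed', true],
        '#https?://youtu\.be/.*#i'                     => ['https://www.youtube.com/oembed', true],
        '#https?://media\.example\.org/.*#i'           => ['https://media.example.org/oembed', true],
        '#https?://youtube\.com\.example\.net/.*#i'    => ['https://youtube.com.example.net/oembed', true],
    ];
    print_r(array_keys(filter_embed_providers($sample)));
}
```

The host comparison is an exact match on the parsed host, so a look-alike such as `youtube.com.example.net` is dropped along with unrelated providers.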
In 3476: