Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#1769 closed defect (fixed)

Disable embeds for plugin readme content

Reported by: dd32
Owned by: obenland
Milestone:
Priority: high
Component: Plugin Directory
Keywords:
Cc:

Description

Currently the WordPress 4.5 oEmbed functionality is enabled for plugin content; however, for whatever reason, it's not being displayed properly.

I don't think we should enable non-whitelisted embed sources (media, etc.), as it doesn't allow us to control what data is shown on a plugin page, and may allow a plugin author to serve targeted ads or other information which our scanners would not be able to pick up.
Arguably, we have the same situation today with YouTube embeds; however, I feel they're a lot harder to abuse.

For an example of a site that's being pulled in, see the Website section at the end of this plugin's description: https://wordpress.org/plugins-wp/taghound-media-tagger/. You'll find the <iframe> in the output, just not functional. (Note: This plugin isn't doing anything wrong.)

Change History (3)

#1 @obenland
3 years ago

  • Milestone set to Plugin Directory v3 - M5
  • Owner set to obenland
  • Status changed from new to assigned

#2 @obenland
3 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

In 3476:

Plugin Directory: Whitelist oembed providers for the directory.

Fixes #1769.

#3 @samuelsidler
3 years ago

  • Milestone Plugin Directory v3 - M5 deleted
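
One way to restrict embeds to an allowlist in WordPress, as an added example; this is not the code from changeset 3476. The function name `example_allowlist_oembed_providers`, the constant `ALLOWED_OEMBED_HOSTS` and its contents are assumptions for illustration, and the provider map in the stand-alone branch is constructed.

```php
<?php
// Added example: limit oEmbed to an allowlist of provider endpoint hosts.
// ALLOWED_OEMBED_HOSTS is an assumption, not the Plugin Directory's actual list.
const ALLOWED_OEMBED_HOSTS = array( 'www.youtube.com' );

/**
 * Keep only providers whose oEmbed endpoint host is allowlisted.
 *
 * $providers uses core's shape: URL pattern => array( endpoint URL, is_regex ).
 * Filtering on the endpoint host, not the pattern, avoids trusting a loose regex.
 */
function example_allowlist_oembed_providers( $providers ) {
	$kept = array();
	foreach ( $providers as $pattern => $data ) {
		$host = ( is_array( $data ) && isset( $data[0] ) )
			? parse_url( $data[0], PHP_URL_HOST )
			: null;
		if ( is_string( $host ) && in_array( strtolower( $host ), ALLOWED_OEMBED_HOSTS, true ) ) {
			$kept[ $pattern ] = $data;
		}
	}
	return $kept;
}

if ( function_exists( 'add_filter' ) ) {
	// Inside WordPress: prune the registered provider list.
	add_filter( 'oembed_providers', 'example_allowlist_oembed_providers' );
	// Pruning alone is not enough: with discovery on, WordPress fetches the
	// linked page and follows any oEmbed <link> it advertises, which is how
	// an arbitrary site ends up embedded. Turn discovery off as well.
	add_filter( 'embed_oembed_discover', '__return_false' );
} else {
	// Stand-alone run over a constructed provider map.
	$sample = array(
		'#https?://((m|www)\.)?youtube\.com/watch.*#i' => array( 'https://www.youtube.com/oembed', true ),
		'#https?://youtu\.be/.*#i'                     => array( 'https://www.youtube.com/oembed', true ),
		'https://media.example/*'                      => array( 'https://media.example/oembed', false ),
	);
	// Print the URL patterns that survive the allowlist.
	print_r( array_keys( example_allowlist_oembed_providers( $sample ) ) );
}
```

Content rendered before the filters were added may still carry cached embed HTML, so cached oEmbed results need to be cleared or the readme re-imported for the restriction to take effect on existing pages.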