Opened 8 years ago

Closed 8 years ago

Last modified 7 years ago

#1769 closed defect (bug) (fixed)

Disable embeds for plugin readme content

Reported by: dd32
Owned by: obenland
Milestone:
Priority: high
Component: Plugin Directory
Keywords:


Currently the WordPress 4.5 oEmbed functionality is enabled for plugin content; however, for whatever reason, it's not being displayed properly.

I don't think we should enable non-whitelisted embed sources (media, etc), as it doesn't allow us to control what data is shown on a plugin page, and may allow a plugin author to serve targeted ads or other information which our scanners would not be able to pick up.
Arguably, we have the same situation today with YouTube embeds; however, I feel they're a lot harder to abuse.

For an example of a site that's being pulled in, see the Website section at the end of this plugin's description: you'll find the <iframe> in the output, just not functional. (Note: This plugin isn't doing anything wrong.)

Change History (3)

#1 @obenland
8 years ago

  • Milestone set to Plugin Directory v3 - M5
  • Owner set to obenland
  • Status changed from new to assigned

#2 @obenland
8 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

In 3476:

Plugin Directory: Whitelist oembed providers for the directory.

Fixes #1769.
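
One way to enforce the restriction this ticket asks for, as an added example that is not the code from changeset 3476: it keeps only oEmbed providers whose endpoint host is on an allow list and turns off oEmbed discovery. The function names and the host list are assumptions made for illustration.

```php
<?php
// Added example, not the Plugin Directory's own code.
// Assumption: these are the only oEmbed endpoint hosts the directory trusts.
function readme_allowed_oembed_hosts() {
	return array( 'www.youtube.com', 'vimeo.com' );
}

/**
 * Drop every registered provider whose endpoint host is not on the allow list.
 * $providers maps a URL pattern to array( endpoint URL, is_regex ), which is the
 * shape WordPress passes to the 'oembed_providers' filter.
 */
function readme_filter_oembed_providers( $providers ) {
	$allowed = readme_allowed_oembed_hosts();
	foreach ( $providers as $pattern => $provider ) {
		$host = parse_url( $provider[0], PHP_URL_HOST );
		// Unparseable endpoints are treated as untrusted and removed.
		if ( ! is_string( $host ) || ! in_array( strtolower( $host ), $allowed, true ) ) {
			unset( $providers[ $pattern ] );
		}
	}
	return $providers;
}

if ( function_exists( 'add_filter' ) ) {
	// Must be registered before the WP_oEmbed object is first created,
	// because the provider list is filtered in its constructor.
	add_filter( 'oembed_providers', 'readme_filter_oembed_providers' );
	// Discovery lets any linked page advertise its own oEmbed endpoint via a
	// <link> tag, which would bypass the provider list, so it is disabled.
	add_filter( 'embed_oembed_discover', '__return_false' );
} else {
	// Constructed sample input so the file also runs outside WordPress.
	$sample = array(
		'#https?://(www\.)?youtube\.com/watch.*#i' => array( 'https://www.youtube.com/oembed', true ),
		'#https?://ads\.example\.net/.*#i'          => array( 'https://ads.example.net/oembed', true ),
	);
	print_r( array_keys( readme_filter_oembed_providers( $sample ) ) );
}
```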

#3 @samuelsidler
7 years ago

  • Milestone Plugin Directory v3 - M5 deleted
