2266 pointsCommunity rank #25Supreme DeityMind-Blowingly HelpfulLifetime member
Member
(joined October 2007)
Likes (0)
right, I agree with d_kc. The "public" or general consensus seems to be that offering that on a public site is a no-no. can anyone else share his knowledge about this? I was extremely surprised to find this plugin available here...
463 pointsCommunity rank #108ExpertJust Getting Started
(joined July 2007)
Likes (0)
If you read the plugin, you have to specifically allow each tag you want. Or take out the ones you don't. :) There are semi-public sites that have legit uses for being a bit more open. Or public sites with no public registrations or trusted users.
This plugin makes it easier to manage those kinds of sites, as allowing for a whole pile of varying embed codes for some niches is a huge pain in the butt otherwise.
I don't think all plugins here would be suitable for all sites. It'd be up to you to decide that. :)
2266 pointsCommunity rank #25Supreme DeityMind-Blowingly HelpfulLifetime member
Member
(joined October 2007)
Likes (0)
I know Andrea, I checked the code and saw which tags are included, know we can remove some and include additional ones. Just wanted to get some opinions ;-)
Thanks for sharing your position.
6593 pointsCommunity rank #9Supreme DeityMember of the MonthLifetime member
Keeper of the Dark Chocolate
(joined July 2007)
Likes (0)
A lot of folks have private mu's where signups aren't allowed outside of commenters. (ie: Our *cough* adult mus for example.) This would work well for those.
638 pointsCommunity rank #84ExpertJust Getting Started
Member
(joined July 2007)
Likes (0)
In general, it depends on your users and your site set-up.
Me personally, I wouldn't allow embed or script tags in a completely open set-up. While the odds may be low, the risk to me is just too great. One possibility would be to further filter based on the url (if it wasn't youtube, google, etc, then strip it), but even that could be open to potential malicious use.
One may find they get away with it for quite a while without issue. But it only takes one time to kill it.
That being said, I'm not surprised it's available here as this site tries to cater to as many people and uses as possible. It would of course be up to the site admin installing such a plugin to take the responsibility for it, as the plugins here are without warranty or liability. :)
63 pointsCommunity rank #928El PresidenteJust Getting Started
Member
(joined August 2008)
Likes (0)
What would be the ones you would not allow on a public mu site ?
How could we filter these like suggested ? (ex: just google.com / youtube / whatever).
2266 pointsCommunity rank #25Supreme DeityMind-Blowingly HelpfulLifetime member
Member
(joined October 2007)
Likes (0)
I just tried using the unfiltered plugin and adding this: `'br' => array(
'class' => array(), 'id' => array(),
'style' => array()
),` to the array but wpmu 2.6.2 is still filtering my br tags ;-( can I please have some ideas how to allow myself to insert br tags?
2266 pointsCommunity rank #25Supreme DeityMind-Blowingly HelpfulLifetime member
Member
(joined October 2007)
Likes (0)
well I first used the unfiltered plugin from automatic which should allow all tags, but it didn't work then I tried the additional tags plugin you published here and added the above but still didn't work.
didn't work meaning: I edit a post with the code editor/view, enter a br tag, then switch to the wysiwyg editor then back to the code view again and the br tag is gone.
7430 pointsCommunity rank #7Supreme DeityMember of the MonthLifetime member
Erstwhile founder
(joined May 2007)
Likes (0)
I edit a post with the code editor/view, enter a br tag, then switch to the wysiwyg editor then back to the code view again and the br tag is gone.
I'm afraid that our plugin doesn't interact with TinyMCE in any way. It just interacts with kses. If TinyMCE is stripping the br tags then I'm afraid our plugin won't help.
2266 pointsCommunity rank #25Supreme DeityMind-Blowingly HelpfulLifetime member
Member
(joined October 2007)
Likes (0)
ahhh, now I get it. Reading your post, I realized, I had an tinyMCE plugin activated to offer more plugins for tinyMCE itsself.
Thx. for pushing me in the right direction :-)
6593 pointsCommunity rank #9Supreme DeityMember of the MonthLifetime member
Keeper of the Dark Chocolate
(joined July 2007)
Likes (0)
You use them in the post content that you write. It allows you the use of additional html tags in your content. (ie embeds, iframes, etc.)
If you're running a public mu site where outsiders can sign up and create accounts, you may want to think about the use of such a plugin. For example, take a look at how blogspot has all those hacked blogs that, for example, jump you to another site when you try to view them.
1295 pointsCommunity rank #39Supreme DeityMember of the MonthLifetime member
Lifetime member!
(joined November 2010)
Likes (0)
Revisiting a question above, is there any way to sanitize input, for example to only allow JavaScript that includes a certain string ("AdSense", "YouTube", etc.)?
For adsense, you;re going to have to create something yourself. I say that because you;re going to want to add that to the themes directly and you;re going to have to work that into your themes. You may want to look at the advert sharing plugin though. There's a sticky about this.
I;m against using the unfiltered plugin. No matter what you do for security, you;re doing to get people playing with it, trying to find a way around it. Someone may find a way around it and that'll cause you problems.
Responses (26)
Member (joined August 2008) Likes (0)
I thought allowing this on a public site is a no-no. What about security ?
Founder & CEO (joined May 2007) Likes (0)
I, ahem, don't personally think there are any huge security issues. But others have different opinions :)
Member (joined October 2007) Likes (0)
right, I agree with d_kc. The "public" or general consensus seems to be that offering that on a public site is a no-no. can anyone else share his knowledge about this? I was extremely surprised to find this plugin available here...
(joined July 2007) Likes (0)
If you read the plugin, you have to specifically allow each tag you want. Or take out the ones you don't. :) There are semi-public sites that have legit uses for being a bit more open. Or public sites with no public registrations or trusted users.
This plugin makes it easier to manage those kinds of sites, as allowing for a whole pile of varying embed codes for some niches is a huge pain in the butt otherwise.
I don't think all plugins here would be suitable for all sites. It'd be up to you to decide that. :)
Member (joined October 2007) Likes (0)
I know Andrea, I checked the code and saw which tags are included, know we can remove some and include additional ones. Just wanted to get some opinions ;-)
Thanks for sharing your position.
Keeper of the Dark Chocolate (joined July 2007) Likes (0)
A lot of folks have private mu's where signups aren't allowed outside of commenters. (ie: Our *cough* adult mus for example.) This would work well for those.
Member (joined July 2007) Likes (0)
In general, it depends on your users and your site set-up.
Me personally, I wouldn't allow embed or script tags in a completely open set-up. While the odds may be low, the risk to me is just too great. One possibility would be to further filter based on the url (if it wasn't youtube, google, etc, then strip it), but even that could be open to potential malicious use.
One may find they get away with it for quite a while without issue. But it only takes one time to kill it.
That being said, I'm not surprised it's available here as this site tries to cater to as many people and uses as possible. It would of course be up to the site admin installing such a plugin to take the responsibility for it, as the plugins here are without warranty or liability. :)
Member (joined August 2008) Likes (0)
Thanks for clarification, guys.
Member (joined August 2008) Likes (0)
What would be the ones you would not allow on a public mu site ?
How could we filter these like suggested ? (ex: just google.com / youtube / whatever).
Benjamin
Keeper of the Dark Chocolate (joined July 2007) Likes (0)
I think the issue is just not allowing any embed to be allowed, just specific ones from specific sites.
(joined July 2007) Likes (0)
It depends on the site. If it's videos, then I plunk in a video plugin. :)
Member (joined August 2008) Likes (0)
It's ok for videos :)
But I need it for all the rest (google maps, deezer, popfly, etc.)
So what's the difference with the unfiltered-mu plugin then ?
Benjamin
Keeper of the Dark Chocolate (joined July 2007) Likes (0)
I believe the unfiltered one allows all code to be added in, this lets you pick and choose.
Member (joined October 2007) Likes (0)
I just tried using the unfiltered plugin and adding this: `'br' => array(
'class' => array(), 'id' => array(),
'style' => array()
),` to the array but wpmu 2.6.2 is still filtering my br tags ;-( can I please have some ideas how to allow myself to insert br tags?
Erstwhile founder (joined May 2007) Likes (0)
Hrm, that should be working. Which unfiltered plugin are you using?
Thanks,
Andrew
Member (joined October 2007) Likes (0)
well I first used the unfiltered plugin from automatic which should allow all tags, but it didn't work then I tried the additional tags plugin you published here and added the above but still didn't work.
didn't work meaning: I edit a post with the code editor/view, enter a br tag, then switch to the wysiwyg editor then back to the code view again and the br tag is gone.
Erstwhile founder (joined May 2007) Likes (0)
I'm afraid that our plugin doesn't interact with TinyMCE in any way. It just interacts with kses. If TinyMCE is stripping the br tags then I'm afraid our plugin won't help.
Thanks,
Andrew
Member (joined October 2007) Likes (0)
ahhh, now I get it. Reading your post, I realized, I had an tinyMCE plugin activated to offer more plugins for tinyMCE itsself.
Thx. for pushing me in the right direction :-)
Member (joined February 2009) Likes (0)
Hi there - im trying to figure out how this plugin works. I have placed the additional_tags.php in /mu-plugins but nothing else.
How do I use these new tags?
Thanks,
Kenneth
Keeper of the Dark Chocolate (joined July 2007) Likes (0)
You use them in the post content that you write. It allows you the use of additional html tags in your content. (ie embeds, iframes, etc.)
If you're running a public mu site where outsiders can sign up and create accounts, you may want to think about the use of such a plugin. For example, take a look at how blogspot has all those hacked blogs that, for example, jump you to another site when you try to view them.
Member (joined February 2009) Likes (0)
Maybe im kinda slow today - but what additional tags can I use? Is there a list or do 'every' tag work?
Keeper of the Dark Chocolate (joined July 2007) Likes (0)
iframe, object, param, embed, script, div and style. If you open up the file, you should see what's now available to you.
Member (joined February 2009) Likes (0)
I see. Thank you :)
Keeper of the Dark Chocolate (joined July 2007) Likes (0)
Not a problem.
Lifetime member! (joined November 2010) Likes (0)
Revisiting a question above, is there any way to sanitize input, for example to only allow JavaScript that includes a certain string ("AdSense", "YouTube", etc.)?
Keeper of the Dark Chocolate (joined July 2007) Likes (0)
Depends.
For youtube, I'd just point folks to the oembed support that they now offer:
http://codex.wordpress.org/Embeds
For adsense, you;re going to have to create something yourself. I say that because you;re going to want to add that to the themes directly and you;re going to have to work that into your themes. You may want to look at the advert sharing plugin though. There's a sticky about this.
I;m against using the unfiltered plugin. No matter what you do for security, you;re doing to get people playing with it, trying to find a way around it. Someone may find a way around it and that'll cause you problems.
Hope this helps,
-drmike
WordPress Questions?
We've got answers!
Find out more »