[wp-hackers] Using wp-content/uploads to store dynamically created js and CSS

Nicola Peluchetti nicola.peluchetti at gmail.com
Wed Jan 8 22:02:34 UTC 2014


Yes, all the CSS for the plugin (including bootstrap3) is generated
dynamically and it's quite big. Of course it's not generated on every
request, it's stored and regenerated only if needed. JS is just built from
pieces at the moment.

We've had a folder under wp-content for a long time where we stored themes
but that has always been a pain, one time out of three there was no write
access. In fact we are deprecating that in 2.0.

I thought about wp-content/uploads because I guess that, if there is just
one folder which is writable, it must be that.

Why do you say it's unsafe? Is there some possibility that malicious users
could exploit that? I mean, is it a safety risk? Because obviously I don't
care if anyone can access my CSS and JS code.


*Nicola Peluchetti - Senior PHP Developer @ Timely*
Twitter: @nik_peluchetti <https://twitter.com/#!/nik_peluchetti>
Facebook: nicola.peluchetti <https://www.facebook.com/nicola.peluchetti>
Stackoverflow: Stackoverflow<http://stackoverflow.com/users/397861/nicola-peluchetti>
Mobile: +39 339 7507235


On Wed, Jan 8, 2014 at 10:33 PM, Otto <otto at ottodestruct.com> wrote:

> On Wed, Jan 8, 2014 at 2:39 PM, Nicola Peluchetti
> <nicola.peluchetti at gmail.com> wrote:
> > I've read this article
> > http://ottopress.com/2011/tutorial-using-the-wp_filesystem/ where Otto says
> > to inline, but if I inline my js / css is not cached by the browser
> > right? And we are talking about 500kb so it's not trivial.
>
>
> First, are you seriously dynamically generating over 500kb of CSS/JS
> files? Or are you really only generating some of the pieces of those
> files while the rest of them is relatively static? What is the
> "static" to "dynamic" ratio?
>
> I ask because it's perfectly possible to make the static parts static,
> and the dynamic parts inline. JS variables, inline CSS, etc. Just
> because you have it all clumped together currently doesn't mean that
> that is the only possible way.
>
> Secondly, if you do generate a ton of content for whatever reasons,
> you should not store any CSS or JS content in the /uploads directory.
> Instead, make your own directory under /wp-content and store the files
> there instead. The WP_Filesystem object has a function called
> wp_content_dir() that will return the content directory on the
> "remote" filesystem. Using this and the mkdir() function in that same
> object, you can create your own directory to store the files in, write
> them, and then use those URLs instead.
>
> Storing content that will be included into the page in the uploads
> folder is generally unsafe, due to some configurations of shared
> hosting. It's relatively safe for inline media (images, video, etc),
> but it is not safe for CSS or JS content.
>
> -Otto
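The approach described in the quoted reply (a plugin-owned directory under wp-content, created through `wp_content_dir()` and `mkdir()` on the WP_Filesystem object), as an added example that is not part of the original thread. The function name and the `my-plugin-cache` directory are hypothetical, and the code assumes filesystem credentials are already available to `WP_Filesystem()`.

```php
<?php
// Added example, not code from the thread. The myplugin_* name and the
// 'my-plugin-cache' directory are hypothetical.
function myplugin_write_generated_asset( $filename, $contents ) {
    global $wp_filesystem;

    // Accept only a plain "<name>.css" or "<name>.js": no path separators
    // and no extra dots, so "../x.js" or "x.php.js" cannot be written.
    if ( ! preg_match( '/\A[a-z0-9][a-z0-9_-]*\.(css|js)\z/i', $filename ) ) {
        return new WP_Error( 'bad_name', 'Refusing to write ' . $filename );
    }

    require_once ABSPATH . 'wp-admin/includes/file.php';

    // Assumption: credentials are already available (direct access, or FTP
    // constants in wp-config.php). Otherwise request_filesystem_credentials()
    // has to be called from an admin screen first.
    if ( ! WP_Filesystem() ) {
        return new WP_Error( 'fs_unavailable', 'Could not initialise WP_Filesystem' );
    }

    // wp_content_dir() returns wp-content as seen by the transport in use,
    // which can differ from WP_CONTENT_DIR when files are written over FTP.
    $dir = trailingslashit( $wp_filesystem->wp_content_dir() ) . 'my-plugin-cache';

    if ( ! $wp_filesystem->is_dir( $dir ) && ! $wp_filesystem->mkdir( $dir, FS_CHMOD_DIR ) ) {
        return new WP_Error( 'mkdir_failed', 'Could not create ' . $dir );
    }

    $path = trailingslashit( $dir ) . $filename;
    if ( ! $wp_filesystem->put_contents( $path, $contents, FS_CHMOD_FILE ) ) {
        return new WP_Error( 'write_failed', 'Could not write ' . $path );
    }

    // Build the public URL from content_url(), not from the (possibly
    // FTP-relative) filesystem path used for writing.
    return content_url( 'my-plugin-cache/' . $filename );
}

// Regenerate only when needed, then enqueue the stored file by URL.
$url = myplugin_write_generated_asset( 'calendar.css', '/* generated CSS */' );
if ( ! is_wp_error( $url ) ) {
    wp_enqueue_style( 'myplugin-generated', $url );
}
```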