[wp-trac] [WordPress Trac] #16996: oEmbed: Allow custom arguments to be specified
WordPress Trac
wp-trac at lists.automattic.com
Wed Jun 6 13:35:15 UTC 2012
#16996: oEmbed: Allow custom arguments to be specified
-------------------------------------+------------------------------
Reporter: newmediarts | Owner:
Type: feature request | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Embeds | Version: 3.1
Severity: normal | Resolution:
Keywords: has-patch needs-testing |
-------------------------------------+------------------------------
Comment (by nacin):
I thought I'd already posted here before, but arbitrary custom arguments
can result in security flaws.
oEmbed is about trust — you trust the provider to return safe information.
At the moment, the only thing a user can affect is the suggested width and
height. More parameters means the possibility of injecting raw CSS,
JavaScript, or HTML, all of which would be insecure; or an unsanitized
parameter (we've had issues with providers simply sanitizing the widths
and heights as integers), etc.
Distinct filters here (if there isn't already one) are probably the best
we can do, to allow A) plugins to add more arguments to an oEmbed fetch,
and B) plugins to add more accepted arguments for an oEmbed shortcode on a
per-provider basis.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/16996#comment:17>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
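The per-provider allow-listing that the comment above argues for, written out as a small plugin. This is an added example, not code from ticket #16996, the attached patch, or WordPress core. It assumes the core filter `oembed_fetch_url` (applied as `apply_filters( 'oembed_fetch_url', $provider, $url, $args )`, where `$provider` is the endpoint URL core has already built with `url`, `maxwidth` and `maxheight`) is the hook a plugin would use for point A; the provider host names, the extra argument names and the `xmpl_` function names are hypothetical.

```php
<?php
/*
 * Plugin Name: oEmbed extra arguments, allow-listed per provider (illustrative)
 *
 * Added example, not code from ticket #16996 or WordPress core. Assumes the
 * core filter 'oembed_fetch_url' ($provider, $url, $args). Provider hosts,
 * argument names and xmpl_ function names are hypothetical.
 */

/*
 * Per-provider allow-list: endpoint host => ( argument name => validator ).
 * A validator returns the cleaned value, or null to reject it. Nothing
 * outside this table ever reaches a provider, so a plugin cannot forward
 * arbitrary shortcode attributes (which could carry raw CSS, JS or HTML).
 */
function xmpl_oembed_extra_args_allowlist() {
    return array(
        'video.example' => array(                    // hypothetical provider
            'autoplay' => function ( $v ) { return in_array( (string) $v, array( '0', '1' ), true ) ? (string) $v : null; },
            'start'    => function ( $v ) { return ctype_digit( (string) $v ) ? (string) absint( $v ) : null; },
        ),
        'photos.example' => array(                   // hypothetical provider
            'color'    => function ( $v ) { return preg_match( '/\A[0-9a-fA-F]{6}\z/', (string) $v ) ? (string) $v : null; },
        ),
    );
}

/*
 * Reduce an arbitrary argument array (e.g. the [embed] shortcode's attributes)
 * to the validated subset allowed for one provider host. Usable on its own to
 * gate shortcode attributes (point B) before they get anywhere near a fetch.
 */
function xmpl_oembed_clean_extra_args( $host, $args ) {
    $allowlist = xmpl_oembed_extra_args_allowlist();
    if ( ! isset( $allowlist[ $host ] ) || ! is_array( $args ) ) {
        return array();                              // unknown provider: nothing extra
    }
    $clean = array();
    foreach ( $allowlist[ $host ] as $name => $validate ) {
        if ( ! isset( $args[ $name ] ) || is_array( $args[ $name ] ) ) {
            continue;
        }
        $value = $validate( $args[ $name ] );
        if ( null === $value ) {
            continue;                                // rejected: drop it, never pass raw input through
        }
        $clean[ $name ] = $value;
    }
    return $clean;
}

/*
 * Filter callback for point A: append the cleaned arguments to the endpoint URL.
 * add_query_arg() expects its values to be URL-encoded already (it does not
 * encode values on insertion), so encode explicitly: even an allowed value then
 * cannot smuggle a second parameter or break out of the query string.
 */
function xmpl_oembed_fetch_url( $provider, $url, $args ) {
    $host  = parse_url( $provider, PHP_URL_HOST );
    $extra = xmpl_oembed_clean_extra_args( $host, $args );
    if ( empty( $extra ) ) {
        return $provider;
    }
    return add_query_arg( array_map( 'rawurlencode', $extra ), $provider );
}
add_filter( 'oembed_fetch_url', 'xmpl_oembed_fetch_url', 10, 3 );
```

With this in place, a shortcode such as `[embed autoplay="1" start="30" color="<script>" foo="bar"]` against an endpoint on `video.example` appends only `autoplay=1&start=30` to the fetch URL; `color` is not allowed for that host and `foo` is allowed for no host, so both are dropped rather than forwarded. The same allow-list serves point B because the `$args` the filter receives are the shortcode's own attributes; the validators deliberately accept only fixed tokens, digits or hex, matching the comment's point that only integer-style parameters are safe to pass to a provider you have to trust.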