[wp-trac] [WordPress Trac] #32482: Fix TinyMCE js include
WordPress Trac
noreply at wordpress.org
Mon May 25 10:29:38 UTC 2015
#32482: Fix TinyMCE js include
----------------------------+--------------------------------------------
Reporter: yoni y | Owner:
Type: task (blessed) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: TinyMCE | Version: 4.2.2
Severity: normal | Keywords: wp-include, htaccess, security
Focuses: |
----------------------------+--------------------------------------------
It seems like today TinyMCE js code is being included and generated from
the file -
wp-includes/js/tinymce/wp-tinymce.php
I'm not sure why this was originally included this way and if there are
any other includes following the same practice, but this seems like an
unfavourable way to load js dependencies for several reasons -
- Generating a static file on the fly seems like a waste of resources.
- This script mimics a web server, changing include headers and deciding
whether to serve a compressed file or a plain text one. This seems like
something that should be left to the handling web server.
- Having PHP files in wp-includes that are run directly by the web
server seems like it might have some security implications. Sure, we can
craft a .htaccess file that will allow only these specific files to be
run and block all others, but it will be much simpler and easier to
maintain if all PHP scripts under wp-includes are just blocked from
direct access.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/32482>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
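
The two .htaccess approaches the ticket contrasts, written out as an added example (not part of the ticket and not WordPress core's own configuration). It assumes Apache 2.4, a file placed at wp-includes/.htaccess, and AllowOverride covering AuthConfig and FileInfo; use one option, not both.

```apache
# ---------------------------------------------------------------
# Option 1: block direct PHP requests, with a per-file exception.
# This is the "allow only these specific files" variant.
# ---------------------------------------------------------------
<FilesMatch "\.php$">
    Require all denied
</FilesMatch>

# <Files> sections are merged in order of appearance, so this later
# section overrides the deny above for the loader script.
# Caveat: <Files> matches on the base file name only, so ANY file
# called wp-tinymce.php in any subdirectory below this .htaccess is
# allowed, not just js/tinymce/wp-tinymce.php. Every further PHP
# entry point needs another exception like this one.
<Files "wp-tinymce.php">
    Require all granted
</Files>

# ---------------------------------------------------------------
# Option 2: block every direct PHP request under wp-includes.
# This is the simpler rule the ticket argues for. It only works
# once the editor script is shipped as a static .js file, so no
# PHP file in this tree has to be reachable from the web.
# ---------------------------------------------------------------
# <FilesMatch "\.php$">
#     Require all denied
# </FilesMatch>

# With a static file, compression is left to the web server
# instead of being negotiated by a PHP script.
# <IfModule mod_deflate.c>
#     AddOutputFilterByType DEFLATE application/javascript text/javascript
# </IfModule>
```

PHP files loaded through include or require by WordPress itself are unaffected by either option, since these rules only apply to HTTP requests.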