The `pymsrc` option allows users to load arbitrary javascript on the page. about pym-shortcode HOT 4 CLOSED

Thought on this:

• Create an admin page, accessible to super-admins on multisite and admins on single-site, that allows whitelisting sources for the pymsrc and whitelisting domains for the src attribute.
• As a default, whitelist the current site's default pymsrc URL and the current domain.
• At page render time, only output the pymsrc script on the page if it's in the whitelist. Only output the src on the page if it's in the whitelist.
• For a version before the on-render whitelisting goes active, for each site, set up some sort of cron job or something that looks at posts with the [pym shortcode and adds their pymsrcs and src domains to the whitelist, before we present the whitelist to the users.
• On post save, throw an error in the admin if the post's pymsrc or pym domain aren't whitelisted. include a link to an explanation why. Include the text of the forbidden shortcode. In the post, leave the shortcode there but change the attribute names so that they're obviously not working.
  • maybe include a list of users with the appropriate permission to do the edit?

Why limit it to those users? They're who can put <script> tags in posts, by default. (This is the unfiltered_html permission). By limiting editing the whitelist to those users, we raise the trust level required to put javascript on the page. Right now it's anyone who can edit who determines what javascript is allowed on the page. This change limits the determination of what javascript is allowed to the people who normally have that permission.

Why collect data for a version before it goes active? Because if we launch whitelisting with an empty whitelist, we have the chance of silently breaking everyone's existing embeds.

Why cause an error? Because we need to provide feedback that the embed isn't permitted. Why provide instructions? So people know how to remedy the error.

from pym-shortcode.

Another possible solution:

• on the settings page #32, register a setting that allows admins to enable the pymsrc attribute, which would be disabled by default.
• If the attribute is enabled, allow the custom pymsrc.

from pym-shortcode.

Like, at minimum, we should be using https://developer.wordpress.org/reference/functions/wp_http_validate_url/ or something to make sure that the URL is valid.

from pym-shortcode.

register a setting that allows admins to enable the pymsrc attribute, which would be disabled by default.

This would be a breaking change for sites that have used an alternate pymsrc.

However, we can encourage admins in the upgrade notes and in the general readme and in the install notes to check the box and set the pymsrc to the CDN. As part of this, link to the "how to test upgrading this plugin on your site" docs, which should be written as part of #32.

from pym-shortcode.