embed issues

Hi All,

We use the vipers tags plugin on our sceno site to allow users to display video.

However, on our online testing site (which I also run my personal site off) I was planning on enabling embedding. Am I correct in thinking that the only security issues surrounding this are user related?

And by that I mean the only danger is that users could embed something nasty (which obviously wouldn’t be an issue in this case unless I get really drunk one night and decide to hack my own site in a desperate plea for attention).

  • drmike
    • DEV MAN’s Mascot

    Am I correct in thinking that the only security issues surrounding this are user related?

    Depends. What specific method of allowing embedding do you plan on using and to whom will you allow the use of embedding? Considering that the recent security bugs have all allowed those doing the hacking to gain admin level access, or at least that’s how I read it, I would think even allowing admins only to have embed access would even be a possible security concern.

    For example, take a look at the recent thread about the robots.txt file plugin here in the forums. I was able to add in a javascript via a simple copy and paste that was saved directly to the database. (Still rather surprised that no one was willing to comment on that.)

    I wouldn’t do it myself and I don’t allow my installs to do so. Takes five minutes to write up a shortcode filter plugin. I would think that would save you tons of trouble down the road.
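    One way to do what the reply above describes, as an added example that is not code from this thread or from any plugin mentioned in it: a small WordPress shortcode plugin that lets users embed video only by naming an allowlisted provider and a video ID, so no user-supplied HTML or script ever reaches the database or the page. The plugin name, the `[safe_video]` shortcode, the `awv_` function names and the provider list are this example's own assumptions; the WordPress calls (`add_shortcode`, `shortcode_atts`, `esc_url`) are real core functions.

    ```php
    <?php
    /*
    Plugin Name: Allowlisted Video Shortcode (example)
    Description: Users embed video with [safe_video host="youtube" id="..."]; the plugin builds the iframe itself.
    */

    // Constructed allowlist. Each provider maps to an iframe URL template plus a
    // regex the user-supplied ID must match; anything else is rejected outright.
    function awv_allowed_hosts() {
        return array(
            'youtube' => array(
                'url'   => 'https://www.youtube.com/embed/%s',
                'id_re' => '/^[A-Za-z0-9_-]{11}$/',
            ),
            'vimeo'   => array(
                'url'   => 'https://player.vimeo.com/video/%s',
                'id_re' => '/^[0-9]{1,12}$/',
            ),
        );
    }

    // Returns the iframe markup, or an empty string when the input is not acceptable.
    function awv_build_embed( $host, $id, $width, $height ) {
        $hosts = awv_allowed_hosts();
        if ( ! isset( $hosts[ $host ] ) ) {
            return ''; // unknown provider: emit nothing rather than trust the input
        }
        if ( ! preg_match( $hosts[ $host ]['id_re'], $id ) ) {
            return ''; // ID has the wrong shape, so it cannot smuggle markup or another URL
        }
        // Dimensions are clamped integers, never raw strings.
        $width  = max( 100, min( 1280, (int) $width ) );
        $height = max( 100, min( 720,  (int) $height ) );
        $src    = sprintf( $hosts[ $host ]['url'], rawurlencode( $id ) );

        // The only user-controlled pieces are the validated ID and the clamped
        // numbers, and the URL is still escaped on output.
        return sprintf(
            '<iframe src="%s" width="%d" height="%d" frameborder="0" allowfullscreen></iframe>',
            esc_url( $src ),
            $width,
            $height
        );
    }

    // Shortcode handler: [safe_video host="vimeo" id="123456" width="640" height="360"]
    function awv_video_shortcode( $atts ) {
        $atts = shortcode_atts( array(
            'host'   => 'youtube',
            'id'     => '',
            'width'  => 640,
            'height' => 360,
        ), $atts, 'safe_video' );

        return awv_build_embed( strtolower( $atts['host'] ), $atts['id'], $atts['width'], $atts['height'] );
    }
    add_shortcode( 'safe_video', 'awv_video_shortcode' );
    ```

    Because the shortcode text itself is plain text, the normal kses filtering on post content stays in force and the `unfiltered_html` capability never has to be granted; adding a provider means adding one entry to the allowlist, not loosening the filter.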

  • andrea_r
    • The Incredible Code Injector

    On the other hand, if the entire WPMU install has a small handful of users (like Ron & I have one for our various blogs) there’s absolutely no reason to *not* put in the unfiltered MU plugin.

    So for your test site? Sure. Might affect things when you roll changes into the production site though.

  • drmike
    • DEV MAN’s Mascot

    If it’s just you and your coworkers like Andrea mentions, I’d say there’s little risk.

    If it’s an open system, you stand a good chance of turning into another blogger/blogspot with spammers sticking in redirects.

    I’ve actually been tempted to take a shot at edublogs but I don’t know how James would take that.

    We’ve been kicking around the idea of replacing kses completely with the other filter system we talked about a couple weeks ago. (do a search here for robots.txt. It should come up.)