[buddypress-trac] [BuddyPress] #2707: Support oembed

buddypress-trac at lists.automattic.com buddypress-trac at lists.automattic.com
Tue Jul 12 01:36:06 UTC 2011

#2707: Support oembed
  Reporter:  DJPaul  |      Owner:
      Type:  defect  |     Status:  new
  Priority:  major   |  Milestone:  1.3
 Component:  Core    |    Version:  1.3
Resolution:          |   Keywords:  has-patch needs-refresh dev-feedback

Comment (by r-a-y):

 current_user_can() applies to the logged-in user, which 99% of the time is
 okay.  However if you're programmatically adding content (like using
 bp_activity_add()), current_user_can() will return false.

 Since this is an edge case, I'm okay with this.

 Now, let's say an admin wanted to allow oEmbed discovery, it would require
 adding the "unfiltered_html" capability to a role.

 If the admin adds the "unfiltered_html" capability to the base role of
 Subscriber, this would work from a security standpoint because Subscribers
 cannot publish WP posts and it will still allow BP to use oEmbed
 discovery, so that's good!

 oEmbed discovery is relatively safe anyway!  It would take some work by a
 culprit just to embed a piece of malicious script. (eg. setup a domain and
 an oEmbed endpoint and a user would have to paste a URL from said domain.)

 Patch on the way!

Ticket URL: <https://buddypress.trac.wordpress.org/ticket/2707#comment:27>
BuddyPress <http://buddypress.org/>

More information about the buddypress-trac mailing list