[buddypress-trac] [BuddyPress] #2707: Support oembed
buddypress-trac at lists.automattic.com
Tue Jul 12 01:36:06 UTC 2011
#2707: Support oembed
---------------------+--------------------------------------------------
  Reporter:  DJPaul  |       Owner:
      Type:  defect  |      Status:  new
  Priority:  major   |   Milestone:  1.3
 Component:  Core    |     Version:  1.3
Resolution:          |    Keywords:  has-patch needs-refresh dev-feedback
---------------------+--------------------------------------------------
Comment (by r-a-y):
current_user_can() applies to the logged-in user, which 99% of the time is
okay. However if you're programmatically adding content (like using
bp_activity_add()), current_user_can() will return false.
Since this is an edge case, I'm okay with this.
Now, let's say an admin wanted to allow oEmbed discovery; it would require
adding the "unfiltered_html" capability to a role.
If the admin adds the "unfiltered_html" capability to the base role of
Subscriber, this would work from a security standpoint because Subscribers
cannot publish WP posts and it will still allow BP to use oEmbed
discovery, so that's good!
oEmbed discovery is relatively safe anyway! It would take some work by a
culprit just to embed a piece of malicious script. (e.g. set up a domain and
an oEmbed endpoint, and a user would have to paste a URL from said domain.)
Patch on the way!
--
Ticket URL: <https://buddypress.trac.wordpress.org/ticket/2707#comment:27>
BuddyPress <http://buddypress.org/>
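The two points in the comment above (current_user_can() is empty for programmatically added activity, and discovery is gated on unfiltered_html) as an added example. This is not the ticket's patch and not BuddyPress or WordPress code; it is a plugin-style snippet written for this page that assumes it runs inside WordPress with BuddyPress loaded. The example_* function names are hypothetical; user_can(), current_user_can(), get_role(), WP_Role::add_cap()/has_cap(), wp_oembed_get() with its 'discover' argument, and bp_activity_add() are the real WordPress/BuddyPress APIs.

```php
<?php
/*
 * Added example, not part of the ticket or of BuddyPress. Assumes WordPress
 * with BuddyPress loaded; all example_* names are hypothetical.
 */

/*
 * Decide whether oEmbed discovery may be used for a piece of content.
 * current_user_can() checks the logged-in user, which is empty during cron
 * or when content is added with bp_activity_add(), so when an author id is
 * supplied the check is made against that user with user_can() instead,
 * and only falls back to the logged-in user when no author id is given.
 */
function example_may_discover_oembed( $author_id = 0 ) {
    if ( $author_id > 0 ) {
        return user_can( (int) $author_id, 'unfiltered_html' );
    }
    return current_user_can( 'unfiltered_html' );
}

/*
 * Embed a URL found in activity text. Discovery (fetching the oEmbed endpoint
 * advertised by an arbitrary site via <link rel="alternate" ...>) is only
 * enabled when the author has unfiltered_html; otherwise wp_oembed_get() is
 * limited to the providers whitelisted in WP_oEmbed. Returns the embed HTML
 * or false when nothing could be embedded.
 */
function example_embed_for_author( $url, $author_id ) {
    $args = array(
        'discover' => example_may_discover_oembed( $author_id ),
    );
    $html = wp_oembed_get( esc_url_raw( $url ), $args );
    return $html ? $html : false;
}

/*
 * Programmatic activity: there is no logged-in user, so current_user_can()
 * would return false and discovery would always be off. Passing the author
 * id keeps the capability decision tied to the user the content is
 * attributed to. Returns the new activity id, or false on failure.
 */
function example_add_link_activity( $user_id, $url ) {
    $embed   = example_embed_for_author( $url, $user_id );
    $content = $embed ? $embed : esc_html( $url );

    return bp_activity_add( array(
        'user_id'   => (int) $user_id,
        'component' => 'activity',
        'type'      => 'activity_update',
        'content'   => $content,
    ) );
}

/*
 * The admin opt-in described in the comment: grant unfiltered_html to the
 * Subscriber role so discovery works for those users. The has_cap() guard
 * avoids rewriting the role on every request, since add_cap() persists to
 * the database. Note what the grant covers: WordPress core skips its own
 * KSES filtering (kses_init) for any user holding unfiltered_html, so the
 * capability is broader than oEmbed discovery alone.
 */
function example_grant_discovery_to_subscribers() {
    $role = get_role( 'subscriber' );
    if ( $role && ! $role->has_cap( 'unfiltered_html' ) ) {
        $role->add_cap( 'unfiltered_html' );
    }
}
add_action( 'init', 'example_grant_discovery_to_subscribers' );
```

Usage: drop the file in a plugin, call example_add_link_activity( $user_id, $url ) from the code path that creates activity without a logged-in user (a cron job or importer), and discovery will follow the capabilities of $user_id rather than the empty current user.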