WordPress.org

Ready to get started?Download WordPress

Forums

Editor style url access? (3 posts)

  1. gallantfish
    Member
    Posted 4 months ago #

    Excuse me for my lack of time to get into the codex and find it out by myself (I'm not a formal programmer so it'd take me forever to decypher it), but is the editor-style.css file url-accessable for non-registered visitors?

    In other words: is my wysiwig editor scripts processing a stylesheet whose location was easy to guess (and thus, to hack) ?

    Thanks.

  2. Bryan Purcell
    Member
    Posted 4 months ago #

    No, that file isn't loaded on the frontend, so its address wont be visible to the outside world. If you name it a randomly generated code - that will make it very difficult for a bad guy to access it from the frontend. That said, unless you're using SSL for the admin - I wouldn't consider this a secure method of hiding data.

    I'm also not sure why you're concerned - I can't see how a malicious user would be able to use a typical editor-styles.css to do any harm

    cheers,
    Bryan

  3. gallantfish
    Member
    Posted 4 months ago #

    Oh, I didn't know I can name it anything.
    I followed WP codex and anyone is told to name it editor-style.css.

    Well, the css loads directly in a logged in browser, in an environment that proccess it by JS TinyMCE. I can't predict that far but I guess it's not an obvious place where security has been reinforced.

    Good to know that someone else has the certainty :)

Reply

You must log in to post.

About this Topic