WordPress.org Forums
Raw HTML Snippets
feature suggestion - admin only access (2 posts)

  1. peteratomic
    Member
    Posted 2 years ago #

    I gave this a five-star rating previously and am thinking about taking it down a notch, as I just discovered that contributors and authors have access. I think you should add the option of changing the access level, as it means any contributor could add whatever code they want. Not a huge risk with our community, but enough that some kind of restriction should be added, IMHO.

    http://wordpress.org/extend/plugins/raw-html-snippets/

  2. DestinyArchitect
    Member
    Posted 2 years ago #

    1. LXJV4T=I strongly second the gist of this suggestion, specifically:
      1. LXJV5G=Who can create & edit these snippets (which could run dangerous code) must be limited (except on a site where all logins are fully trusted, a big limitation).
        1. LXJVNV=But, as a refinement of the prior post, it need not be only a role limited to admins. Instead, ideally it would be a role grantable by an admin (or by someone an admin has granted the right to grant the role).
      2. LXJV5S=Indeed, if this fix is done, this would appear a very tool, indeed fairly unique in this aspect.
      3. LXJV5Y=But the present situation I call drawback LXIYL8, a serious security hole,
        1. LXJV92=as this safety mechanism LXJV5G (above) appears missing as:
          1. LXJW7V=the prior post reports it is (and that was just 2 weeks ago, but the plugin (latest "Version 1.1.2") was "Last Updated: 2011-5-18", not recent enough)
          2. LXJW85=the official docs don't say otherwise.
        2. LXJVBZ=so that's the reason I didn't install this plugin.
          1. LXJV64=Indeed, I only considered the plugin originally because I was guessing this security hole wouldn't be there, since it's so obvious (analogous to, in Unix, allowing an arbitrary user to create an executable file which instead runs with almost-admin permissions: an obvious no-no). But fortunately, just before installing this plugin, I searched reviews about it and found this thread on top.
      4. LXJVDQ=So in the meantime
        1. LXJVDZ=I'm not using such a plugin presently (since I can't find something as easy but also safe), and what I need to do is inject CSS (so add it to the style file), still
        2. LXJVE9=the best alternative plugin I have seen (but not by trying it) is PHP Snippets; indeed, it allows for arbitrary PHP (so presumably JavaScript & CSS, too), but the code must be created by one able to edit PHP code, so no security hole.
      5. LXJVLY=Hope this feedback helps.
      6. LXJW0Z=(Aside: What are these codes "LXJW0Z" on this point?)

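The access restriction both posts ask for, as an added example written for this page (it is not code from the Raw HTML Snippets plugin or from either poster): a dedicated capability that administrators hold by default and can grant to individual users, enforced through the snippet post type's capability map and rechecked on save, so that Contributors and Authors cannot create snippets unless explicitly granted the right. The `rhs_` prefix, the capability name `manage_raw_snippets` and the post type `rhs_snippet` are assumptions; the WordPress functions used are the standard plugin API.

```php
<?php
/*
 * Plugin Name: RHS capability-gated raw snippets (added example)
 *
 * Assumed names: the rhs_ prefix, the capability 'manage_raw_snippets'
 * and the post type 'rhs_snippet' are illustrative, not the real plugin's.
 */

// 1. A dedicated capability. Only Administrators receive it on activation;
//    an admin can later grant it to a user or role with add_cap().
const RHS_CAP = 'manage_raw_snippets';

register_activation_hook( __FILE__, function () {
    $admin = get_role( 'administrator' );
    if ( $admin ) {
        $admin->add_cap( RHS_CAP );
    }
} );

register_deactivation_hook( __FILE__, function () {
    // Clean up so the capability does not linger on any role after removal.
    foreach ( array( 'administrator', 'editor', 'author', 'contributor' ) as $role_name ) {
        $role = get_role( $role_name );
        if ( $role ) {
            $role->remove_cap( RHS_CAP );
        }
    }
} );

// 2. Store snippets as a private post type whose every capability maps onto
//    RHS_CAP. With map_meta_cap disabled, current_user_can( 'edit_post', $id )
//    on a snippet resolves directly to RHS_CAP, so the post editor, XML-RPC and
//    any other code path that honours post-type capabilities enforce one rule,
//    instead of the default edit_posts that Authors and Contributors hold.
add_action( 'init', function () {
    register_post_type( 'rhs_snippet', array(
        'label'        => 'Raw Snippets',
        'public'       => false,
        'show_ui'      => true,
        'show_in_rest' => false,
        'supports'     => array( 'title', 'editor' ),
        'map_meta_cap' => false,
        'capabilities' => array(
            'edit_post'          => RHS_CAP,
            'read_post'          => RHS_CAP,
            'delete_post'        => RHS_CAP,
            'edit_posts'         => RHS_CAP,
            'edit_others_posts'  => RHS_CAP,
            'publish_posts'      => RHS_CAP,
            'read_private_posts' => RHS_CAP,
            'delete_posts'       => RHS_CAP,
            'create_posts'       => RHS_CAP,
        ),
    ) );
} );

// 3. Second line of defence: snippet content is executed verbatim, so refuse
//    any insert/update of this type by a user lacking the capability, even if
//    some other code tries to save a snippet on that user's behalf.
add_filter( 'wp_insert_post_data', function ( $data ) {
    if ( isset( $data['post_type'] ) && 'rhs_snippet' === $data['post_type']
        && ! current_user_can( RHS_CAP ) ) {
        wp_die( 'You are not allowed to create or edit raw snippets.', 403 );
    }
    return $data;
} );

// 4. Render a published snippet unfiltered. The security boundary is who may
//    WRITE a snippet (steps 1-3), not who may display it; escaping the output
//    here would defeat the purpose of a raw HTML/JS/CSS snippet.
add_shortcode( 'raw_snippet', function ( $atts ) {
    $atts = shortcode_atts( array( 'id' => 0 ), $atts );
    $post = get_post( (int) $atts['id'] );
    if ( ! $post || 'rhs_snippet' !== $post->post_type || 'publish' !== $post->post_status ) {
        return '';
    }
    return $post->post_content;
} );
```

An administrator then grants the capability to one trusted account rather than to a whole role, which is the "grantable by an admin" behaviour the second post asks for: `get_user_by( 'login', 'alice' )->add_cap( 'manage_raw_snippets' );` (both are standard WordPress APIs). Because the capability is the same one the Unix analogy in that post implies (only someone already trusted to run code on the server may author a snippet), a sensible default is to grant it only to users who already hold `edit_plugins` or `unfiltered_html`.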
This topic has been closed to new replies.