• [Resolved] Daedalon (@daedalon)


    Just installed 0.3, thanks for the fixes. However, as we want to remove all HTML comments for security and performance reasons, we now have to edit the plugin code again manually to remove these lines from each of our pages’ HTML:

    <!-- START - Wonderm00n's Simple Facebook Open Graph Tags 0.3 -->
    <!-- END - Wonderm00n's Simple Facebook Open Graph Tags -->

    I know there are plugins for this, but ideally security and performance shouldn’t be something for which you have to install separate plugins. Not least because new plugins always take a bit more system resources and add new possibilities for security issues.

    Would you be kind enough to make the output of these HTML comments optional by adding a user setting for that?

    http://wordpress.org/extend/plugins/wonderm00ns-simple-facebook-open-graph-tags/

Viewing 2 replies - 1 through 2 (of 2 total)
  • Hi there,

    I have no plans on having an option to remove this.

    This is useful for me for support reasons:
    – Enclosing my plugin tags in the comments lets me know which are mine and not other plugins’ tags, and easily debug problems;
    – The version is important for me to know whether the user is using the last version or not;

    This causes no security problems. This plugin does not manipulate data in any way. Even if a security flaw was found in a specific version, it would only affect the output of these tags.

    Thread Starter Daedalon (@daedalon)

    Hi, and thanks for the reply. I’m afraid I didn’t explain myself as clearly as I should have. If you consider the HTML comments as debugging information, here’s the current situation:

    • Debugging is turned on by default.
    • The siteadmin can not turn it off in any update-safe way.

    Proposed situation:

    • Debugging is turned on by default (no change).
    • The siteadmin can turn it off in an update-safe way. Naturally, the siteadmin can turn it back on when desired. (Whether they do is dependent on the implementation. Try having “Any issues? Make sure that Debugging is turned on and let us know in the support forum!” in a visible place.)

    The benefits:

    1. Security. Even if this plugin never has a security flaw, HTML comments are a widely used way to find information about site internals. The safest site is one where a potential attacker does not even have a clue how to begin attacking it; the least safe site basically hands the attacker all the information that can potentially be used against the site.
    2. Performance. Every HTML character transmitted costs in speed for both the site owner and the client. The only non-private, non-dev-version software I’ve ever seen that ships with debugging forced on are a few odd WordPress plugins. The rest of the world uses the standard practice of having an option to turn debugging on when needed.

    There are other, more minor issues, such as setting a bad example for other plugin developers. The more software there is that runs with debugging forced on, the harder it is to help plugin developers understand the security and performance reasons. If there were only one piece of software at a time that ran with that option, it would be far more likely for the author to notice: “Hey! Why is everyone else not using this sweet forced debugging option? Maybe, just maybe, people in software development around the world have noticed something during their decades of development work that I might learn from. I’d best investigate this…”

    I hope you would reconsider the issue of forcing everyone to use an option some would rather disable for (in their opinion) good reasons. Most plugins and other software don’t even have an option for the users to turn debugging on at all, so even having the option on by default is a big step away from the majority of software in this regard.
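The update-safe toggle requested in the two posts above, as an added example that is not the plugin's own code and is not taken from this thread. It shows how a plugin can keep its debug/version HTML comments on by default while letting a site administrator switch them off through a stored option or a filter, without editing plugin files that the next update would overwrite. The option name `wmsfog_example_output_comments`, the filter of the same name, and the function names are assumptions chosen for this example; the WordPress API calls (`get_option`, `apply_filters`, `register_setting`, `add_action`, `add_filter`, `esc_attr`, `__return_false`) are real.

```php
<?php
/*
 * Added example, not the plugin's code: gate the START/END HTML comments
 * (and the version number they carry) behind a site setting and a filter.
 * Names prefixed "wmsfog_example_" are assumptions made for this example.
 */

// Assumed option name. The default '1' keeps the current behaviour (comments on).
define( 'WMSFOG_EXAMPLE_OPTION', 'wmsfog_example_output_comments' );

// Register the option so it can be saved from a settings page and is sanitised to '0'/'1'.
add_action( 'admin_init', function () {
    register_setting( 'general', WMSFOG_EXAMPLE_OPTION, array(
        'type'              => 'string',
        'default'           => '1',
        'sanitize_callback' => function ( $value ) {
            return $value ? '1' : '0';
        },
    ) );
} );

/**
 * Decide whether the debug comments should be emitted.
 * Stored option first, then a filter so admins can override it from a
 * mu-plugin or theme (both survive plugin updates).
 */
function wmsfog_example_comments_enabled() {
    $enabled = ( get_option( WMSFOG_EXAMPLE_OPTION, '1' ) === '1' );
    return (bool) apply_filters( 'wmsfog_example_output_comments', $enabled );
}

/**
 * Render the Open Graph meta tags. The wrapping comments, and therefore the
 * version string, only appear when the setting is on, so a site that turns
 * them off no longer advertises which plugin version it runs.
 *
 * @param array  $tags    property => content pairs (e.g. 'og:title' => '...').
 * @param string $version plugin version to show in the START comment.
 */
function wmsfog_example_render_tags( array $tags, $version ) {
    $out = '';
    foreach ( $tags as $property => $content ) {
        // esc_attr() keeps user-controlled titles/URLs from breaking out of the attribute.
        $out .= sprintf(
            "<meta property=\"%s\" content=\"%s\" />\n",
            esc_attr( $property ),
            esc_attr( $content )
        );
    }

    if ( wmsfog_example_comments_enabled() ) {
        $out = "<!-- START - Example Open Graph Tags " . esc_attr( $version ) . " -->\n"
             . $out
             . "<!-- END - Example Open Graph Tags -->\n";
    }
    return $out;
}

// Emit the tags in the document head, as the plugin does.
add_action( 'wp_head', function () {
    if ( ! is_singular() ) {
        return;
    }
    $tags = array(
        'og:title' => get_the_title(),
        'og:url'   => get_permalink(),
        'og:type'  => 'article',
    );
    echo wmsfog_example_render_tags( $tags, '0.3' );
} );

/*
 * Site-administrator side (goes in wp-content/mu-plugins/ or the theme's
 * functions.php, never in the plugin directory): turn the comments off
 * without touching the plugin files or the database.
 */
add_filter( 'wmsfog_example_output_comments', '__return_false' );
```

With the option left at its default the output is identical to the plugin's current markup; an administrator who wants the comments gone either unchecks the setting or drops the one-line `add_filter` into a mu-plugin, and the author can still ask users to re-enable it when reporting problems.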

  • The topic ‘[Plugin: Wonderm00n's Simple Facebook Open Graph Meta Tags] [REQ] Option to disable the output’ is closed to new replies.