WordPress.org

Ready to get started?Download WordPress

Forums

Facebook Open Graph Meta Tags for WordPress
[resolved] [Plugin: Wonderm00n's Simple Facebook Open Graph Meta Tags] [REQ] Option to disable the output (3 posts)

  1. Daedalon
    Member
    Posted 1 year ago #

    Just installed 0.3, thanks for the fixes. However, as we want to remove all HTML comments for security and performance reasons, we now have to edit the plugin code again manually to remove these lines from each of our pages' HTML:

    <!-- START - Wonderm00n's Simple Facebook Open Graph Tags 0.3 -->
    <!-- END - Wonderm00n's Simple Facebook Open Graph Tags -->

    I know there are plugins for this, but ideally security and performance shouldn't be something for which you have to install separate plugins. Not least because new plugins always take a bit more system resources and add new possibilities for security issues.

    Would you be kind enough to make the output of these HTML comments optional by adding a user setting for that?

    http://wordpress.org/extend/plugins/wonderm00ns-simple-facebook-open-graph-tags/

  2. wonderm00n
    Member
    Plugin Author

    Posted 1 year ago #

    Hi there,

    I have no plans on having an option to remove this.

    This is useful for me for support reasons:
    - Enclosing my plugin tags around the comments let's me know which are mine and not other plugins tags, and easily debug problems;
    - The version it's important for me to know if the user is using last version or not;

    This causes no security problems. This plugin does not manipulate data in any way. Even if a security flaw was found on a specific version it would only affect the output of this tags.

  3. Daedalon
    Member
    Posted 1 year ago #

    Hi, and thanks for the reply. I'm afraid I didn't explain myself as clearly as I should have. If you consider the HTML comments as debugging information, here's the current situation:

    • Debugging is turned on by default.
    • The siteadmin can not turn it off in any update-safe way.

    Proposed situation:

    • Debugging is turned on by default (no change).
    • The siteadmin can turn it off in an update-safe way. Naturally, the siteadmin can turn it back on when desired. (The fact that they do is dependent on the implementation. Try having "Any issues? Make sure that Debugging is turned on and let us know in the support forum!" in a visible place.

    The benefits:

    1. Security. Even if this plugin does not have a security flaw ever, HTML comments are a very used way to find information about site internals. The most safe site is where a potential attacker does not even have a clue how to begin attacking it; the least safe site basically hands the attacker all the information that can potentially be used against the site.
    2. Performance. Every HTML character transmitted costs in speed for both the site owner and the client. The only non-private, non-dev-version software I've ever seen that ships with debugging forced on are a few odd WordPress plugins. The rest of the world uses the standard practice of having an option to turn debugging on when needed.

    There are other, more minor issues, such as showing a bad example for other plugin developers. The more software there is that runs with debugging forced on, the harder it is to help plugin developers understand the security and performance reasons. If there'd be only one piece of software at a time that runs with that option it'd be far more likely for the author to notice "Hey! Why is everyone else not using this sweet forced debugging option? Maybe, just maybe people in software development around the world have noticed something during their decades of development work that I might learn from. I'll best investigate this..."

    I hope you would reconsider the issue of forcing everyone to use an option some would rather disable for (in their opinion) good reasons. Most plugins and other software doesn't even have an option for the users to turn the debugging on at all, so even having the option on by default is a big step away from the majority of software in this regard.

Topic Closed

This topic has been closed to new replies.

About this Plugin

About this Topic

Tags

No tags yet.