Quote:
Originally Posted by CyberSEO
My end user is a person who uses my plugin at his/her site. Why he can't insert HTML/JS/etc into his own site with my plugin?
|
What about this quote you posted:
Quote:
|
IF you can find an acceptable alternative (like 'here are a list of ads we support, put in your custom IDs here...') we're happy to keep working on this.
|
This suggests that you are allowed to, for example, add a form where the user can enter his partner ID for whatever affiliate program.
Then you can sanitize that ID, and safely insert the ID into the rest of the banner code.
Perhaps I'm wrong but it looks as if they only disallow end-users to insert any code themselves (probably due to security risk when there's an exploit, as anyone would now be able to insert any evil javascript or PHP code he wants).
However, when you only allow the user to insert his partner ID through a form, the plugin can first sanitize that input (the partner ID), before including it into the final code (non-editable) and finally embed the output on page, thus eliminating the risk of "evil code".
For example, a form where users can submit:
- an affiliate url
- the link to media file (for the banner)
I think, would be totally fine, because you can then sanitize and validate both user input, before including it into the final <a href='ÚSER INPUT 1'><img src='USER INPUT 2'></a> code, which then gets injected on page etc.
Might not be what you were trying to build exactly, but I kinda get it from a security stand point. I mean, what if the user ends up using your plugin (allowing code to be inserted without sanitizing it) in combination with some sort of heavily outdated theme, full of XSS holes?