TukuToi / tukutoi-maintenance

Enable and Control a Custom Maintenance Mode for your WordPress Website.
https://www.tukutoi.com/program/tukutoi-maintenance/
GNU General Public License v2.0

[From WP Review Team] Attempting to process custom CSS/JS/PHP #32

Closed smileBeda closed 3 years ago

smileBeda commented 3 years ago

We no longer permit arbitrary plugins to allow users to save custom CSS, JavaScript, or PHP within the plugin.

The primary reason for this is that WordPress includes its own, robust, error-checking CSS editor in the Customizer already. Any time your plugin replicates functionality found in WordPress (i.e. the uploader, jQuery), it is frowned upon, as it presents a possible security risk. The features in WordPress have been tested by many more people than use most plugins, so the built-in tools are less likely to have issues.

As for JavaScript, we recognize that script insertion plugins are amazing and powerful. They're also incredibly dangerous and require a high-level understanding of sanitization, security, and usage. And in the case of most plugins, these are entirely unnecessary. You should never be asking users to paste in arbitrary JavaScript. Instead have them paste in the values custom to their scripts, and generate the rest on your own.

PHP is even more complex. This is why WordPress itself allows you to lock people out of being able to edit theme and plugin files directly (via DEFINES that are used by many managed hosts), but also has a series of post-processing checks that verify the site will still function after any changes.

Please remove this from your plugin:

tkt-maintenance/admin/class-tkt-maintenance-admin.php:358: public function custom_js_cb() {
tkt-maintenance/admin/class-tkt-maintenance-admin.php:369: public function custom_css_cb() {
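The review note's recommendation ("have them paste in the values custom to their scripts, and generate the rest on your own") is easier to act on with a concrete settings pattern in front of you. The following PHP is an added illustration and is not code from the tukutoi-maintenance plugin or from the WordPress review team: it shows the free-form "custom JS" textarea pattern the reviewers ask authors to remove, next to the replacement they suggest, where the plugin accepts one narrow value, validates it with a `sanitize_callback`, and emits the script itself through `wp_add_inline_script()`. All `tkt_example_*` option, setting and handle names, and the identifier format enforced by the regular expression, are hypothetical placeholders chosen for the example.

```php
<?php
/**
 * Added illustration (not the tukutoi-maintenance plugin's own code).
 * Option, setting and handle names prefixed tkt_example_ are hypothetical.
 */

// --- Pattern the reviewers ask plugin authors to drop -------------------
// A textarea whose raw contents are stored and later printed into the page.
// Whatever is saved in that option runs in every visitor's browser, and
// there is nothing meaningful the plugin can validate about it.
function tkt_example_unsafe_custom_js_cb() {
    $js = get_option( 'tkt_example_custom_js', '' );
    echo '<textarea name="tkt_example_custom_js">' . esc_textarea( $js ) . '</textarea>';
}

function tkt_example_unsafe_print_js() {
    // Stored verbatim, printed verbatim.
    echo '<script>' . get_option( 'tkt_example_custom_js', '' ) . '</script>';
}

// --- Recommended pattern --------------------------------------------------
// Accept only the single value the integration needs (here a hypothetical
// "XX-XXXXXXXX" style tracking identifier), reject everything else on save,
// and let the plugin generate the script around it.

// Strict allow-list for the value; anything else is discarded with a notice.
function tkt_example_sanitize_tracking_id( $value ) {
    $value = sanitize_text_field( (string) $value );
    if ( ! preg_match( '/^[A-Z]{1,3}-[A-Z0-9]{4,16}$/', $value ) ) {
        add_settings_error(
            'tkt_example_tracking_id',
            'tkt_example_invalid_id',
            __( 'Tracking ID must look like XX-XXXXXXXX.', 'tkt-maintenance' )
        );
        return '';
    }
    return $value;
}

function tkt_example_register_settings() {
    register_setting(
        'tkt_example_settings',
        'tkt_example_tracking_id',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'tkt_example_sanitize_tracking_id',
            'default'           => '',
        )
    );
}
add_action( 'admin_init', 'tkt_example_register_settings' );

// Settings field: a single-line input, not a code editor.
function tkt_example_tracking_id_cb() {
    $id = get_option( 'tkt_example_tracking_id', '' );
    printf(
        '<input type="text" name="tkt_example_tracking_id" value="%s" pattern="[A-Z]{1,3}-[A-Z0-9]{4,16}" />',
        esc_attr( $id )
    );
}

// Front end: the plugin owns the script; the user's value is passed as data.
function tkt_example_enqueue_tracking() {
    $id = get_option( 'tkt_example_tracking_id', '' );
    if ( '' === $id ) {
        return;
    }
    // Register a handle with no file so inline code can be attached to it.
    // The plugin's own static JS (not shown) reads window.tktExampleTracking;
    // the ID is handed over as JSON, never concatenated into script source.
    wp_register_script( 'tkt-example-tracking', false, array(), null, true );
    wp_enqueue_script( 'tkt-example-tracking' );
    wp_add_inline_script(
        'tkt-example-tracking',
        'window.tktExampleTracking = ' . wp_json_encode( array( 'id' => $id ) ) . ';'
    );
}
add_action( 'wp_enqueue_scripts', 'tkt_example_enqueue_tracking' );
```

Two design points carry the security weight. First, the stored value is validated by an allow-list regular expression inside the `sanitize_callback`, so an invalid value never reaches the database and the front end never has to guess whether an option is trustworthy. Second, the value is serialized with `wp_json_encode()` into a data object instead of being spliced into JavaScript text, which removes the need for any "escape the user's script" logic. For the CSS half of the review note, the equivalent move is to drop the plugin's own CSS field and point users at the Customizer's Additional CSS panel that the note mentions.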

smileBeda commented 3 years ago

Done in develop.