search

publishpress / PublishPress-Authors

PublishPress Authors is the best plugin for adding many authors to one WordPress post. You can create multiple authors, co-authors and guest authors.
14 stars 7 forks source link

Add External URL Image on Avatar Profile #1751

Open rizaardiyanto1412 opened 3 months ago

rizaardiyanto1412 commented 3 months ago

Do you guys think it's good idea to add external URL as image Avatar here?

image

Original request: https://wordpress.org/support/topic/use-external-image-url-for-authors-schema-object-yoast-seo/

ojopaul commented 3 months ago

@stevejburge @rizaardiyanto1412 I'm not sure we're ready for the security consequences of allowing this option?

Allowing option for external url may open up a security loopholes bad actor could exploit and the possibility is limitless, no matter how much sanitation we do or how careful we are, we never can be sure and I've come across of where people rename malicious link to jpg to execute in the frontend.

I think what we could do is making the default avatar filterable and for someone that knows code, they can do it themselves and we have nothing to worry about about potential vulnerability as they put this code in their theme and it's better than allowing someone that has capability to access admin settings to do so.

So, filter is much suitable in this situation rather than taking the risk.

rizaardiyanto1412 commented 3 months ago

@ojopaul I agree. Too much risk here

I also agree with the solution to provide the filter instead

stevejburge commented 3 months ago

Thumbs up from me too, @ojopaul