Open rizaardiyanto1412 opened 3 months ago
@stevejburge @rizaardiyanto1412 I'm not sure we're ready for the security consequences of allowing this option?
Allowing an option for an external URL may open up security loopholes a bad actor could exploit, and the possibilities are limitless. No matter how much sanitization we do or how careful we are, we can never be sure, and I've come across cases where people rename a malicious link to jpg to execute in the frontend.
I think what we could do is make the default avatar filterable, and someone who knows code can do it themselves. We have nothing to worry about regarding potential vulnerabilities, as they put this code in their theme, and it's better than allowing someone who has the capability to access admin settings to do so.
So, a filter is much more suitable in this situation than taking the risk.
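Added example, not part of the thread and not the plugin's code: a sketch of the theme-side filter callback proposed above, with the URL checked before it is returned. The hook name `example_default_author_avatar_url`, the helper `example_safe_avatar_url`, the allowlisted host and the sample URLs are all hypothetical.

```php
<?php
// Added example: theme-side callback for a default-avatar filter.
// The hook name and the allowlisted host are hypothetical placeholders.

const EXAMPLE_AVATAR_HOSTS = ['cdn.example.com']; // assumption: hosts the site owner controls

/**
 * Return $candidate only if it is an https URL on an allowlisted host with no
 * embedded credentials; otherwise keep the built-in default.
 */
function example_safe_avatar_url(string $default, string $candidate): string
{
    $parts = parse_url($candidate);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return $default; // malformed, relative, or host-less (javascript:, data:)
    }
    if (strtolower($parts['scheme']) !== 'https') {
        return $default; // plain http and any other scheme
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return $default; // https://trusted-host@other-host/ style confusion
    }
    if (!in_array(strtolower($parts['host']), EXAMPLE_AVATAR_HOSTS, true)) {
        return $default;
    }
    // The file extension is deliberately not used as a trust signal: a .jpg
    // suffix says nothing about what the remote server actually returns.
    return $candidate;
}

if (function_exists('add_filter')) {
    // Inside WordPress (theme functions.php): attach to the hypothetical hook.
    add_filter('example_default_author_avatar_url', function ($default) {
        return example_safe_avatar_url((string) $default, 'https://cdn.example.com/avatars/default.png');
    });
} else {
    // Stand-alone run with constructed inputs.
    $default = '/wp-content/plugins/example/default-avatar.png'; // constructed path
    foreach ([
        'https://cdn.example.com/avatars/default.png',
        'http://cdn.example.com/a.jpg',
        'javascript:void(0)//a.jpg',
        'https://cdn.example.com@other.example/a.jpg',
    ] as $url) {
        echo $url, ' => ', example_safe_avatar_url($default, $url), PHP_EOL;
    }
}
```

Whatever the callback returns should still be escaped by the template that prints it, since a filter can be hooked by any active theme or plugin code.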
@ojopaul I agree. Too much risk here
I also agree with the solution to provide the filter instead
Thumbs up from me too, @ojopaul
Do you guys think it's a good idea to add an external URL as the image Avatar here?
Original request: https://wordpress.org/support/topic/use-external-image-url-for-authors-schema-object-yoast-seo/