WP.com API: Allow Users to Insert Header Code #34881
Conversation
github-actions
bot
added
[Feature] WPCOM API
[Plugin] Jetpack
|
Thank you for your PR! When contributing to Jetpack, we have a few suggestions that can help us test and review your patch:
This comment will be updated as you work on your PR and make changes. If you think that some of those checks are not needed for your PR, please explain why you think so. Thanks for cooperation 🤖 The e2e test report can be found here. Please note that it can take a few minutes after the e2e tests checks are complete for the report to be available. Jetpack plugin: The Jetpack plugin has different release cadences depending on the platform:
If you have any questions about the release process, please ask in the #jetpack-releases channel on Slack. |
github-actions
bot
added
the
OSS Citizen
| } | ||
|
|
||
| if ( ! empty( $option ) && ! is_admin() ) { | ||
| echo wp_unslash( $option, 'post' ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped |
There was a problem hiding this comment.
What's the best way of handling escaping for something like this? I wasn't quite sure.
There was a problem hiding this comment.
In theory, probably some form of wp_kses(). But since the intent of this is to allow for <script> tags there doesn't seem much point in bothering, since if script tags are allowed an attacker able to set this option could do anything they want anyway.
Pointing that out in a comment might be helpful.
anomiex
added
the
[Status] Needs Review
| @@ -1115,6 +1116,13 @@ function ( $category_id ) { | |||
|
|
|||
| break; | |||
|
|
|||
| case 'jetpack_header_code': | |||
| if ( update_option( $key, $value ) ) { | |||
There was a problem hiding this comment.
Should we perform any safety checks on save? Are we good with any input without any verification?
There was a problem hiding this comment.
Are we good with any input without any verification?
I think so, but happy to be corrected if I'm missing anything obvious. It also seems consistent with what the other options do.
|
Would someone from Jetpack mind checking for a product review decision on that? Happy to include some UI if it's something which Jetpack folks would be keen on. |
That is definitely something we would need to discuss before we move forward. I'll comment on the original issue so we can continue this discussion. |
jeherve
added
[Status] Blocked / Hold
[Status] Needs Product Review
|
This PR has been marked as stale. This happened because:
If this PR is still useful, please do a [trunk merge or rebase](https://github.com/Automattic/jetpack/blob/trunk/docs/git-workflow.md#keeping-your-branch-up-to-date) and otherwise make sure it's up to date and has clear testing instructions. You may also want to ping possible reviewers in case they've forgotten about it. Please close this PR if you think it's not valid anymore — if you do, please add a brief explanation. If the PR is not updated (or at least commented on) in another month, it will be automatically closed. |
|
I still feel this PR is useful! But also still awaiting a product review…wonder if it might be possible to get a decision on that? |
|
This PR has been marked as stale. This happened because:
If this PR is still useful, please do a [trunk merge or rebase](https://github.com/Automattic/jetpack/blob/trunk/docs/git-workflow.md#keeping-your-branch-up-to-date) and otherwise make sure it's up to date and has clear testing instructions. You may also want to ping possible reviewers in case they've forgotten about it. Please close this PR if you think it's not valid anymore — if you do, please add a brief explanation. If the PR is not updated (or at least commented on) in another month, it will be automatically closed. |
Required for Automattic/wp-calypso#86079
Proposed changes:
I thought about adding a separate endpoint like Custom CSS in case it handles a large amount of code, but I decided against it for a few reasons: realistically, I think this will mainly be used for a couple of meta tags; the endpoint already handles large amounts of data (including subscription email HTML and post categories!) and this isn't any larger relative to those, and also I don't think I can add another endpoint on the Calypso side since that's not open-source.
Jetpack product discussion
See Automattic/wp-calypso#56023.
Does this pull request change what data or activity we track or use?
No.
Testing instructions:
I always need help testing endpoints. :) I haven't actually been able to do this from an Atomic site, but I have from a Jetpack one.
/settings/header-code/siteFor example - saving this on the Calypso side:
Should lead to this:
