-
Notifications
You must be signed in to change notification settings - Fork 798
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
WP.com API: Allow Users to Insert Header Code #34881
base: trunk
Are you sure you want to change the base?
Conversation
Thank you for your PR! When contributing to Jetpack, we have a few suggestions that can help us test and review your patch:
This comment will be updated as you work on your PR and make changes. If you think that some of those checks are not needed for your PR, please explain why you think so. Thanks for cooperation 🤖 The e2e test report can be found here. Please note that it can take a few minutes after the e2e tests checks are complete for the report to be available. Jetpack plugin: The Jetpack plugin has different release cadences depending on the platform:
If you have any questions about the release process, please ask in the #jetpack-releases channel on Slack. |
} | ||
|
||
if ( ! empty( $option ) && ! is_admin() ) { | ||
echo wp_unslash( $option, 'post' ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What's the best way of handling escaping for something like this? I wasn't quite sure.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In theory, probably some form of wp_kses()
. But since the intent of this is to allow for <script>
tags there doesn't seem much point in bothering, since if script tags are allowed an attacker able to set this option could do anything they want anyway.
Pointing that out in a comment might be helpful.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, will do!
@@ -1115,6 +1116,13 @@ function ( $category_id ) { | |||
|
|||
break; | |||
|
|||
case 'jetpack_header_code': | |||
if ( update_option( $key, $value ) ) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we perform any safety checks on save? Are we good with any input without any verification?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Are we good with any input without any verification?
I think so, but happy to be corrected if I'm missing anything obvious. It also seems consistent with what the other options do.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It also may be worth discussing if this field should have a UI in Jetpack, or if it's enough to have it in WP.com.
Would someone from Jetpack mind checking for a product review decision on that? Happy to include some UI if it's something which Jetpack folks would be keen on. |
That is definitely something we would need to discuss before we move forward. I'll comment on the original issue so we can continue this discussion. |
This PR has been marked as stale. This happened because:
If this PR is still useful, please do a [trunk merge or rebase](https://github.com/Automattic/jetpack/blob/trunk/docs/git-workflow.md#keeping-your-branch-up-to-date) and otherwise make sure it's up to date and has clear testing instructions. You may also want to ping possible reviewers in case they've forgotten about it. Please close this PR if you think it's not valid anymore — if you do, please add a brief explanation. If the PR is not updated (or at least commented on) in another month, it will be automatically closed. |
I still feel this PR is useful! But also still awaiting a product review…wonder if it might be possible to get a decision on that? |
This PR has been marked as stale. This happened because:
If this PR is still useful, please do a [trunk merge or rebase](https://github.com/Automattic/jetpack/blob/trunk/docs/git-workflow.md#keeping-your-branch-up-to-date) and otherwise make sure it's up to date and has clear testing instructions. You may also want to ping possible reviewers in case they've forgotten about it. Please close this PR if you think it's not valid anymore — if you do, please add a brief explanation. If the PR is not updated (or at least commented on) in another month, it will be automatically closed. |
Required for Automattic/wp-calypso#86079
Proposed changes:
I thought about adding a separate endpoint like Custom CSS in case it handles a large amount of code, but I decided against it for a few reasons: realistically, I think this will mainly be used for a couple of meta tags; the endpoint already handles large amounts of data (including subscription email HTML and post categories!) and this isn't any larger relative to those, and also I don't think I can add another endpoint on the Calypso side since that's not open-source.
Jetpack product discussion
See Automattic/wp-calypso#56023.
Does this pull request change what data or activity we track or use?
No.
Testing instructions:
I always need help testing endpoints. :) I haven't actually been able to do this from an Atomic site, but I have from a Jetpack one.
/settings/header-code/site
For example - saving this on the Calypso side:
![Screenshot 2024-01-06 at 15 26 22](https://cdn.statically.io/img/private-user-images.githubusercontent.com/43215253/294699414-62156dae-c53e-4d91-a779-1d2d7ddd3803.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MjM1NTI0NTgsIm5iZiI6MTcyMzU1MjE1OCwicGF0aCI6Ii80MzIxNTI1My8yOTQ2OTk0MTQtNjIxNTZkYWUtYzUzZS00ZDkxLWE3NzktMWQyZDdkZGQzODAzLnBuZz9YLUFtei1BbGdvcml0aG09QVdTNC1ITUFDLVNIQTI1NiZYLUFtei1DcmVkZW50aWFsPUFLSUFWQ09EWUxTQTUzUFFLNFpBJTJGMjAyNDA4MTMlMkZ1cy1lYXN0LTElMkZzMyUyRmF3czRfcmVxdWVzdCZYLUFtei1EYXRlPTIwMjQwODEzVDEyMjkxOFomWC1BbXotRXhwaXJlcz0zMDAmWC1BbXotU2lnbmF0dXJlPTM5OTEyYzU1NDc3ZGYwNmY3ODc4MGYwYjk3YmEyY2U2YzEzZjYxYTExMTQyZmYyZGZiYTRmYzAzNjZjYTYyZTMmWC1BbXotU2lnbmVkSGVhZGVycz1ob3N0JmFjdG9yX2lkPTAma2V5X2lkPTAmcmVwb19pZD0wIn0.tkIuvfW8obYZx89uJAItvATzdWag0_UiJBvnjMCxXJU)
Should lead to this:
![Screenshot 2024-01-06 at 15 47 13](https://cdn.statically.io/img/private-user-images.githubusercontent.com/43215253/294700102-79e5638a-f32f-4fb0-96c7-16ed4faec36a.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MjM1NTI0NTgsIm5iZiI6MTcyMzU1MjE1OCwicGF0aCI6Ii80MzIxNTI1My8yOTQ3MDAxMDItNzllNTYzOGEtZjMyZi00ZmIwLTk2YzctMTZlZDRmYWVjMzZhLnBuZz9YLUFtei1BbGdvcml0aG09QVdTNC1ITUFDLVNIQTI1NiZYLUFtei1DcmVkZW50aWFsPUFLSUFWQ09EWUxTQTUzUFFLNFpBJTJGMjAyNDA4MTMlMkZ1cy1lYXN0LTElMkZzMyUyRmF3czRfcmVxdWVzdCZYLUFtei1EYXRlPTIwMjQwODEzVDEyMjkxOFomWC1BbXotRXhwaXJlcz0zMDAmWC1BbXotU2lnbmF0dXJlPWEzNDQ1N2ZjNGYzMzVhZTBlZjkyZTgzMDI3YTNlNjJjZmMyYjVkNmQyOWMxNWM2ZGZkZWViMDUxZjYzMzI0OTAmWC1BbXotU2lnbmVkSGVhZGVycz1ob3N0JmFjdG9yX2lkPTAma2V5X2lkPTAmcmVwb19pZD0wIn0.XssHMxXL7A5gLKLwMnfs9lSiV7Fiz4WZ98DHVsGuErM)