7.2.3. Short Codes Section
This section contains settings that allow sources, such as JavaScript and iframes, to
be shown on your site. These settings exist because sources such as JavaScript and iframes
can be harmful to your site and can open security holes. Therefore, you should only allow these
kinds of sources from domains you trust. You can research this on the Internet for more
information.
The settings require a domain to be entered.
- Domain
- The value entered into this field is used to validate the domain from which the source comes. Here, domain means the host part of the source's URL: the part between `(http(s):)//` and the first forward slash (`/`) that follows it. Examples are given in Table 7.15.

  Table 7.15 URLs and their host parts

  | URL | Host |
  |---|---|
  | https://www.youtube.com/embed/videoId | www.youtube.com |
  | //www.instagram.com/embed.js | www.instagram.com |
  | https://platform.twitter.com/widgets.js | platform.twitter.com |
  | https://player.vimeo.com/video/videoId | player.vimeo.com |
  | //assets.pinterest.com/js/pinit.js | assets.pinterest.com |

  Now that we know what the host part of a URL is, let's look at how to allow hosts. You can allow a domain by entering its host part directly. You can also use the wildcard character `*` to match unknown parts of the host part. Examples are given in the following table.

  Table 7.16 Examples of `domain` values matching hosts

  | Value of this setting | Allowed | Host |
  |---|---|---|
  | `www.youtube.com` | Yes | www.youtube.com |
  | `www.youtube.com` | No | youtube.com |
  | `www.youtube.com` | No | studio.youtube.com |
  | `www.instagram.com` | Yes | www.instagram.com |
  | `www.instagram.com` | No | instagram.com |
  | `*.twitter.com` | Yes | platform.twitter.com |
  | `*.twitter.com` | Yes | www.twitter.com |
  | `*.twitter.com` | No | twitter.com |
  | `*twitter.com` | Yes | twitter.com |
  | `*twitter.com` | Yes | somethingtwitter.com |
  | `*twitter.com` | Yes | platform.twitter.com |
  | `*twitter.*` | Yes | twitter.com |
  | `*twitter.*` | Yes | twitter.net |
  | `*twitter.*` | Yes | somethingtwitter.org |

  As shown in Table 7.16, you can enter a host directly as the value of this input. You can also use the `*` character to match anything that you do not know. Note that `*twitter.com` matches all subdomains, but it also matches any domain that ends with `twitter.com`. Therefore, if you want to allow a domain and all of its subdomains, it is recommended that you enter two values: `*.twitter.com` and `twitter.com`. These allow all sources coming from twitter.com and all of its subdomains.

  The following table shows a few examples of values that allow a domain and all of its subdomains for certain web sites.

  Table 7.17 Examples of allowing a domain and all of its subdomains

  | Host | Value of `domain` allowing all domains and subdomains |
  |---|---|
  | youtube.com | `*.youtube.com` and `youtube.com` |
  | twitter.com | `*.twitter.com` and `twitter.com` |
  | instagram.com | `*.instagram.com` and `instagram.com` |
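The matching rules from Tables 7.15 and 7.16, written out as an added Python example (this is not the plugin's own code). It assumes that `*` matches any run of characters, dots included, and that hosts are compared case-insensitively; the names host_of, value_to_regex, is_allowed and risky_values are hypothetical.

```python
import re
from urllib.parse import urlsplit

def host_of(url):
    """Host part of a source URL; also handles protocol-relative //host/path."""
    try:
        # .hostname lowercases and drops any port or user-info, so only the
        # real host is compared against the allowed values.
        return urlsplit(url.strip()).hostname or ""
    except ValueError:  # malformed URL, e.g. unbalanced IPv6 brackets
        return ""

def value_to_regex(value):
    """Assumption: '*' matches any run of characters, dots included."""
    literal_parts = [re.escape(p) for p in value.strip().lower().split("*")]
    return re.compile(".*".join(literal_parts))

def is_allowed(url, domain_values):
    """True if the URL's host fully matches at least one domain value."""
    host = host_of(url)
    if not host:
        return False  # no host to validate: treat as not allowed
    return any(value_to_regex(v).fullmatch(host) for v in domain_values)

def risky_values(domain_values):
    """Values whose wildcard also matches hosts outside the intended domain."""
    return [v for v in domain_values
            if (v.startswith("*") and not v.startswith("*.")) or v.endswith("*")]

if __name__ == "__main__":
    # Constructed sample input, based on the hosts used in Table 7.16.
    broad = ["*twitter.com"]
    strict = ["*.twitter.com", "twitter.com"]
    for src in ("https://platform.twitter.com/widgets.js",
                "//twitter.com/widgets.js",
                "https://somethingtwitter.com/widgets.js"):
        print(f"{host_of(src):26} broad={is_allowed(src, broad)!s:6}"
              f"strict={is_allowed(src, strict)}")
    print("review these values:", risky_values(broad + strict + ["*twitter.*"]))
```

Running risky_values over a list of configured values is a quick way to find entries that should be replaced by the recommended two-value form.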
Important
If a source URL’s host part does not match any of the defined domain values, then the plugin
will not parse the short codes. For example, if an iframe’s source is not allowed, then
the short code that is supposed to show the iframe will not show anything.
7.2.3.1. Allowed domains for iframe short code
When the Convert iframe elements to short code setting is enabled, the plugin automatically
converts iframe elements in the post content into a short code so that WordPress displays the
iframe elements. This setting defines the allowed domains of the source URLs of iframe
elements.
7.2.3.2. Allowed domains for script short code
When the Convert script elements to short code setting is enabled, the plugin automatically
converts script elements in the post content into a short code so that WordPress displays the
script elements. This setting defines the allowed domains of the source URLs of script
elements.