6.2.2. Short Codes Section
This section contains settings that are used to allow sources, such as JavaScript and iframe
, to
be shown in your site. These settings exist, because sources such as JavaScript and iframe
can be harmful to your site, leaving some security holes. Therefore, you should only allow these
kind of sources from the domains you trust. You can research this on the Internet for more
information.
The settings require a domain to be entered.
- Domain
The value entered into this field will be used to validate the domain from which the source comes. What is referred to as domain is the host part of the source’s URL. The host part can basically be defined as the part of the URL that is between
(http(s):)//
part and the first forward slash (/
) coming after this part. Examples are given in Table 6.15. URL Host https://www.youtube.com/embed/videoId www.youtube.com //www.instagram.com/embed.js www.instagram.com https://platform.twitter.com/widgets.js platform.twitter.com https://player.vimeo.com/video/videoId player.vimeo.com //assets.pinterest.com/js/pinit.js assets.pinterest.com Now that we know what the host part of a URL is, let’s look at how to allow them. You can allow a domain by entering its host part directly. Also, you can use wildcard character
*
to match unknown parts of the host part. Examples are given in the following table. Value of this setting Allowed Host www.youtube.com Yes www.youtube.com No youtube.com No studio.youtube.com www.instagram.com Yes www.instagram.com No instagram.com *.twitter.com Yes platform.twitter.com Yes www.twitter.com No twitter.com *twitter.com Yes twitter.com Yes somethingtwitter.com Yes platform.twitter.com *twitter.* Yes twitter.com Yes twitter.net Yes somethingtwitter.org As it is shown in Table 6.16, you can directly enter a host as the value of this input. You can also use
*
character to match anything that you do not know. You can see that using*twitter.com
matches all subdomains. However, it matches any domain that ends withtwitter.com
. Therefore, if you want to allow a domain and all of its subdomains, it is recommended that you enter two values as*.twitter.com
andtwitter.com
. These allow all sources coming from twitter.com and all of its subdomains.The following table shows a few examples to allow all domains and their subdomains for certain web sites.
Host Value of domain
allowing all domains and subdomainsyoutube.com *.youtube.comyoutube.comtwitter.com *.twitter.comtwitter.cominstagram.com *.instagram.cominstagram.com
Important
If a source URL’s host part does not match any of the defined domain
values, then the plugin
will not parse the short codes. For example, if an iframe
’s source is not allowed, then
the short code that is supposed to show the iframe
will not show anything.
6.2.2.1. Allowed domains for iframe short code
When Convert iframe elements to short code setting is enabled, the plugin automatically
converts iframe
elements in the post content into a short code so that WordPress displays the
iframe
elements. This setting defines the allowed domains of the source URLs of iframe
elements.
6.2.2.2. Allowed domains for script short code
When Convert script elements to short code setting is enabled, the plugin automatically
converts script
elements in the post content into a short code so that WordPress displays the
script
elements. This setting defines the allowed domains of the source URLs of script
elements.