# 6.2.2. Short Codes Section¶

This section contains settings that are used to allow sources, such as JavaScript and iframe, to be shown in your site. These settings exist, because sources such as JavaScript and iframe can be harmful to your site, leaving some security holes. Therefore, you should only allow these kind of sources from the domains you trust. You can research this on the Internet for more information.

The settings require a domain to be entered.

Domain

The value entered into this field will be used to validate the domain from which the source comes. What is referred to as domain is the host part of the source’s URL. The host part can basically be defined as the part of the URL that is between (http(s):)// part and the first forward slash (/) coming after this part. Examples are given in Table 6.15.

Table 6.15 URLs and their host parts
URL Host
//www.instagram.com/embed.js www.instagram.com
https://player.vimeo.com/video/videoId player.vimeo.com
//assets.pinterest.com/js/pinit.js assets.pinterest.com

Now that we know what the host part of a URL is, let’s look at how to allow them. You can allow a domain by entering its host part directly. Also, you can use wildcard character * to match unknown parts of the host part. Examples are given in the following table.

Table 6.16 Examples of domain values matching hosts
Value of this setting Allowed Host
www.instagram.com Yes www.instagram.com
No instagram.com

As it is shown in Table 6.16, you can directly enter a host as the value of this input. You can also use * character to match anything that you do not know. You can see that using *twitter.com matches all subdomains. However, it matches any domain that ends with twitter.com. Therefore, if you want to allow a domain and all of its subdomains, it is recommended that you enter two values as *.twitter.com and twitter.com. These allow all sources coming from twitter.com and all of its subdomains.

The following table shows a few examples to allow all domains and their subdomains for certain web sites.

Table 6.17 Examples of allowing a domain and all of its subdomains
Host Value of domain allowing all domains and subdomains
instagram.com
*.instagram.com
instagram.com

Important

If a source URL’s host part does not match any of the defined domain values, then the plugin will not parse the short codes. For example, if an iframe’s source is not allowed, then the short code that is supposed to show the iframe will not show anything.

## 6.2.2.1. Allowed domains for iframe short code¶

When Convert iframe elements to short code setting is enabled, the plugin automatically converts iframe elements in the post content into a short code so that WordPress displays the iframe elements. This setting defines the allowed domains of the source URLs of iframe elements.

## 6.2.2.2. Allowed domains for script short code¶

When Convert script elements to short code setting is enabled, the plugin automatically converts script elements in the post content into a short code so that WordPress displays the script elements. This setting defines the allowed domains of the source URLs of script elements.