7.2.3. Short Codes Section¶
can be harmful to your site, leaving some security holes. Therefore, you should only allow these
kind of sources from the domains you trust. You can research this on the Internet for more
The settings require a domain to be entered.
The value entered into this field will be used to validate the domain from which the source comes. What is referred to as domain is the host part of the source’s URL. The host part can basically be defined as the part of the URL that is between
(http(s):)//part and the first forward slash (
/) coming after this part. Examples are given in Table 7.15.
¶ URL Host https://www.youtube.com/embed/videoId www.youtube.com //www.instagram.com/embed.js www.instagram.com https://platform.twitter.com/widgets.js platform.twitter.com https://player.vimeo.com/video/videoId player.vimeo.com //assets.pinterest.com/js/pinit.js assets.pinterest.com
Now that we know what the host part of a URL is, let’s look at how to allow them. You can allow a domain by entering its host part directly. Also, you can use wildcard character
*to match unknown parts of the host part. Examples are given in the following table.
¶ Value of this setting Allowed Host www.youtube.com Yes www.youtube.com No youtube.com No studio.youtube.com www.instagram.com Yes www.instagram.com No instagram.com *.twitter.com Yes platform.twitter.com Yes www.twitter.com No twitter.com *twitter.com Yes twitter.com Yes somethingtwitter.com Yes platform.twitter.com *twitter.* Yes twitter.com Yes twitter.net Yes somethingtwitter.org
As it is shown in Table 7.16, you can directly enter a host as the value of this input. You can also use
*character to match anything that you do not know. You can see that using
*twitter.commatches all subdomains. However, it matches any domain that ends with
twitter.com. Therefore, if you want to allow a domain and all of its subdomains, it is recommended that you enter two values as
twitter.com. These allow all sources coming from twitter.com and all of its subdomains.
The following table shows a few examples to allow all domains and their subdomains for certain web sites.
¶ Host Value of
domainallowing all domains and subdomains
youtube.com*.youtube.comyoutube.com twitter.com*.twitter.comtwitter.com instagram.com*.instagram.cominstagram.com
If a source URL’s host part does not match any of the defined
domain values, then the plugin
will not parse the short codes. For example, if an
iframe’s source is not allowed, then
the short code that is supposed to show the
iframe will not show anything.
18.104.22.168. Allowed domains for iframe short code¶
When Convert iframe elements to short code setting is enabled, the plugin automatically
iframe elements in the post content into a short code so that WordPress displays the
iframe elements. This setting defines the allowed domains of the source URLs of
22.214.171.124. Allowed domains for script short code¶
When Convert script elements to short code setting is enabled, the plugin automatically
script elements in the post content into a short code so that WordPress displays the
script elements. This setting defines the allowed domains of the source URLs of