SVG Security on WordPress vs. without cms - wordpress

I understand that it is a risk to use SVG and Wordpress disable the use of them. But many website nowadays use SVG because of the performance and resolution. So are all these websites having a huge risk to get hacked?
If I would code the website in plain html, css, php, mysql without a cms, would my website be highly risked to get hacked too?

SVGs are effectively (XML) text that are interpreted and rendered by the browser. The SVG "text" can include scripts (for valid or malicious reasons). SVG has a lot of benefits. I use animated SVG headers that I created myself on my Wordpress sites; file are small and do not rely on JavaScript for animation.
I assume you are ONLY talking about having your OWN SVG images for the header, or in your own posts (and won't be including malicious scripts to attack you or your visitors!). If so, in my fallible opinion, there should be near Zero (can never say never) risk as long as you cater for these possibilities:
you use an SVG file created by someone else that contains malicious code. So create your own, or obtain them from one of the major image sites and check the SVG source text carefully before use.
a visitor/user uploads (innocently or otherwise) a poisoned SVG. Even if it is not displayed on your site the simple act of you viewing (say via Cpanel) the uploaded file in a browser could trigger the malicious payload. So block anyone else from uploading SVGs. Ideally upload your own via FTP and block all uploads via your site's pages.
see also https://wordpress.stackexchange.com/a/247190/128374

Related

Dangers of allowing custom CSS

I'm creating a website that allows users to create their own subchannels. Sorts of like subreddits (if you're familiar with reddit).
And I want to make it so that subchannel administrators are allowed to upload their own CSS files (with a max filesize) that would override the default styles for their subchannels. (Users would also be able to opt out of custom styles.)
I've only heard of a few websites doing this so it's kind of hard to get info on the risks involved. Would there be any potential security risks?
I would be doing this with Laravel, for reference.
Javascript can be executed in CSS, you have to make sure that you are using some filtering.
I have also seen incidents where someone has covered the entire page on a microsoft controlled site with a transparent pixel, linking to a malicious site. Clicking anywhere triggered the attackers site to appear.
This could however be safe if the user only sees his or her own CSS, and they would have no way of someone else viewing what they have done. Otherwise some sort of whitelist or markdown would work.
There is also the potential that the user CSS could break your site, for example making the navigation menu 0x0 pixels or moving it offscreen to -1000, -1000. Or the CSS itself could reference images from other sites, which you can't guarantee will continue to stay up.

Best way to let browsers refresh from cache on a live website?

It's about making changes in design (css-files and images) on a website which is already online and in use. I wonder what is the best-practice to make sure that visitors see the changes without clearing there browser's cache manually. Things that came in my mind:
change meta-tag - dismissed because I do not want the site to be ALWAYS loaded from the server
include the css-file with a parameter (like timestamp) after made a change
change the names of included images so that they are reloaded - means also change names in the files where images are included
?
What else could achieve the loading from server? Did I forget some advantages/disadvantages?
Possible duplicate of this post: How to control web page caching, across all browsers?
My favoured solution is to set a random number after you call the file e.g.
css/styles.ccs?628454548
images/sprite.gif?8356484894
You could use javascript/php or whatever to set those random numbers every time the page is called to the browser.

How can I change the output of a webpage depending on wether a user can access Youtube?

I'm looking at embedding youtube videos onto a webpage (a Drupal webpage if that helps), but I need to figure out what people will see if their business/workplace/country blocks youtube access.
Does it show 'video no longer available', does it not show anything?, does it add a class or ID to the embedded html to let css, or a scripting language know that there is an error.
I would like to be able to swap the embedded code out for a gif or something else. So users that can't access youtube will not be left with what ever youtube decides to show them.
Any tips would be great.
I tried editing the hosts file to test myself but it wouldn't take for some reason.
Cheers.
EDIT: * first-question *
This can be achieved using javascript.
In your script call a resource that is located on youtube. Since it's javascript running in the client browser, the request will comes from it and not your website.
If the request fail, the client has no access to youtube.
Did I mention that relying on external resources you can't control is bad ?

How to attach a site with its thumbnail to a Drupal node?

Do you have any Drupal module (or other solution) to implement a feature similiar to Facebook's Share a Link?
To be precise:
you paste a link
site's preview is generated
title
short excerpt
and a thumbnail of one of the site's images
You'll need to do some pretty fancy stuff when snagging that thumbnail.
That's parsing the page and picking out thumbnails that might want to get used from the tags on the page.
It will need to do this via javascript after the link has been placed.
Facebook actually caches their thumbnails for page sharing once a day, so they choose not to go grab it at run time for the client every time.
There are certainly libraries (and maybe a jQuery plugin that would let you slurp a URL into memory then traverse it and present some one the fly images.
Check out the Tumblr Share tool. You might be able to reverse engineer from that.
As for Drupal modules this seems unlikely. Would love to hear it though.
You could also think about a third party screen shot service, but that's a pain too.

is a negative text-indent considered cloaking?

I am using the negative-text-indent technique I learned to show a text-image to the user, while hiding the corresponding actual text.
This way the user sees the fancy styled text while search engines can still index it.
However I am started to think this sounds like cloaking since I am serving different content to the user vs the spider. However, I am not using this in a deceitful way. Plus it seems like this is a popular technique.
So is it SEO-safe or is it cloaking?
Thanks!
No, this is not cloaking. From what I can tell, you are not actually serving different content, based on whether (you think) the client is a crawler. The content you are serving is just interpreted differently by browsers than by a spider. If you are actually serving different content, why are you doing this?
I'd even go as far as say that it is good accessibility practice. Screen readers will still pick up on the hidden text, text browsers will show it normally, etcetera.
No, this is not cloaking. I think the key phrase in Google's definition is:
If the file that Googlebot sees is not identical to the file that a typical user sees, then you're in a high-risk category.
You're not serving a different file - the content of the file served to GoogleBot is exactly the same as the content of the file served to users.
Thomas is right - this is not cloaking. CResult's quoted text implies that Cloaking is serving a different files for crawlers and users. Meaning, for the context of crawling, Content = File. Thus, if you serve the exact same file, you are not Cloaking anything.
It doesn't matter if you serve off-screen text.
It doesn't matter how the content is presented to the user. It doesn't matter what is inside the file.
At least one blog interprets one of google's help pages as proof that google would not approve of negative indents.
Also, this post which supposedly has a quote from a google employee on the topic.
This is NOT cloaking. I use image replacement techniques all the time. It makes sense in the fact it's more accessible. If the text reads what an image says then that's fine. It is functional to the image. If however, you're cloaking a description of the image that is not otherwise on the image anyway, I'd be concerned about that. It's fine to replace things that read the same. I do use ALT text, but sometimes I'd rather have the image as a background on text and indent it off screen. It meets the same requirements.

Resources