

Custom Shortcodes for JavaScript?

  1. Is it possible to create a custom shortcode to be used on a WordPress.com blog? I want to implement a HubSpot tracking code on my WordPress.com blog and realize JavaScript is not allowable within the blog itself, but I am wondering if I can implement it securely using a custom shortcode. I realize this is possible for self-hosted WordPress but am wondering if it's possible for WordPress.com.

    The blog I need help with is blog.surveyanalytics.com.

  2. I think that what you want to do is write your own shortcode and use it here at wp.com. If so, the answer will be no. I say this with 99+% confidence, since I cannot imagine a means of doing this without a huge risk to the integrity of the site and every blog on it. I have no qualms about your intentions, but there are some ill-intentioned people out there (and in here, probably).

  3. WordPress.org installs are free standing. Use JavaScript on them and the only security risk is to a single blog. Not so here at WordPress.com as this is a shared blogging platform.

    Let me explain (for those who don’t already know) why WordPress.com can’t allow JavaScript on free hosted blogs on this wpMU multi-user blogging platform.

    Blogs are served from {name}.wordpress.com. The WordPress cookie is delivered to any site that ends in wordpress.com. Any JavaScript on the page is legitimately allowed to look up cookies that would be sent to the domain it’s served from.

    This means that if you can run JavaScript on a hosted WordPress page, you can retrieve the login cookie from another WordPress user, and then pass it to an external site. (Generally by creating an image reference that includes the encoded login cookie.)

    This is just a basic part of the underlying technology of the web browser, and it’s required for sites like Gmail, Yahoo!, and others to operate.

    There are ways a site can avoid this problem (generally by constantly changing the login cookie data with EVERY response, and invalidating the old ones immediately), but they require more horsepower on the backend than the blogging sites are really able to provide, and there’s still usually a small window of opportunity.

    This is why LiveJournal, WordPress, and most other hosted sites disallow JavaScript on their pages.
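
The cookie scoping described in the post above, as an added example that is not part of the original thread: a simplified model of RFC 6265 domain matching that reports which cookies a script on a given blog host can read through `document.cookie`. The cookie names and values and the hosts `alice` and `bob` are constructed, and Path and Secure handling is omitted.

```javascript
// Simplified model of RFC 6265 cookie scoping. All names and values are constructed.

// RFC 6265 section 5.1.3: a host domain-matches if it is equal or a dot-suffix.
function domainMatches(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase();
  return host === cookieDomain || host.endsWith("." + cookieDomain);
}

// Turn a Set-Cookie header received from `originHost` into a stored cookie.
function storeCookie(setCookie, originHost) {
  const [pair, ...attrs] = setCookie.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    domain: originHost.toLowerCase(),
    hostOnly: true, // no Domain attribute: only the exact host receives it
    httpOnly: false,
  };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=").map((s) => s.trim());
    if (k.toLowerCase() === "domain" && v) {
      cookie.domain = v.replace(/^\./, "").toLowerCase();
      cookie.hostOnly = false; // now shared with every subdomain
    } else if (k.toLowerCase() === "httponly") {
      cookie.httpOnly = true; // sent on requests, hidden from script
    }
  }
  return cookie;
}

// Names of the cookies that script running on `pageHost` can read.
function scriptVisible(jar, pageHost) {
  const host = pageHost.toLowerCase();
  return jar
    .filter((c) => (c.hostOnly ? c.domain === host : domainMatches(host, c.domain)))
    .filter((c) => !c.httpOnly)
    .map((c) => c.name);
}

// Constructed jar: three ways a platform could scope a login cookie.
const jar = [
  storeCookie("login_shared=abc; Domain=wordpress.com", "alice.wordpress.com"),
  storeCookie("login_hostonly=def", "alice.wordpress.com"),
  storeCookie("login_httponly=ghi; Domain=wordpress.com; HttpOnly", "alice.wordpress.com"),
];
console.log("alice's own blog:", scriptVisible(jar, "alice.wordpress.com"));
console.log("another blog:    ", scriptVisible(jar, "bob.wordpress.com"));
```

Only the cookie set with `Domain=wordpress.com` and without `HttpOnly` is readable from the second blog's host, which is the exposure the post describes for a shared parent domain.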

Topic Closed

This topic has been closed to new replies.
