Allow Embedded Files!



    I find your “I do not really want to leave wordpress …” statement puzzling. Haven’t you read the pink sticky at the head of the forum? You can hack your theme from here to eternity and go crazy with embeds by self-hosting or becoming webhosted.
    Please read this thread
    If you’re not happy here at then please feel free to go to You can check out the minimum requirements for self hosting and go for that if you prefer

    Here’s a Symantec research thread on the security issues, but I’m sure you know how to use search engines and find even more information and specifically limit the searches to your exact needs. Link

    [Link fixed – drmike]



    Podz quotes Symantec (as does timethief later):

    “In particular, services that allow people to author and post content under the service domain must always neuter any active content such as Javascript.”

    That’s absolutely hilarious. I’ve always considered Norton AntiVirus to BE a virus, and if you’ve ever tried COMPLETELY removing their software folders, registry entries etc, I’m sure you’d agree.

    The last time I tried upgrading, their site took my money, installed the software, and left me unable to register it. 40 bucks wasted. Their “support” people couldn’t figure out why (most likely an IE blocked ActiveX or javascript), and promised to send a CD with the software per a supervisor’s instruction.

    It never came.

    I went to AVG, and IT installed perfectly.

    So… Why should I trust Symantec’s advice?

    Their software was essentially un-installable, their “support” couldn’t support their most current software on a 3 month old Compaq computer running Windows, and I was LIED to.

    How it relates to
    Right now, I can’t even get a YouTube playlist to work on my blog with a [youtube= tag, which means I would have to use the individual file links for each and every youtube embed from the playlist.

    My postings need 2 embedded players on page like I need a hole in my head.

    I’m sorely disappointed at the lack of versatility @, and it seems to be due to irrational paranoia propagated by companies (like Symantec).



    I agree about Norton – it’s the first thing I remove from anyone’s machine. It’s nasty code.

    But it’s not what Symantec said. It’s what others have experienced. JS exploits damaged Myspace and LJ. That is not irrational. It happened.

    It’s not lack of versatility – it’s putting security before features.



    OMG ^^ I do believe you just made a blog post in the ideas forum. And it’s double trouble anti-security rant against the big guys – Symantec and – putting them in the same corner yet!? OMG perhaps he/she has been imbibing or ingesting off world substances? [she speculated]

    Granted it’s an unusual trajectory type of approach but who knows it may bring you the attention you seem to be targeting. However, IMO the weakness that comes with taking this tack is that it probably won’t further your case, that is, unless digging a hole and burying your bone is the direction you’re intending.

    Just another out of order opinion from a very part-time stand down comedian [she snickered]. *lol*

    @drmike, podz and wank … I couldn’t help it … OH NO! here comes podz with the hook …



    OMG ^^ I do believe you just made a blog post in the ideas forum. And it’s double trouble security rant against Symantec and Have you been imbibing or ingesting off world substances? [she chuckled] Granted it’s an unusual trajectory type approach but who knows it may bring you the attention you seem to be targeting. However, IMO the weakness that comes with taking this tack is that it probably won’t further your case unless digging a hole and burying your bone is the direction you’re intending. Just an opinion from a very part-time stand down comedian. *lol*

    Not a blog post, just stating the reason for my belief that we are blindly following sources that provoke panic when a FEW of the …it must be billions by now… computers in the world have a problem.

    I don’t know what the security issues are for allowing javascripts on the server side from a technical standpoint, but I DO know that every javascript exploit I’ve ever seen as a computer user, including the type that show up as email attachments, have had a security fix loooong before it became a major issue. Like “Infected” Java .jar files that will never be activated due to security patches installed or available YEARS before the AV software quarantines the file.

    … and IF IT IS such a grave hazard to the server side, then why would Yahoo! or any other host allow the scripts on THEIR servers?

    Why should the hosting servers at wordpress be more at risk than they?

    …and I wasn’t ‘ranting’ on, I was just stating my disappointment.



    Why is it that people come down like a ton of bricks and are so mocking when users voice their issues with some of the limitations of WordPress? I don’t think it’s fair that people have to defend themselves because they have what is, to me, a genuine opinion, sorry, gripe. I understand the feeling of really loving WordPress but feeling that a move is necessary because of certain limitations that come with using it. I feel somewhat like that myself – in my case because I want to be able to do more in-depth stats than offers and because of this javascript issue/reason/whatever I can’t do it. It’s not a good feeling at all. I don’t want to leave WordPress. At all. But neither do I want to have half the picture with my blogging – which is what I feel I have now. And that is NOT to imply that WordPress doesn’t crank out new things all the time to improve itself.

    WordPress is a wonderful blogging tool, it’s simple, easy to use and it is well run and it isn’t just the tool (anyone can copy a tool), it’s everything about it that has created such a loyal following of users. Which is not to say it doesn’t have limitations. But it is really frustrating to want to do something (pretty basic in my opinion, and that I should be able to do) only to be told that there’s one of a number of reasons why I can’t. As there is no charge for WP, I’m not a “customer” but whether a user or a customer, I don’t care about the reasons, only that I’m unable to do what I’d like to do on my blog. On the subject of stats I bet WP can track every user to the nth degree.

    Granted not everyone is interested in adding embeds or other things to their blogs, or doing more than ooh and aah over their page views, content with incomplete stats, but others do and will want to do more. I could care less about having a new theme every minute (all singing all dancing to boot), to others it is important to have hundreds. As my blogging evolves maybe one day I’ll want to embed files, and then of course I’ll have a problem, because I won’t be able to do it. So, even though I do not want to move to .org, for flexibility I might have to. It is a serious consideration, which to me, is a pity.

    By all means be defensive of WordPress but lighten up having a go at folks and imputing to them things (anti-security anti-wordpress? where?) they really are not guilty of.



    FOUR days ago when I wrote this lighthearted and joking response to leighm I was chuckling and laughing. If I’d been any lighter when I wrote my tongue in cheek anti-wordpress and anti-security response FOUR days ago I would have been air-borne.



    britgirl, I think you’ve got it. I choose to delegate to WordPress the choice of what’s safe and what’s not in my blog, but there are those who are capable of making those choices on their own and for them is and self-hosted blogs.

    If anyone found my post judgemental, I sincerely apologize. Believe me, I have zero problem being judgemental, but it was not my intention in this particular thread.

    OT: Thank you, WordPress, for fixing the damn REPLY box so I can actually see what happens over to the right-hand side!



    Hey, it is fixed. :)

    I just wish there was some method for *cough* certain blogs to have this protection removed.

    Just so they can see why the protection is there.

    We’ve already had a couple of threads where the posters were wondering why they were seeing all the broken javascripts in the comments.



    It’s not fixed now. Dayum!



    Actually I stand corrected. The right side of the post box has gone missing yet again. :(



    Well, I am just curious because the article shown says that Myspace had problems with a flash file. In order to modify such a thing (the flash file) it would have had to be hosted at Myspace. Hosting the file and embedding it are two very different things. Embedding is much like linking in that the file is not actually hosted where the embed code is. It is on a different server.

    So while, I can see that it would be unwise to host these files, I cannot see how embedding them would be the same or a danger.




    Embedding is not just like linking to a file. It puts it into the browser.

    IE has had security concerns with the embed tag in the past as well.



    Yes, but the original source file is still on another server and that is what was modified (given the virus).

    I was stating what was fairly obvious that the article you held up as your reason why does not allow embedding is not even about embedded files. It was about hosted files.

    It is like saying “My friend died yesterday from a bad plum, so from here on out, I am not going to eat any apples.”

    When you present that kind of logic to people it is no small wonder that they leave. Like it or not every person who posts in here is a potential future customer.

    Anyway, I am done talking with the doorknob.




    So glad I took the time to try and help you.



    Yes, he’s a charmer, ain’t he?



    >>If you’re really that insistent on leaving then can I suggest that you get some hosting and download the WP software? You get the best of all worlds then. WordPress, embedding whatever you like, complete control over the themes and you don’t have to use blogger or MySpace!

    For my case, I like to have a local copy for my blog in my machine.
    But I’m NOT able to import the exported xml of my live blog into my local blog.




    There’s a comment on Scobleizer that I thought explained it well. It reads:

    Blogs are served from {name} The WordPress cookie is delivered to any site that ends in Any Javascript on the page is legitimately allowed to look up cookies that would be sent to the domain it’s served from.

    This means that if you can run Javascript on a hosted WordPress page, you can retrieve the login cookie from another WordPress user, and then pass it to an external site. (Generally by creating an image reference that includes the encoded login cookie.)

    This is just a basic part of the underlying technology of the web browser, and it’s required for sites like gmail, Yahoo!, and others to operate.

    There are ways a site can avoid this problem (generally by constantly changing the login cookie data with EVERY response, and invalidating the old ones immediately), but they require more horsepower on the backend than the blogging sites are really able to provide, and there’s still usually a small window of opportunity.

    This is why Livejournal, WordPress, and most other hosted sites disallow Javascript on their pages.
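
    The cookie scoping described in the quoted comment, modelled as an added example that is not part of the thread or of WordPress's code. The domain `blogs.example`, the jar objects and the function names are assumptions; the HttpOnly and host-only variants are standard cookie attributes shown for comparison, not something the thread discusses.

```javascript
// Added illustration: a constructed model of browser cookie scoping.
// "blogs.example" is a placeholder for the shared hosting domain.

// RFC 6265 domain-match: same host, or host ends with "." + cookie domain.
function domainMatch(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, "");
  return h === d || h.endsWith("." + d);
}

// Names of the cookies that script running on `host` could read.
function scriptReadable(jar, host) {
  return jar
    .filter((c) => (c.hostOnly ? host.toLowerCase() === c.domain : domainMatch(host, c.domain)))
    .filter((c) => !c.httpOnly) // HttpOnly cookies are hidden from document.cookie
    .map((c) => c.name);
}

// Constructed jars: three ways a service could issue its login cookie.
const sharedJar = [{ name: "login", domain: "blogs.example", hostOnly: false, httpOnly: false }];
const httpOnlyJar = [{ name: "login", domain: "blogs.example", hostOnly: false, httpOnly: true }];
const hostOnlyJar = [{ name: "login", domain: "dashboard.blogs.example", hostOnly: true, httpOnly: false }];

// Compare what script on each host can see under each policy.
function report(hosts) {
  return hosts.map((host) => ({
    host,
    shared: scriptReadable(sharedJar, host),
    httpOnly: scriptReadable(httpOnlyJar, host),
    hostOnly: scriptReadable(hostOnlyJar, host),
  }));
}

console.log(JSON.stringify(report([
  "alice.blogs.example",
  "bob.blogs.example",
  "dashboard.blogs.example",
  "notblogs.example",
]), null, 2));
```

    With the shared-domain cookie, script on any blog under the parent domain sees the login cookie; marking it HttpOnly or scoping it to a single dashboard host removes it from what blog pages can read.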



    Sorry, I get a little nasty when people are not explaining something to me and just giving me a standard answer or as the case may be, an answer that does not make sense. The comment that was on Scoble’s blog did explain it much better than anything I saw here.

    Lesson to be learned from this…Don’t answer questions if you don’t really know the real answer.


The topic ‘Allow Embedded Files!’ is closed to new replies.