WordPress Plugin Added for Embedding SWFs

We struggle constantly to maintain the balance between usable and secure web technology. We need to make it easy for people to use these tools to show off the neat content they’ve developed, but all too often doing so outright would open up a hole for someone to show off the really neat malware they’ve developed. This was the case with the request this week to allow the embedding of SWF files (Adobe Flash scripts) in blog posts for use in a Reunion blog.

By default, WordPress MU strips out all object and embed tags, which are the tags used to include SWF files. This is a good thing, since those same tags can be used to include all sorts of other content as well, such as an iframe that runs arbitrary JavaScript. Since the same filter is used to check posts, pages and comments, things can get out of hand fast if you simply remove the filter or let those tags pass through it.

We talked it over and came up with two possible suggestions:

1. Write a custom template for this blog’s theme that would allow the SWF files to be included by adding their URLs to post meta data tags.

2. Write a custom plugin that creates the embed code based on a string in the post that is parsed through a callback function. This is what we’re already doing for MiddMedia, for example.

I chose the latter, which was Adam Franco’s suggestion. This lets us re-use the functionality if we want to allow it on other blogs in the future without adding code to the themes those blogs use. All of our WordPress users can now enable the “SWF Includer” plugin. However, to prevent just anyone on campus from including whatever embed code they like, the plugin is locked down to allow only SWFs from trusted URLs. Presently, the only allowed URL is that of our Communications department’s web directory. We can add to the list as other legitimate uses present themselves.

The syntax for the SWF Includer is as follows:
[swfincluder URL_OF_SWF WIDTH HEIGHT]
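As an added illustration (not the actual SWF Includer plugin's code), here is how a shortcode callback of this kind can be written so that only SWFs under an allowed URL prefix are embedded. The allowlist entry, the 2000-pixel size cap and the use of parse_url/esc_url are assumptions; the real plugin's allowed directory is not given on the page.

```php
<?php
/*
Plugin Name: SWF Includer (illustrative example, not the original plugin)
*/

// Hypothetical allowlist of scheme + host + path prefixes a SWF must sit under.
$swfincluder_allowed_prefixes = array(
    'http://www.example.edu/communications/',
);

function swfincluder_is_allowed($url, $allowed_prefixes) {
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host']) || empty($p['path'])) {
        return false;
    }
    // A plain path to a .swf is all we serve: reject userinfo (which can disguise the
    // real host), explicit ports, query strings and fragments.
    foreach (array('user', 'pass', 'port', 'query', 'fragment') as $k) {
        if (isset($p[$k])) return false;
    }
    $scheme = strtolower($p['scheme']);
    $host   = strtolower($p['host']);
    $path   = $p['path'];
    if (!in_array($scheme, array('http', 'https'), true)) return false;
    if (strpos($path, '/../') !== false || strtolower(substr($path, -4)) !== '.swf') return false;
    // Compare the normalized URL against each trusted prefix.
    $normalized = $scheme . '://' . $host . $path;
    foreach ($allowed_prefixes as $prefix) {
        if (strncmp($normalized, $prefix, strlen($prefix)) === 0) return true;
    }
    return false;
}

// Callback for the positional form [swfincluder URL_OF_SWF WIDTH HEIGHT];
// WordPress hands positional values to the callback as $atts[0], $atts[1], $atts[2].
function swfincluder_shortcode($atts) {
    global $swfincluder_allowed_prefixes;
    $url    = isset($atts[0]) ? $atts[0] : '';
    $width  = isset($atts[1]) ? (int) $atts[1] : 0;
    $height = isset($atts[2]) ? (int) $atts[2] : 0;
    // Untrusted URL or implausible size: emit nothing rather than a partial tag.
    if (!swfincluder_is_allowed($url, $swfincluder_allowed_prefixes)) return '';
    if ($width < 1 || $width > 2000 || $height < 1 || $height > 2000) return '';
    $u = esc_url($url);
    return '<object type="application/x-shockwave-flash" data="' . $u . '"'
         . ' width="' . $width . '" height="' . $height . '">'
         . '<param name="movie" value="' . $u . '" />'
         . '<param name="allowScriptAccess" value="never" /></object>';
}
add_shortcode('swfincluder', 'swfincluder_shortcode');
```

Because the callback builds the markup itself, an author can only choose which trusted SWF to show and at what size, never the tag or its attributes; the allowScriptAccess parameter additionally keeps the movie from calling into the page's JavaScript.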
