WordPress MU

Save the file below as embed_allower.php inside the wp-content/plugins directory of your WordPress or WordPress MU and activate it. Feel free to customize as necessary.

----------------------------------

<?php
/*
 * Plugin Name: Embed Allower
 * Plugin URI: http://hendyirawan.com/
 * Description: Allows embed, object, and other security risks tags. LGPLv3.
 * Version: 1.0
 * Author: Hendy Irawan
 * Author URI: http://hendyirawan.com/
 * */

// For more info see wp-includes/kses.php
if (!CUSTOM_TAGS) {
	$allowedposttags['embed'] = array(
		'style' => array(),
		'type' => array (),
		'id' => array (),
		'height' => array (),
		'width' => array (),
		'src' => array (),
		'object' => array(
			'height' => array (),
			'width' => array (),
			'param' => array (
				'name' => array (),
				'value' => array ()
			)
		)
	);
	$allowedposttags['object'] = array(
		'height' => array (),
		'width' => array (),
		'param' => array (
			'name' => array (),
			'value' => array ()
		),
		'embed' => array(
			'style' => array(),
			'type' => array (),
			'id' => array (),
			'height' => array (),
			'width' => array (),
			'src' => array ()
		)
	);
}

Wow. Hello bad security practice.

What are the risks then?

How bad can it turn out to be?

I've also noticed that when I post on wordpress.com

and add something like

""
<object width="425" height="344"><param name="movie" value="http://www.youtube.com/v/xPbeFSdsTNg&hl=en&fs=1"></param><param name="allowFullScreen" value="true"></param><embed src="http://www.youtube.com/v/xPbeFSdsTNg&hl=en&fs=1" type="application/x-shockwave-flash" allowfullscreen="true" width="425" height="344"></embed></object>
""

WP automatically updates it to:

""
[youtube=http://www.youtube.com/watch?v=xPbeFSdsTNg&hl=en&fs=1]
""

Any idea what plugin do they use?

Something they wrote themselves probably.

The proposed solution is also available on wpmudev.org/project/Allow-Embedded-Videos

So are there any known issues with the security?

Cheers!