Security Considerations

Granting “Edit Content” Access to Oxygen

Do not grant “Edit Content” access to untrusted users, as a skilled user could escalate their privileges to a site admin.

“Edit Content” access is designed only to simplify the Oxygen user interface; it does not limit what such a user can actually save. It will not prevent a skilled user with “Edit Content” from opening the browser dev tools, re-enabling the hidden user interface options, and then using those features to escalate their privileges – for example, by saving a page with a Code Block element that contains PHP code that grants them a higher role.

Using Oxygen on Multi-Site

Using Oxygen on WordPress Multi-Site is possible. Anyone with access to Oxygen will have access to the Code Block element, which will allow them to execute arbitrary PHP code. Do not grant Oxygen access to untrusted users.

Enabling Oxygen > Advanced > Allow SVG Uploads In The WP Media Library

This option is not enabled by default, because SVGs can contain malicious code. If you don’t trust the provider of the SVG, don’t upload the SVG, or better, use a plugin like https://wordpress.org/plugins/safe-svg/ that can handle the sanitization of SVGs for you.

Enabling Oxygen > Advanced > Apply the_content Filter

This option is not enabled by default and should not be enabled unless you have a need for it. Before enabling this option, you should understand the potential security implications. By default, Oxygen does not apply the_content filter to Oxygen-designed content. Enabling this option will make Oxygen run apply_filters('the_content', ...) on singular content created with Oxygen.

When apply_filters('the_content', ...) is run, shortcodes are executed. If your website displays dynamic data that is provided by users and is not sanitized for shortcodes, a user could execute shortcodes. For example, suppose you allow users to submit data through a form and then render that data inside Oxygen. If a user enters shortcodes into the form and this option is enabled, those shortcodes would be executed when the content is displayed.

This attack is not specific to Oxygen. For more details, visit https://www.pritect.net/blog/wordpress-shortcode-injection-attack-vector.
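The following is an added example, not code from the Oxygen documentation or plugin. It assumes a WordPress install where the file is loaded as a plugin; the `site_greeting` shortcode, the sample submission and the `render_submission_*` function names are constructed for the demonstration. It shows a visitor-supplied string being expanded by the_content filter, and a hardened rendering that sanitizes the user data before the filter sees it.

```php
<?php
// Added example, not from the Oxygen documentation. Assumes a WordPress
// install loading this file as a plugin; the shortcode name, the sample
// input and the function names below are constructed.

// Constructed shortcode standing in for any shortcode installed on the site.
add_shortcode( 'site_greeting', function () {
    return 'Hello from a shortcode that visitor input should never trigger';
} );

// Constructed sample of data a visitor submitted through a form
// (for example stored as post meta and shown as dynamic data).
$submitted_comment = 'Nice site! [site_greeting]';

/**
 * Vulnerable: user-supplied text is passed through the_content filter,
 * so do_shortcode() (hooked to the_content at priority 11) expands the
 * visitor's [site_greeting] tag.
 */
function render_submission_vulnerable( $text ) {
    return apply_filters( 'the_content', $text );
}

/**
 * Square brackets are encoded as numeric entities so do_shortcode() no
 * longer recognizes a tag; the browser still displays them as brackets.
 */
function neutralize_shortcodes( $text ) {
    return str_replace( array( '[', ']' ), array( '&#91;', '&#93;' ), $text );
}

/**
 * Hardened: wp_kses_post() strips markup the visitor may not inject,
 * shortcode brackets are neutralized, and the_content filter then runs
 * only on a template the site author controls.
 */
function render_submission_hardened( $text ) {
    $safe_text = neutralize_shortcodes( wp_kses_post( $text ) );
    $template  = '<blockquote class="submission">' . $safe_text . '</blockquote>';
    return apply_filters( 'the_content', $template );
}

// Quick check for an administrator: visit the site with ?show_shortcode_demo=1.
add_action( 'init', function () use ( $submitted_comment ) {
    if ( ! isset( $_GET['show_shortcode_demo'] ) || ! current_user_can( 'manage_options' ) ) {
        return;
    }
    echo '<pre>' . esc_html( render_submission_vulnerable( $submitted_comment ) ) . "\n";
    echo esc_html( render_submission_hardened( $submitted_comment ) ) . '</pre>';
    exit;
} );
```

The first line of the check shows the shortcode's expansion; the second keeps the literal text `[site_greeting]` inside the blockquote.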

Enabling CSRF Protection On Forms

There is no reason to enable CSRF protection on forms that any visitor should be able to submit without authentication. Anyone can already submit the form.

There is only a reason to enable CSRF protection on forms that should only be submitted by an authenticated user. An example of this would be a form located in a user dashboard gated behind a login. Without CSRF protection, a user with access to the form behind the login screen could be tricked into making a request that would submit the form.

CSRF protection relies on nonces. Some hosts and server configurations may cache these nonces, which would prevent the form from being submitted.

Enabling Oxygen > Settings > Advanced > Allow unfiltered HTML in all dynamic data output

By default, Oxygen applies wp_kses_post to fields on posts whose author lacks the unfiltered_html capability. By running all such HTML content through this WordPress function, Oxygen ensures that the HTML it renders is not vulnerable to Cross-Site Scripting (XSS).