Ian Dunn
It may not technically be _valid_, but I wouldn't say it's _invalid_ either. Douglas Crockford (creator of JSON) [has said](https://web.archive.org/web/20100629021329/http://blog.getify.com/2010/06/json-comments/): > A JSON encoder MUST NOT output comments. A JSON...
Here's an example of a safelist approach, for future reference: https://github.com/iandunn/regolith/blob/824b999c11fae10c4777b8f517df63c6e6fd0a0d/bin/sync-production-content.sh#L91-L164 It works on a SQL dump rather than WRX, but has safelists of various data that might be useful.
🤔 I actually don't remember the reason, I think it may just have been to keep things a bit more organized. @coreymckrill , @ryelle , do you remember? Possibly related:...
This has been rebased now that #75 has merged.
> On the `/reference` page, I find it a bit distracting Yeah, I can see that. I think it could be designed to look more like a _secondary_ thing than...
🤔 It seems reasonable to me to assume that local envs have the same constants available that production does. I feel like adding safety checks for every instance of this...
Safe SVG is by far the most secure plugin that I'm aware of; the others I've seen didn't use any sanitization at all. I haven't checked in a few years,...
> more details about the original attempt from Cure53 at PHP sanitization? Section `4` of [Crouching Tiger – Hidden Payload](https://www.nds.ruhr-uni-bochum.de/media/hgi/veroeffentlichungen/2011/10/19/svgSecurity-ccs11.pdf) and https://security.stackexchange.com/a/30390/8467 have some details on the PHP approach and...
Yeah, I think this would be acceptable:

* only ever enqueued from the CDN domain - this is the most important thing IMO
* sanitized by Safe SVG
* user...
Ah, yeah, redirecting (or just blocking) access to `wordpress.org/.../*.svg` at the network layer would be great 👍🏻