
Adding bookmarklet to wordpress post

I'm trying to add a javascript bookmarklet link to a post on my WordPress site. However it isn't coming out in the post preview. When I check the link that WordPress adds to the post it has converted it to javascript:void(0). This simple example reproduces the problem.

<a href="javascript:alert('Alert!');">Search Scholar</a>

There are a few other people who've had the same problem here, here, here, and here but no one seems to have found a solution beyond just giving their bookmarklet code for people to copy and paste and create their own bookmarklet.

The cause of this problem is that Chrome's XSS protection is stripping out the javascript from the link when submitting it via wp-admin. One "solution" is to add the line header("X-XSS-Protection: 0"); to wp-blog-header.php in the root folder. This is insecure as it switches off the XSS protection on your WordPress site but it does allow the bookmarklet code to be rendered when the page loads.

Are there any real solutions to this problem that don't involve switching off XSS protection? Is there perhaps a plugin I can install to my WordPress to allow me to add javascript: links inside my posts?

EDIT 2 After even more research, this is actually caused by the browser's XSS detection as mentioned by the OP (as opposed to any WordPress-specific functionality). The problem only arises when you click the Preview button in WordPress, and only on that initial page load. Apparently WordPress sends along some of the HTML in the request headers, and that triggers the XSS functionality in the browser. If you load the preview, and then you refresh the page, the XSS issue goes away, and the javascript: link is displayed as it was saved. When viewing the actual site, after publishing the page, this XSS issue is never encountered.

EDIT After some deeper research (working with @gnarf), it turns out the actual issue comes down to the way that WordPress handles javascript: links in its preview functionality. It would seem that WordPress has some custom Javascript that runs and converts all javascript: links to javascript:void(0) links (stripping out any custom code), but only if you're previewing the page. After publishing the page, the javascript: links are rendered out properly.


Original Post (describes how to stop WordPress from stripping out javascript: links when saving a post as a non-admin user, which is what I assumed the original problem might have been)

It looks like WordPress strips out the HTML in the content_save_pre filter. Specifically, it calls the wp_kses_bad_protocol method in wp-includes/kses.php:

/**
 * Sanitize string from bad protocols.
 *
 * This function removes all non-allowed protocols from the beginning of
 * $string. It ignores whitespace and the case of the letters, and it does
 * understand HTML entities. It does its work in a while loop, so it won't be
 * fooled by a string like "javascript:javascript:alert(57)".
 *
 * @since 1.0.0
 *
 * @param string $string Content to filter bad protocols from
 * @param array $allowed_protocols Allowed protocols to keep
 * @return string Filtered content
 */
function wp_kses_bad_protocol($string, $allowed_protocols) {
    $string = wp_kses_no_null($string);
    $iterations = 0;

    do {
        $original_string = $string;
        $string = wp_kses_bad_protocol_once($string, $allowed_protocols);
    } while ( $original_string != $string && ++$iterations < 6 );

    if ( $original_string != $string )
        return '';

    return $string;
}

The $allowed_protocols parameter is retrieved via the wp_allowed_protocols() method, which applies the kses_allowed_protocols filter to the list of protocols.

With this information, you should be able to tie into the kses_allowed_protocols filter to add javascript as a valid one (note that this, of course, would open up security issues):

add_filter( 'kses_allowed_protocols', function ($protocols) {
   $protocols[] = 'javascript';
   return $protocols;
});

One way to enhance the security of this approach would be to add a check for specific users or specific roles (by default, it looks like this filter actually isn't run on administrative accounts, so you can use javascript: links to your heart's content as an admin) prior to allowing the javascript protocol.
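To make concrete what the kses step above does to an href, here is a simplified JavaScript model of wp_kses_bad_protocol() as an added example; it is not WordPress's code and not part of this answer. It keeps the parts that matter for the question: NUL removal, a scheme check that ignores whitespace, case and numeric entities, the repeat-until-stable loop with its cap of 6 passes, and the allow-list test. Entity-encoded colons and the feed: special case of the real function are left out, and DEFAULT_ALLOWED is an assumed subset of what wp_allowed_protocols() returns.

```javascript
// Added example: a simplified model of WordPress's wp_kses_bad_protocol()
// (wp-includes/kses.php), written to show why a javascript: href does not
// survive kses unless 'javascript' is in the allowed list. Not WordPress
// code; entity-encoded colons and the feed: special case are left out.

// Assumed subset of what wp_allowed_protocols() returns by default.
const DEFAULT_ALLOWED = ['http', 'https', 'ftp', 'mailto', 'tel'];

// kses decodes numeric entities inside the scheme, so "jav&#x61;script"
// is still recognised as javascript.
function decodeNumericEntities(s) {
  const toChar = (cp) => (cp <= 0x10ffff ? String.fromCodePoint(cp) : '');
  return s
    .replace(/&#[xX]([0-9a-fA-F]+);/g, (_, h) => toChar(parseInt(h, 16)))
    .replace(/&#([0-9]+);/g, (_, d) => toChar(parseInt(d, 10)));
}

// One pass: if there is a scheme before the first ':', keep "scheme:" only
// when it is allowed; otherwise drop it and return what followed the colon.
function badProtocolOnce(s, allowed) {
  const idx = s.indexOf(':');
  // No colon, or "/?" before it (a relative URL with a query string): leave it.
  if (idx === -1 || /\/\?/.test(s.slice(0, idx))) return s;
  const rest = s.slice(idx + 1).trim();
  // Normalise the candidate scheme the way an attacker might obfuscate it:
  // decode entities, strip whitespace and NULs, lowercase.
  const scheme = decodeNumericEntities(s.slice(0, idx))
    .replace(/\s/g, '')
    .replace(/\0/g, '')
    .toLowerCase();
  return allowed.some((p) => p.toLowerCase() === scheme) ? `${scheme}:${rest}` : rest;
}

// Repeat until the value stops changing. kses caps this at 6 passes and
// returns '' if the value is still changing, so a long
// "javascript:javascript:..." chain fails closed instead of slipping through.
function badProtocol(href, allowed = DEFAULT_ALLOWED) {
  let s = href.replace(/\0/g, '');
  let prev;
  let iterations = 0;
  do {
    prev = s;
    s = badProtocolOnce(s, allowed);
  } while (prev !== s && ++iterations < 6);
  return prev !== s ? '' : s;
}
```

Run against the question's link, badProtocol("javascript:alert('Alert!')") returns alert('Alert!') with the default list (the scheme is gone, which is why the saved href no longer works), and returns the URL unchanged once 'javascript' is appended to the allow list. That second call is exactly what the add_filter snippet above does for every author whose content still goes through kses, and obfuscated forms such as JAVA\tSCRIPT: or jav&#x61;script: are treated identically, which is why allowing the protocol cannot be made safe by pattern-matching the href afterwards.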

The initial problem is of course due to this:

JavaScript cannot be added to post content without a special WordPress Plugin that removes the filters that prevent unwanted code within the post content area for the protection of the user.

To avoid installing a plugin you can use the recommended method:

The safe and recommended method of adding JavaScript to a WordPress generated page and WordPress Theme or Plugin is by using wp_enqueue_script(). This function includes the script if it hasn't already been included, and safely handles dependencies.

Here are all the details for wp_enqueue_script():
http://codex.wordpress.org/Function_Reference/wp_enqueue_script

You then need to create a custom JavaScript file which you include and register with the functions you need for your posts.

You can in that file make a function which for example takes your bookmarklet link as an argument and does a document.write (or attaches a node as a child to a known element) at the current location.

Then include the script and call the function in the post as:

<script type="text/javascript" src="/scripts/myscript.js"></script>
<script type="text/javascript">
<!--
bookmarklet(myLink);
//--></script>

You only need to link the script once in the same post. If you use this script in every post it's probably better to link it in the header (header.php template file, between the meta tags and the style sheet link).

<script type="text/javascript" src="/scripts/myscript.js"></script>

or alternatively if the above doesn't work:

<script type="text/javascript" src="<?php bloginfo('template_url'); ?>/pathto/myscript.js"></script>

Also note that if the src attribute is stripped away you need to go to Users and Personal Options in the dashboard to turn off the rich editor.

Source and more information on how to use JavaScript in WordPress globally and in posts:
http://codex.wordpress.org/Using_Javascript#Javascript_in_Posts
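Putting the enqueued-script approach together, as an added example that is not code from this answer, the Codex, or WordPress: the bookmarklet source lives as a constant in the theme's script file, and the link is built with DOM property assignments instead of document.write or innerHTML, so no javascript: URL ever has to pass through post content, kses, or the preview step. The Google Scholar search body, the scholar-bookmarklet element id, and the fakeDocument() stand-in that lets the file run under Node are all assumptions made for this example; in a real theme, enqueue the file with wp_enqueue_script() and put <div id="scholar-bookmarklet"></div> in the post.

```javascript
// Added example: build a bookmarklet link at runtime from an enqueued script,
// so post content never needs to contain a javascript: href.
// Assumptions: the bookmarklet body below (a Google Scholar search) and the
// container id "scholar-bookmarklet" are made up for this example.

// The bookmarklet body is trusted theme code, not user-submitted post content.
const SCHOLAR_SOURCE =
  "var q = window.getSelection().toString() || prompt('Search Scholar for:');" +
  "if (q) location.href = 'https://scholar.google.com/scholar?q=' + encodeURIComponent(q);";

// Turn raw bookmarklet source into a javascript: URL.
function bookmarkletHref(source) {
  // Wrap in a function so the bookmarklet's variables do not leak onto the
  // host page, and discard the result with void so the browser never
  // navigates to the expression's value.
  const body = `void (function(){${source}})()`;
  // The browser percent-decodes a javascript: URL before evaluating it, so
  // encoding keeps '#', '%', quotes and whitespace from breaking the link.
  return 'javascript:' + encodeURIComponent(body);
}

// Create the <a> with DOM property assignments (no HTML parsing, so neither
// the label nor the source can inject markup) and attach it to a known
// element. Returns the anchor, or null when the container is not on the page.
function renderBookmarklet(doc, containerId, label, source) {
  const container = doc.getElementById(containerId);
  if (!container) return null;
  const a = doc.createElement('a');
  a.href = bookmarkletHref(source);
  a.textContent = label;
  a.title = 'Drag this link to your bookmarks bar';
  container.appendChild(a);
  return a;
}

// Minimal stand-in for the DOM, constructed so this file also runs under Node.
function fakeDocument(ids) {
  const make = (tag) => ({
    tagName: tag.toUpperCase(),
    children: [],
    href: '',
    textContent: '',
    title: '',
    appendChild(child) { this.children.push(child); return child; },
  });
  const byId = Object.create(null);
  for (const id of ids) byId[id] = make('div');
  return { createElement: make, getElementById: (id) => byId[id] || null };
}

// In the browser, run once the post's container exists.
if (typeof document !== 'undefined' && typeof document.addEventListener === 'function') {
  document.addEventListener('DOMContentLoaded', () => {
    renderBookmarklet(document, 'scholar-bookmarklet', 'Search Scholar', SCHOLAR_SOURCE);
  });
}
```

The point of keeping the source in the script file rather than in the post is who can change it: editing a theme file needs filesystem or theme-editor access, whereas post content is exactly what kses exists to distrust. The link is still a plain javascript: URL once rendered, so it drags to the bookmarks bar like any other bookmarklet, but nothing in the post body ever carries the protocol.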

Notice: the technical posts on this site are published under the CC BY-SA 4.0 license. If you need to repost, please cite this site's URL or the original address. Any questions: yoyou2525@163.com.
