Feature Request: libxml2 / DOMDocument
-
Dear WordPress,
As the premier blogging CMS, I believe that your development should focus on changing the model of how content is produced with WordPress to promote a safer web.
I would like a development branch of WordPress that uses the Document Object Model facilities of libxml2 for the creation of content.
There would be some immediate benefits to the platform outside of the potential security benefits. Plugins that need to add content to the head node would no longer have to have scripts that “look ahead” to see if they are used early on in the content generation, your wp_enqueue_scripts action could add scripts and style sheets to the head at any point in the generation of the content.
Plugins that do things like expand shortened URLs could run after the document is fully generated but before being sent. Plugins that add a target attribute to any hyperlinks not in a whitelisted domain would be cake, no regex necessary.
But in addition to the many benefits plugin developers would have, there are also some security policies you could easily enforce with such a model. For example, after the DOM has been constructed, you could easily remove any script nodes that are not in the document head and remove any event handler attributes (like onclick etc.). This simple step would make it very difficult for anyone to inject malicious content into a page.
You could go even one step further and send a Content Security Policy header so that browsers will know not to execute any scripts that are not in the document head.
I understand there will be some plugin developer resistance to this kind of radical change to the platform, but as a developer myself who fell in love with the raw power of the Document Object Model when I was first forced to use it, I believe many developers will see the light and readily embrace it.
By doing these changes in a separate development branch, it would give developers a chance to play with it and decide if they like it before WordPress as a whole moved to this model, and it would give time to port existing plugins to use the Document Object Model.
Using DOMDocument would add a dependency on libxml2 to the php engine required to run a WordPress site. Every linux distribution I am aware of that packages php already ships with libxml2 and has the necessary php module in their package repository.
Thank you for your time,
Alice Wonder
- The topic ‘Feature Request: libxml2 / DOMDocument’ is closed to new replies.