Security Considerations

Granting “Edit Content” Access to Breakdance

Do not grant “Edit Content” access to untrusted users, as a skilled user could escalate their privileges to a site admin.

“Edit Content” access is only designed to simplify the Breakdance user interface. It will not prevent a skilled user with “Edit Content” from going into the browser dev tools, enabling the rest of the user interface options, and then using those features to escalate their privileges – for example, by saving a page with a Code Block element that contains PHP code that would escalate their privileges.


Using Breakdance on Multi-Site

Using Breakdance on WordPress Multi-Site is possible. Anyone with access to Breakdance will have access to the Code Block element, which will allow them to execute arbitrary PHP code. Do not grant Breakdance access to untrusted users.


Enabling Breakdance > Advanced > Allow SVG Uploads In The WP Media Library

This option is not enabled by default, because SVGs can contain malicious code. If you don’t trust the provider of the SVG, don’t upload the SVG, or better, use a plugin like https://wordpress.org/plugins/safe-svg/ that can handle the sanitization of SVGs for you.


Enabling Breakdance > Advanced > Apply the_content Filter

This option is not enabled by default and should not be enabled unless you have a need for it. Before enabling this option, you should understand the potential security implications. By default, Breakdance does not apply the_content filter to Breakdance-designed content. Enabling this option will make Breakdance run apply_filters('the_content', …) on singular content created with Breakdance.

When apply_filters('the_content', …) runs, shortcodes are executed. If your website displays dynamic data that is provided by users and is not sanitized for shortcodes, a user could execute shortcodes. For example, if you allow users to submit data through a form and then render that data inside Breakdance, and a user enters shortcodes into the form, enabling this option would cause those shortcodes to be executed.

This attack is not specific to Breakdance. For more details, visit https://www.pritect.net/blog/wordpress-shortcode-injection-attack-vector.
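As an added illustration (not Breakdance's own code), the snippet below shows the vulnerable pattern next to a hardened version. It assumes a hypothetical form that stores each visitor's text in post meta under the key "visitor_message" and that the value is later handed to the_content filter.

```php
<?php
/**
 * Added example, not part of Breakdance. Assumed: a form stores the
 * visitor's text in the post meta key "visitor_message" (hypothetical).
 */

// Vulnerable pattern: the raw stored value is passed straight to the_content,
// so a submission such as "[some_shortcode]" is executed as a shortcode once
// "Apply the_content Filter" is enabled.
function vulnerable_render_visitor_message( int $post_id ): string {
    $raw = (string) get_post_meta( $post_id, 'visitor_message', true );
    return apply_filters( 'the_content', $raw ); // do_shortcode() runs here
}

// Replace the bracket characters with HTML entities so the shortcode parser
// never sees shortcode syntax, while the visitor still sees "[" and "]".
// This is more robust than strip_shortcodes(), which only removes shortcodes
// that are registered at the moment it runs.
function neutralise_shortcodes( string $text ): string {
    return str_replace( array( '[', ']' ), array( '&#91;', '&#93;' ), $text );
}

// Hardened pattern: filter the HTML first (wp_kses_post), then neutralise
// shortcode syntax before the value reaches the_content filter.
function safe_render_visitor_message( int $post_id ): string {
    $raw  = (string) get_post_meta( $post_id, 'visitor_message', true );
    $safe = neutralise_shortcodes( wp_kses_post( $raw ) );
    return apply_filters( 'the_content', $safe );
}

// Defence in depth: neutralise on save as well, so that stored data is
// already inert even if a future template forgets to call the safe renderer.
// The hook name "myform_before_save_visitor_message" is hypothetical.
add_filter( 'myform_before_save_visitor_message', 'neutralise_shortcodes' );
```

Note that sanitising at save time does not clean data that was stored before the filter was added; run the same neutralisation over existing values or keep the render-time step.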


Enabling CSRF Protection On Forms

There is no reason to enable CSRF protection on forms that any visitor should be able to submit without authentication. Anyone can already submit the form.

There is only a reason to enable CSRF protection on forms that should only be submitted by an authenticated user. An example of this would be a form located in a user dashboard gated behind a login. Without CSRF protection, a user with access to the form behind the login screen could be tricked into making a request that would submit the form.

CSRF protection relies on nonces. Some hosts and server configurations may cache these nonces, which would prevent the form from being submitted.


Enabling Breakdance > Settings > Advanced > Allow unfiltered HTML in all dynamic data output

By default, Breakdance applies wp_kses_post to fields on posts whose author lacks the unfiltered_html capability. By running all HTML content through this WordPress function, Breakdance ensures that the HTML it renders is not vulnerable to Cross-Site Scripting (XSS).