
Security Considerations

Do Not Grant Any Level Of Oxygen Access To Untrusted Users

Access to Oxygen should only be granted to trusted users, because Oxygen provides the ability to execute arbitrary PHP code. Any user granted access to Oxygen could therefore run code that does literally anything to your site. Do not grant ANY LEVEL of Oxygen access to untrusted users.

This includes "Edit Only" access, which should only be granted to trusted users.

Shortcode Signing

For security reasons, Oxygen signs all of its shortcodes. This signature is generated based, in part, on your site URL. If your staging URL and live URL do not match exactly, you will always have to regenerate Oxygen's shortcode signatures after a push/pull. This can only be circumvented by disabling shortcode signing under Oxygen -> Settings -> Security. We strongly recommend against disabling shortcode signing as this can present a security risk for your site.

You can choose to prevent Oxygen from executing its shortcodes if they lack a valid signature by selecting "Check Oxygen's shortcodes for a valid signature before executing". As of Oxygen v3.2, an invalid signature warning will only be shown in the WordPress admin area and not on the front-end of the site.

To harden Oxygen against potential attacks, it is highly recommended that you enable this option. It is enabled by default for new installs of Oxygen 2.1 and up.

If you wish to show the invalid signature warning on the front-end of the site, you can enable "Show invalid shortcode signature warnings on the front end" via Oxygen -> Settings -> Security.

Shortcode Signing Explained

Oxygen stores the elements on your page as WordPress shortcodes. At runtime, those shortcodes are compiled into PHP, HTML, CSS, and JavaScript.

If another plugin on your site has a security hole which lets unauthorized users execute shortcodes, they could execute Oxygen's shortcodes. Since Oxygen's shortcodes allow for the execution of PHP, they could run any arbitrary PHP code they want on your site - in other words, change your admin password, steal all your user data, or do literally anything else.

Of course, this attack would require another plugin to be present on your site with a security flaw that allows unauthorized users to execute shortcodes. Shortcode-injection flaws of exactly this kind have been found in many third-party plugins (see the further reading link below), so it is highly recommended that you enable this option.

The only way to generate a valid signature is to have access to the signing keys, which are unique and randomly generated when you install Oxygen. These are stored in your wp_options table, so only a site admin or an attacker who could otherwise read data from your database could get the keys and sign a shortcode. In other words, signing defends against a shortcode-execution bug in another plugin; it does not defend against an attacker who already has read access to your database, because that attacker can sign whatever they like.

Further reading: http://www.pritect.net/blog/wordpress-shortcode-injection-attack-vector
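The following is an added illustrative example, not Oxygen's own code and not its actual signature format or key storage. It models the mechanism described above: an HMAC over the shortcode body that also covers the site URL, a random key that stands in for the keys Oxygen keeps in wp_options, and a "verify before executing" gate. It shows why a signature made on the live URL fails on a staging URL, why a tampered body fails, and why a party without the key cannot forge one. All URLs, shortcode bodies and the hex encoding are constructed for the demo.

```php
<?php
// Added illustrative example (not Oxygen's implementation): URL-bound shortcode
// signing and verification. Key storage, message layout and the hex signature
// encoding are assumptions made for this demonstration only.

declare(strict_types=1);

// In a real site the signing key is created at install time and stored in the
// database; here it is generated in memory for the demonstration.
function generate_signing_key(): string
{
    return bin2hex(random_bytes(32)); // 256-bit random key
}

// The signed message binds the shortcode body to the site URL, which is why a
// signature produced on the live URL is invalid on a differently named staging URL.
function sign_shortcode(string $shortcode, string $site_url, string $key): string
{
    return hash_hmac('sha256', $site_url . "\n" . $shortcode, $key);
}

function verify_shortcode(string $shortcode, string $site_url, string $key, string $signature): bool
{
    $expected = sign_shortcode($shortcode, $site_url, $key);
    return hash_equals($expected, $signature); // constant-time comparison
}

// Stand-in for "check for a valid signature before executing": the callable that
// would run the shortcode's PHP is only invoked after verification succeeds.
function execute_if_signed(string $shortcode, string $site_url, string $key, string $signature, callable $run): string
{
    if (!verify_shortcode($shortcode, $site_url, $key, $signature)) {
        return '[invalid shortcode signature: not executed]';
    }
    return $run($shortcode);
}

// Demonstration with constructed values.
$key       = generate_signing_key();
$live_url  = 'https://live.example.com';
$staging   = 'https://staging.example.com';
$shortcode = '[code_block]echo "hello";[/code_block]'; // constructed, generic shortcode
$run       = static fn(string $sc): string => 'executed: ' . $sc;

$sig = sign_shortcode($shortcode, $live_url, $key);

echo execute_if_signed($shortcode, $live_url, $key, $sig, $run), PHP_EOL; // executes
echo execute_if_signed($shortcode, $staging, $key, $sig, $run), PHP_EOL;  // rejected: URL changed

$tampered = '[code_block]system("id");[/code_block]';
echo execute_if_signed($tampered, $live_url, $key, $sig, $run), PHP_EOL;  // rejected: body changed

// Forgery attempt without the real key: a signature under any other key never verifies.
$forged = sign_shortcode($shortcode, $live_url, generate_signing_key());
echo execute_if_signed($shortcode, $live_url, $key, $forged, $run), PHP_EOL; // rejected
```

The second and third calls illustrate the two practical consequences from the text: moving signed content between URLs that differ requires re-signing, and a shortcode injected through another plugin's flaw is not executed unless the attacker also holds the key.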

WordPress Multisite

By giving users on a multisite network access to Oxygen, you’re giving them the ability to write PHP code from within Oxygen using elements like Code Block or Easy Posts.

Obviously, this means they could execute any arbitrary PHP code, just as if you gave them the privilege to install plugins or edit theme PHP files. Only grant Oxygen access on a network to users you would trust with those privileges.

Filtering Untrusted Dynamic Data

Oxygen allows you to output dynamic data on the front-end. This data is output unfiltered.

For most sites, only trusted users are able to create data that is used via Oxygen's dynamic data functions, so filtering is unnecessary.

If you are allowing untrusted parties to create data that is then output via Oxygen's dynamic data functions, you need to make sure it is filtered to mitigate the risk of an XSS attack.

Since Oxygen 4.8.1, we provide a filter for running all (or some) dynamic data through wp_kses_post() before outputting it on the front-end. This native WordPress function strips tags and attributes that are not on WordPress's post-content allowlist (for example script tags, on* event-handler attributes and javascript: URLs) and leaves the allowlisted HTML intact. The allowlist is the one returned by wp_kses_allowed_html( 'post' ) and documented in the WordPress developer reference. Note that wp_kses_post() also filters out some specific attributes, so be sure to test thoroughly if you implement this filter.

If you wish to filter all dynamic data values through wp_kses_post() before output, use this snippet via a Code Snippets or custom functionality plugin:

If you know that only certain types of dynamic data may contain untrusted values, you can filter dynamic data by handler instead. You can find a full list of Oxygen dynamic data handler names here.

Here is an example code snippet for filtering dynamic data fetched via the oxygen_meta and oxygen_custom handlers only:

If you have contributor+ level users on your site and they can write custom field values on posts, it's recommended to filter at least the oxygen_meta handler as shown in the above snippet.
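The following is an added example covering both cases above (filtering everything, and filtering only selected handlers); it is not the page's own snippet and not Oxygen's code. Two things in it are assumptions: the hook name 'oxygen_dynamic_data_output' is a placeholder for the filter Oxygen added in 4.8.1, and the callback is assumed to receive the value and the handler name as its two arguments. Replace both with the names and arguments from Oxygen's documentation before using it. The handler names oxygen_meta and oxygen_custom are the ones the page mentions; the tighter inline-only allowlist goes beyond the page by showing how to restrict a handler more than wp_kses_post() does.

```php
<?php
// Added example, not Oxygen's own snippet.
// ASSUMPTIONS: 'oxygen_dynamic_data_output' is a placeholder hook name standing
// in for the filter Oxygen introduced in 4.8.1, and the callback is assumed to
// receive ($value, $handler). Check Oxygen's docs for the real name and arguments.

declare(strict_types=1);

// Per-handler policy. Handlers missing from this map are left unfiltered, which
// keeps Oxygen's default behaviour for data only trusted users can write.
//   'post'   -> wp_kses_post(): WordPress's full post-content allowlist
//   'inline' -> a much smaller allowlist defined below
//   'all'    -> catch-all key: if present, every handler not listed gets that policy
const DYNAMIC_DATA_POLICY = [
    'oxygen_meta'   => 'post',   // custom-field values a contributor may have written
    'oxygen_custom' => 'inline', // constructed choice for the demo; adjust per site
    // 'all'        => 'post',   // uncomment to filter every handler instead
];

// Allowlist for data that should only ever carry basic formatting and plain links.
// Event-handler attributes and javascript: URLs are rejected by wp_kses regardless.
function inline_only_allowed_html(): array
{
    return [
        'a'      => ['href' => true, 'title' => true, 'rel' => true],
        'strong' => [],
        'em'     => [],
        'br'     => [],
        'p'      => [],
    ];
}

function filter_untrusted_dynamic_data($value, string $handler)
{
    if (!is_string($value)) {
        return $value; // arrays, numbers etc. are left untouched
    }

    $policy = DYNAMIC_DATA_POLICY[$handler] ?? DYNAMIC_DATA_POLICY['all'] ?? null;

    switch ($policy) {
        case 'post':
            return wp_kses_post($value);
        case 'inline':
            return wp_kses($value, inline_only_allowed_html());
        default:
            return $value; // no policy: trusted handler, output unchanged
    }
}

// Priority 10, two accepted arguments (value, handler) -- see assumptions above.
add_filter('oxygen_dynamic_data_output', 'filter_untrusted_dynamic_data', 10, 2);
```

To see exactly what wp_kses_post() keeps and drops on your install before relying on it, run something like `wp eval 'var_dump(wp_kses_post("<a href=\"javascript:alert(1)\" onclick=\"x()\">link</a><script>1</script>"));'` with WP-CLI: the script element and the onclick attribute are removed and the javascript: URL is neutralised, while the anchor itself survives. Then render a few pages that use the filtered handlers and confirm nothing legitimate was stripped.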

Last modified: March 11, 2024
Copyright © 2024 Soflyy