"Secret" data for the block

[danielbachhuber]

Just wanted to log this while I'm thinking of it.

The HTML comment storage paradigm doesn't permit "secret" data to be entered by the end user, and then be interpreted / rendered differently by the presentation layer.

[westonruter]

Secret data could be like a private RSS feed URL?

[danielbachhuber]

Secret data could be like a private RSS feed URL?

Right, as one example. API key as another example.

[aduth]

Yeah, this is a good question. An example could be a Gravatar block where the email address from which the image hash is generated shouldn't really be made available in the markup of the page.

Two options I could imagine:

• As part of front-end content filtering, strip all block comments
• Set expectations that private data is not to be stored. Alternatives could include using shortcodes instead, though might either defeat the purpose of a comment block or at least be less convenient.

[danielbachhuber]

I had another idea while I was out: have a lightweight API for storing the actual data in post meta, and only including a reference to the data in the HTML comment.

While this would violate the principle of storing all user data in post_content, it does open the door to storing data in post meta that doesn't make sense in a HTML comment.