This is from here
The pain of the choice.
What I am more worried, is why a Plugin like https://de.wordpress.org/plugins/syntaxhighlighter/ would be vulnerable, in its CP compatible versions (see https://patchstack.com/database/vulnerability/syntaxhighlighter), versus a JS library added to Theme or Plugin.
I am sorry if this is a noob question, I assume the vulnerabilities only can exist if the code actually does some queries, or else backend interactions (like a WP Plugin forcedly would do), which the libs shared above by you do not, since they take what’s “on page” and just highlight it.
What I want to know if both those libs can be deemed safe to use without any further concern or if we need to vet them further
I can implement them in a few minutes, I have already tried both locally and I think I would go for the Prism one as it has more granular control over what script types to highlight and without further ado looks quite good, whereas the Ejs needed some tweaking of the CSS and requires a inline JS to be added in order to work.
Also Prism forces (and works on)
code tags, which is seemingly the semantically correct thing to use.
Thus the only detail left here to clarify is security.
Sorry for not splitting the topic “properly”, I can’t, somehow this is only allowed to Admins.