Bug with password-protected pages

  • Resolved pnaw10

    (@pnaw10)


    8 years, 2 months ago

    On the settings page for the plugin, I have the following option turnd OFF: “Use for WordPress Pages – Show the SNAP metabox and auto-post for pages, not just posts.”

    As a result, the SNAP options do not appear on the Page editor screen — it only appears for the Post editor screen.

    However, it appears that the NXS/OG meta tags are still embedded into Pages. (Even when I temporarily enabled SNAP options for Pages, there is no option to control the plugin’s generation of Open Graph tags.) As a result, sensitive content which appears near the top of a password-protected page is being “skimmed” into the og:description meta tag within the “NXS/OG” block for that particular page. So even if someone hasn’t entered the password to view the page yet, they can look at the HTML source and find the sensitive information because your plugin displays it in the meta tag, even before the password is entered.

    This is a rather notable security flaw which should probably be addressed.

    For now, I turned off SNAP’s Open Graph function. Reloaded the page in question. The OG tags are gone (as is the sensitive information that shouldn’t be accessible until the Page password is entered).

    However, this disables the OG tags for the entire site, not just the page in question. So now I’ll need to figure out which one of my other plugins can take over in terms of generating OG tags for me… and test each of those to make sure they are capable of respecting the content of a password-protected Page.

    A quick fix might be to give each Post/Page an option to disable OG tags for just that Post/Page only, even if the user has other SNAP functions disabled for their Pages. Or, the plugin could perform a check when page is saved: IF post/page is password-protected, THEN replace the usual og:description tag with “This item is password-protected.”

    Or IF a page/post is password-protected, THEN automatically disable the OG tags for that page/post altogether. After all, most password-protected pages are intended for personalized/limited audiences anyway, not for the kind of sharing that would necessitate OG tags.

    Thank you for your consideration.

    https://wordpress.org/plugins/social-networks-auto-poster-facebook-twitter-g/

Viewing 1 replies (of 1 total)
  • Plugin Author NextScripts

    (@nextscripts)

    8 years, 2 months ago

    Our OG tags implementation is very simple and limited. It should be used only as fallback for people who are unable to setup OG tags properly.

    Please disable our OG tags in the setting and use some proper implementation from some SEO plugin or specific OG tags plugin.

Viewing 1 replies (of 1 total)
  • The topic ‘Bug with password-protected pages’ is closed to new replies.