• Resolved lostpine

    (@lostpine)


    This is not necessarily a support request but some additional information that could help with an issue of using the plugin on a very large site (over 900 pages and posts). I was able to use the plugin successfully on two other sites that I maintain. One with the same theme and one with a different theme. I did not use any category or tag filters and those sites worked perfectly, generating .PDF files of both posts and pages. These sites do not use any filters. I went back to the large site and disabled WP Cerber. I ran the plugin and it does not function. There are two observations I wish to pass on: (1) When I am tracking REST API, the plugin stops functioning at 94 pages. Assumption is that this is the page number of the .PDF file where it stopped. In my test I am filtering on categories and I know that there should be over 100 pages. (2) WP Cerber has an option for inserting a REST API “namespaces” for the plugin. I am not familiar with the function of this term but does PRINT MY BLOG need this in CERBER to function because of some type of space issue?

    It looks like the plugin tries to work but just runs out of room somehow and hangs. No error message anywhere that I can detect. I appreciate this plugin’s value and would like to offer this information as a help.

Viewing 10 replies - 1 through 10 (of 10 total)
  • Plugin Author Michael Nelson

    (@mnelson4)

    Thanks for reporting the issue you’re having and the symptoms you’ve noticed. Is WP Cerber still active on your site? If not (or it is but the REST API is enabled for site visitors), I should be able to try it and figure out what else is going wrong.

    About the namespaces: WP Cerber is meant to let you enable certain groups of WP REST API features (aka “endpoints” or “routes”). Print My Blog just uses WordPress’ main features/endpoints/routes, so I don’t think you should need to play with this.

    Thread Starter lostpine

    (@lostpine)

    Yes, WP Cerber is still active. I have found that specific plugin to be very good security. I do not enable REST API for site visitors, only logged in admin and that is limited to me. My original intent was to create .PDF files as an archive of pages. I also wanted to experiment with eBooks but have temporarily put that on hold.

    Plugin Author Michael Nelson

    (@mnelson4)

    Ok thanks. I’d like to debug what’s going on (because Print My Blog should load all your pages into the print-page, and if it has a problem it should show an error message) but can’t if the REST API is disabled for site visitors like me (unless you were to create a temporary account for me.)

    Right now my guess is that there’s some content on one of the pages that is causing a JavaScript error, but I can’t know what it is, or how to fix it, unless I am able to run it on your site and see.

    If you’re unable to temporarily enable the WP REST API for site visitors or send me temporary access as a user (maybe even a lower privileged user who’s allowed to use the REST API), I don’t have the information I need to figure out what’s going wrong.

    Thread Starter lostpine

    (@lostpine)

    You should be able to get to what you need. I have disabled all REST API blocking on the site. I will keep it this way for the next day (24 hr). If this does not do it for you, I will provide admin access but would prefer not to post the password on WordPress. Just send me a private message as to how to get the account information to you.

    Plugin Author Michael Nelson

    (@mnelson4)

    Hi @lostpine I just tried your site lostpine.com and it seems your security plugin is still blocking me from using the WordPress REST API (I get an error message when I visit https://lostpine.com/wp-json) and likewise when I try to visit the print page (eg https://www.lostpine.com/?print-my-blog=1).

    Have you re-enabled WP Cerber? If so, and if you’d like me to figure out what’s going wrong for you, please disable it and wait at least a full two weekdays to investigate.

    And by the way, no you shouldn’t post your password here. If you want to send me access to your site you should use my contact page at https://printmy.blog/contact

    Thread Starter lostpine

    (@lostpine)

    Michael,

    I had some time to look at the one plugin that is different between the sites I tested where PRINT MY BLOG worked and the large site it did not work on. This large site has had an issue in the past with XSS cross scripting hacking. I had added a plugin: Prevent XSS Vulnerability By Sami Ahmed Siddiqui to address the issue. This plugin specifically is removing the [] characters. While the plugin seems to have a lot of granularity in that I can deactivate the removal of any specific character, I don’t have sufficient background to understand if the characters [] are really necessary or an issue with XSS. Would love some advice if there is just a better way to address these things.

    Thread Starter lostpine

    (@lostpine)

    Final note: While plugin Prevent XSS Vulnerability by Sami Ahmed Siddiqui is listed as having no known incompatibilities, the way it works is incompatible with PRINT MY BLOG. I deactivated it, reactivated the original plugin 2.9.8 and it worked perfectly with categories as a filter. FYI

    I think this thread should be closed. Thank you for your efforts. The issue with how to prevent XSS and also not strip characters from a URL is a bigger issue than this thread should address.

    Plugin Author Michael Nelson

    (@mnelson4)

    Weird I thought I added another reply after https://wordpress.org/support/topic/some-additional-diagnostics-using-plugin-with-a-large-site/#post-13854329, in which I pointed out the characters [] were getting removed (and you seem to have read it). I guess it got automatically removed or something?
    Anyways, good identifying Prevent XSS Vulnerability plugin as the conflicting plugin. Their plugin is usually right to remove the [] characters, as they are a bit unusual. And when it comes to security, it’s best to remove everything unusual.

    Also, I just learned from https://web.archive.org/web/20130111073815/http://security.bleurgh.net/javascript-without-letters-or-numbers that these, in conjunction with other punctuation characters, can be used for XSS attacks.

    But if you’re using Print My Blog, then those square bracket characters are necessary.

    So I’d suggest that while using Print My Blog you configure Prevent XSS Vulnerability to allow square brackets, but then undo it when you’re done with Print My Blog.

    Does that make sense?
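
An added illustration of the conflict discussed above (not part of the original posts, and not code from either plugin): removing `[` and `]` from a request URL turns a PHP-style array parameter into a scalar, so a multi-value category filter loses values, whereas encoding values on output leaves the brackets in place. The sample URL, the parameter name `categories` and the stripping model are assumptions made for the example.

```javascript
// Constructed sample URL; the parameter name "categories" is hypothetical,
// not taken from Print My Blog's code.
const SAMPLE = 'https://example.test/?print-my-blog=1&categories[]=12&categories[]=34';

// Assumed model of the filter described in the thread: drop "[" and "]"
// (raw or percent-encoded) from the query string.
function stripBrackets(url) {
  const [base, query = ''] = url.split('?');
  return base + '?' + query.replace(/\[|\]|%5B|%5D/gi, '');
}

// Minimal PHP-style query parsing: "name[]=v" appends to an array,
// a plain "name=v" is a scalar and a repeated name overwrites the earlier value.
function parsePhpStyleQuery(url) {
  const out = {};
  for (const [rawKey, value] of new URL(url).searchParams) {
    if (rawKey.endsWith('[]')) {
      const key = rawKey.slice(0, -2);
      if (!Array.isArray(out[key])) out[key] = [];
      out[key].push(value);
    } else {
      out[rawKey] = value;
    }
  }
  return out;
}

// Output encoding for HTML text and attribute contexts: the markup-significant
// characters are neutralised at render time and brackets pass through unchanged.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function demo() {
  const intact = parsePhpStyleQuery(SAMPLE);
  const stripped = parsePhpStyleQuery(stripBrackets(SAMPLE));
  return { intact, stripped, encoded: escapeHtml('<b>categories[]</b>') };
}

console.log(JSON.stringify(demo(), null, 2));
```

With the brackets intact both category IDs arrive as an array; after stripping, only the last value survives and no error is raised, which matches a filter that fails without a message.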

    Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    @lostpine >> ). If this does not do it for you, I will provide admin access but would prefer not to post the password on WordPress. <<

    Please don’t offer to send or post logon credentials on these forums: https://wordpress.org/support/guidelines#the-bad-stuff

    You may trust this developer/author, but it normalizes a dangerous practice. It’s a fine line, but one that we need to enforce. Thanks for your cooperation.

    @mnelson4

    >> If you want to send me access to your site you should use my contact page at<<

    While I know you have the best of intentions, it’s forum policy that you not ask users for admin or server access. Users on the forums aren’t your customers, they’re your open source collaborators, and requesting that kind of access can put you and them at high risk.

    If they are paying customers (such as people who bought a premium service/product from you) then by all means, direct them to your official customer support system. But in all other cases, you need to help them here on the forums.

    Thankfully there are other ways to get information you need:

    You get the idea.

    We know volunteer support is not easy, and this guideline can feel needlessly restrictive. It’s actually there to protect you as much as end users. Should their site be hacked or have any issues after you accessed it, you could be held legally liable for damages. In addition, it’s difficult for end users to know the difference between helpful developers and people with malicious intentions. Because of that, we rely on plugin developers and long-standing volunteers (like you) to help us and uphold this particular guideline.

    When you help users here and in public, you also help the next person with the same problem. They’ll be able to read the debugging and solution and educate themselves. That’s how we get the next generation of developers.

    You’ve been placed on “modwatch” until we’re convinced such postings have stopped. Your account has *not* been banned, we just want to check things for a while before they’re public. If you wish to take issue with this, contact moderators via the #forums channel on slack (https://make.wordpress.org/slack)

    Plugin Author Michael Nelson

    (@mnelson4)

    Ok thanks for the reminder @sterndata. Sorry yes I had neglected that rule for the sake of my convenience and because it was offered (for the record I originally refused admin access but should have reminded lostpine about the rule too and stood by it). In the future, I won’t point users to my contact page unless they’re paying users, and if they offer admin credentials to a live site I will refuse.

    Also, when I mentioned that I couldn’t find my previous reply, I just realized it was because I accidentally posted to the related thread.

    Anyways, I created an issue with the other plugin’s developer so they’re aware of the plugin conflict.

    I believe this issue is now resolved.

    • This reply was modified 3 years, 3 months ago by Michael Nelson. Reason: add what I'll do next time to clarify I understand the policy
  • The topic ‘Some Additional Diagnostics using plugin with a large site’ is closed to new replies.