Title: gerobe's Replies | WordPress.org

---

# gerobe

  [  ](https://wordpress.org/support/users/gerobe/)

 *   [Profile](https://wordpress.org/support/users/gerobe/)
 *   [Topics Started](https://wordpress.org/support/users/gerobe/topics/)
 *   [Replies Created](https://wordpress.org/support/users/gerobe/replies/)
 *   [Reviews Written](https://wordpress.org/support/users/gerobe/reviews/)
 *   [Topics Replied To](https://wordpress.org/support/users/gerobe/replied-to/)
 *   [Engagements](https://wordpress.org/support/users/gerobe/engagements/)
 *   [Favorites](https://wordpress.org/support/users/gerobe/favorites/)

 Search replies:

## Forum Replies Created

Viewing 15 replies - 1 through 15 (of 177 total)

1 [2](https://wordpress.org/support/users/gerobe/replies/page/2/?output_format=md)
[3](https://wordpress.org/support/users/gerobe/replies/page/3/?output_format=md)…
[10](https://wordpress.org/support/users/gerobe/replies/page/10/?output_format=md)
[11](https://wordpress.org/support/users/gerobe/replies/page/11/?output_format=md)
[12](https://wordpress.org/support/users/gerobe/replies/page/12/?output_format=md)
[→](https://wordpress.org/support/users/gerobe/replies/page/2/?output_format=md)

 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[Shariff Wrapper] Version 4.6.17 crashed site](https://wordpress.org/support/topic/version-4-6-17-crashed-site/)
 *  Thread Starter [gerobe](https://wordpress.org/support/users/gerobe/)
 * (@gerobe)
 * [3 weeks, 6 days ago](https://wordpress.org/support/topic/version-4-6-17-crashed-site/#post-18881486)
 * After fixing the two bugs already reported (missing sanitization.php and broken
   admin notice), I did a broader code review of 4.6.17 and found four more issues.
 * Bug 1 — Critical: Operator precedence error breaks service validation (shariff.
   php line 413)
 * The security check that prevents invalid service names from being executed has
   its logic inverted due to a PHP operator precedence issue. In PHP, ! has lower
   precedence than ===, so the condition skips valid services and executes invalid
   ones — the exact opposite of what was intended. The whitelist check is completely
   ineffective as written.
 * // actual code – logic is flipped
   if ( !in_array( $service , $valid_services,
   true )===true ) continue;// correctif ( ! in_array( $service, $valid_services,
   true ) ) continue;
 * Bug 2 — Critical: Wrong array key corrupts migration data (updates.php lines 
   301–302)
 * When upgrading from a version older than 4.6.13 the migration routine that renames
   add_before[‘pages’] to add_before[‘page’] reads from a wrong array key. The two
   surrounding lines for ‘posts’ and ‘blogpage’ are correct — only the ‘pages’ line
   has the typo. For any user going through this migration path, the “add buttons
   before pages” setting is silently lost.
 * // actual code – reads from empty key, result is null
   $shariff3uu_basic[‘add_before’][‘
   page’] = $shariff3uu_basic[”][‘pages’];unset($shariff3uu_basic[”][‘pages’]);//
   correct$shariff3uu_basic[‘add_before’][‘page’] = $shariff3uu_basic[‘add_before’][‘
   pages’];unset($shariff3uu_basic[‘add_before’][‘pages’]);
 * Bug 3 — High: Unvalidated $_GET[‘tab’] passed to WordPress core functions (admin-
   menu.php line 2207)
 * The active tab is read directly from $_GET[‘tab’] without sanitization or validation
   and then passed to settings_fields() and do_settings_sections(). A crafted URL
   sent to a logged-in admin could cause arbitrary settings groups to be rendered.
   Fix: strict allowlist + sanitize_key().
 * // actual code
   $active_tab = $_GET[‘tab’];// correct$allowed_tabs = array( ‘shariff3uu_basic’,‘
   shariff3uu_design’, ‘shariff3uu_advanced’,‘shariff3uu_statistic’, ‘shariff3uu_help’,‘
   shariff3uu_status’, ‘shariff3uu_ranking’ );$active_tab = ( isset( $_GET[‘tab’])&&
   in_array( sanitize_key( $_GET[‘tab’] ), $allowed_tabs, true ) )? sanitize_key(
   $_GET[‘tab’] ) : ‘shariff3uu_basic’;
 * Bug 4 — Low: Integer comparisons against string literals (shariff.php, TTL logic)
 * After absint() produces an integer it is compared against quoted string numbers
   in 8 places. PHP coerces types silently so no wrong result occurs, but it is 
   technically incorrect.
 * // actual code
   if ( $ttl < ’61’ ) { $ttl = ’60’; }if ( $ttl > ‘7200’ ) { $ttl
   = ‘7200’; }// correctif ( $ttl < 61 ) { $ttl = 60; }if ( $ttl > 7200 ) { $ttl
   = 7200; }
 * Summary:
    - Bug 1 — shariff.php:413 — Critical — Service whitelist check completely inverted
    - Bug 2 — updates.php:301 — Critical — “Add before pages” setting lost on migration
    - Bug 3 — admin-menu.php:2207 — High — Unvalidated user input passed to WP core
    - Bug 4 — shariff.php (8 places) — Low — Integer vs. string comparisons in TTL
      logic
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[Shariff Wrapper] Version 4.6.17 crashed site](https://wordpress.org/support/topic/version-4-6-17-crashed-site/)
 *  Thread Starter [gerobe](https://wordpress.org/support/users/gerobe/)
 * (@gerobe)
 * [3 weeks, 6 days ago](https://wordpress.org/support/topic/version-4-6-17-crashed-site/#post-18881477)
 * After fixing the fatal error caused by the missing `sanitization.php`, a second
   bug in 4.6.17 becomes visible: a persistent admin notice appears on every page
   of the WordPress backend that cannot be dismissed.
 * **Two issues in admin/admin-notices.php:**
 * **1. Hardcoded version number (line 20)**
   The notice reads _“successfully updated
   to version 4.0”_ — regardless of which version is actually installed. The variable`
   $new_version` is correctly fetched one line above but is never used in the output
   string:
 *     ```wp-block-code
       // Line 19 – correct value fetched …$new_version = $GLOBALS["shariff3UU"]["version"];// Line 20 – … but never used, "4.0" is hardcoded insteadecho "… updated to version 4.0 …";
       ```
   
 * **2. Dismiss button invisible (line 20)**
   The close button relies on custom CSS
   classes `shariff_admininfo_cross` and `shariff_cross_icon` that are not defined
   anywhere in the plugin. The button is therefore invisible and the notice can 
   never be dismissed — it reappears on every admin page load for every admin user
   who has not previously clicked it.
 * **Fix:**
   Replace the custom div-based button with WordPress’s built-in `is-dismissible`/`
   notice-dismiss` mechanism (already available in all supported WP versions, no
   extra CSS needed), and replace the hardcoded `"4.0"` with `$new_version`:
 *     ```wp-block-code
       $new_version = isset( $GLOBALS['shariff3uu']['version'] ) ? esc_html( $GLOBALS['shariff3uu']['version'] ) : '4.6.17';echo '<div class="updated notice is-dismissible"><p>';printf( '… updated to version %s …', $new_version );echo '<a href="' . esc_url( $link ) . '" class="notice-dismiss"> …</a>';echo '</div>';
       ```
   
 * **Steps to reproduce:**
    1. Install or update to Shariff Wrapper 4.6.17
    2. Open any WordPress admin page — the notice appears
    3. There is no visible way to close it
 * **Note:** This bug exists independently of the missing `sanitization.php` and
   would affect every installation of 4.6.17 where the admin has not previously 
   dismissed the notice in an earlier version.
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[Shariff Wrapper] Version 4.6.17 crashed site](https://wordpress.org/support/topic/version-4-6-17-crashed-site/)
 *  Thread Starter [gerobe](https://wordpress.org/support/users/gerobe/)
 * (@gerobe)
 * [3 weeks, 6 days ago](https://wordpress.org/support/topic/version-4-6-17-crashed-site/#post-18881464)
 * The changelog for 4.6.17 states _“sanitize short code uses the same checker like
   admin page now”_. This means the sanitization functions were correctly refactored
   out of the admin page into a new shared file includes/sanitization.php — so that
   both the admin settings page and the `[shariff]` shortcode renderer run through
   identical validation. However, **the file was not included in the released plugin
   package**. The `includes/` directory ships only `phpqrcode.php` and `class-shariff-
   widget.php`.
 * The missing file must define five functions called throughout the plugin:FunctionUsed
   in`strip_hackers()``shariff.php` (9 call sites)`shariff3uu_basic_sanitize()``
   shariff.php:886`, admin/admin-menu.php:59`shariff3uu_design_sanitize()``shariff.
   php:887`, admin/admin-menu.php:117`shariff3uu_advanced_sanitize()``shariff.php:
   888`, admin/admin-menu.php:278`shariff3uu_statistic_sanitize()``shariff.php:889`,
   admin/admin-menu.php:417
 * **Also relevant to the BTC fix in this release:** The changelog states _“update
   BTC address checks to work with recent schemes”_. The regex in `bitcoin.php` 
   already validates both legacy addresses (`1…`/`3…`) and native SegWit bech32 
   addresses (`bc1…`). The same regex needs to be applied in `shariff3uu_advanced_sanitize()`
   when storing the `bitcoinaddress` option — otherwise the admin page accepts addresses
   that `bitcoin.php` would reject (or vice versa). Without `sanitization.php` this
   tightened check never runs at all.
 * **Steps to reproduce:**
    1. Update to Shariff Wrapper 4.6.17
    2. Any page load — site is immediately inaccessible
 * **Fix:** Please add includes/sanitization.php to the plugin package and release
   4.6.18.
 * The changelog made it clear this was a **packaging mistake**, not a logic bug—
   the file was written (the refactoring is correctly referenced everywhere in the
   code) but simply wasn’t committed/included in the zip. The Bitcoin address regex
   in bitcoin.php:18 is already the updated one; the sanitization.php I reconstructed
   uses the exact same pattern.
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[cformsII] AJAX error due to in hidden field – Solution](https://wordpress.org/support/topic/ajax-error-due-to-in-hidden-field-solution/)
 *  Thread Starter [gerobe](https://wordpress.org/support/users/gerobe/)
 * (@gerobe)
 * [1 year ago](https://wordpress.org/support/topic/ajax-error-due-to-in-hidden-field-solution/#post-18445565)
 * Thank you for implementing this solution into the official version so fast!
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[cformsII] Please bring cforms2 back](https://wordpress.org/support/topic/please-bring-cforms2-back/)
 *  Thread Starter [gerobe](https://wordpress.org/support/users/gerobe/)
 * (@gerobe)
 * [2 years, 2 months ago](https://wordpress.org/support/topic/please-bring-cforms2-back/#post-17438446)
 * Thank you [@bgermann](https://wordpress.org/support/users/bgermann/) !
 * Good to know you will look into it.
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[Shariff Wrapper] Replace Twitter with X](https://wordpress.org/support/topic/replace-twitter-with-x/)
 *  [gerobe](https://wordpress.org/support/users/gerobe/)
 * (@gerobe)
 * [2 years, 5 months ago](https://wordpress.org/support/topic/replace-twitter-with-x/#post-17237894)
 * Replace in shariff-twitter.php with this code
 *     ```wp-block-code
       // Colors.
       $main_color = '#000000';
       $secondary_color = '#444444';
       $wcag_color = '#000000';
   
       // SVG icon.
       $svg_icon = '<svg width="32px" height="20px" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path fill="' . $main_color . '" d="M14.258 10.152L23.176 0h-2.113l-7.747 8.813L7.133 0H0l9.352 13.328L0 23.973h2.113l8.176-9.309 6.531 9.309h7.133zm-2.895 3.293l-.949-1.328L2.875 1.56h3.246l6.086 8.523.945 1.328 7.91 11.078h-3.246zm0 0"/></svg>';
       ```
   
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[Podlove Web Player] Podlove Web Player Vulnerability](https://wordpress.org/support/topic/podlove-web-player-vulnerability/)
 *  [gerobe](https://wordpress.org/support/users/gerobe/)
 * (@gerobe)
 * [2 years, 5 months ago](https://wordpress.org/support/topic/podlove-web-player-vulnerability/#post-17221147)
 * Auch Wordfence meldet das
 * [https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/podlove-web-player/podlove-web-player-571-missing-authorization](https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/podlove-web-player/podlove-web-player-571-missing-authorization)
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[WebberZone Top 10 — Popular Posts] 3.1.0 update messes up output](https://wordpress.org/support/topic/3-1-0-update-messes-up-output/)
 *  [gerobe](https://wordpress.org/support/users/gerobe/)
 * (@gerobe)
 * [4 years, 1 month ago](https://wordpress.org/support/topic/3-1-0-update-messes-up-output/#post-15544376)
 * Wow! Great! Thank you! Works perfectly.
    What’s the `$args` to disable the thumbnail
   in the backend view?
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[WebberZone Top 10 — Popular Posts] 3.1.0 update messes up output](https://wordpress.org/support/topic/3-1-0-update-messes-up-output/)
 *  [gerobe](https://wordpress.org/support/users/gerobe/)
 * (@gerobe)
 * [4 years, 1 month ago](https://wordpress.org/support/topic/3-1-0-update-messes-up-output/#post-15544108)
 * Hello Ajay,
    but I need to see the values in the backend, that reflect the output
   in the frontend (as it used to be before the update). In the frontend I don‘t
   display the count and the daily counter does not reset at midnight. I need a 
   backend-widget, that reflects (and shows) the frontend list. Please bring it 
   back (maybe as a third widget).
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[WebberZone Top 10 — Popular Posts] 3.1.0 update messes up output](https://wordpress.org/support/topic/3-1-0-update-messes-up-output/)
 *  [gerobe](https://wordpress.org/support/users/gerobe/)
 * (@gerobe)
 * [4 years, 1 month ago](https://wordpress.org/support/topic/3-1-0-update-messes-up-output/#post-15542932)
 * I can confirm the “mess” on the daily popular widget on the admin page.
 * Since the latest two updates it displays pages there, too. Although I have not
   included the pages to be counted (not selected as “Post types to include” in 
   settings-page/post list).
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[MailPoet Newsletters (Previous)] Version 2.17 broke subscribe-buttons and archive](https://wordpress.org/support/topic/version-2-17-broke-subscribe-buttons-and-archive/)
 *  Thread Starter [gerobe](https://wordpress.org/support/users/gerobe/)
 * (@gerobe)
 * [4 years, 5 months ago](https://wordpress.org/support/topic/version-2-17-broke-subscribe-buttons-and-archive/#post-15128455)
 * Thank you for the quick fix!
    With version 2.18 the archive and the subcribe-
   forms are working again.
 * Except: When using the date-placeholders in a newsletter (e. g. [date:d] [date:
   y] …) the newsletter in the archive always shows todays date and not the date
   the newsletter was sent.
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[PublishPress Checklists: Pre-Publishing Approval Checklist - Validate Post Requirements] Anchor links are treated as incorrect](https://wordpress.org/support/topic/anchor-links-are-treated-as-incorrect/)
 *  Thread Starter [gerobe](https://wordpress.org/support/users/gerobe/)
 * (@gerobe)
 * [5 years, 1 month ago](https://wordpress.org/support/topic/anchor-links-are-treated-as-incorrect/#post-14265965)
 * Unfortunately this bug has not been fixed in the latest releases. When will it
   be fixed?
 * Additionaly I noticed, that a link with a ! is also marked as wrong like in [https://taz.de/!1406465/](https://taz.de/!1406465/)
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[PublishPress Checklists: Pre-Publishing Approval Checklist - Validate Post Requirements] Anchor links are treated as incorrect](https://wordpress.org/support/topic/anchor-links-are-treated-as-incorrect/)
 *  Thread Starter [gerobe](https://wordpress.org/support/users/gerobe/)
 * (@gerobe)
 * [5 years, 1 month ago](https://wordpress.org/support/topic/anchor-links-are-treated-as-incorrect/#post-14191313)
 * Thank you!
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[PublishPress Checklists: Pre-Publishing Approval Checklist - Validate Post Requirements] Anchor links are treated as incorrect](https://wordpress.org/support/topic/anchor-links-are-treated-as-incorrect/)
 *  Thread Starter [gerobe](https://wordpress.org/support/users/gerobe/)
 * (@gerobe)
 * [5 years, 1 month ago](https://wordpress.org/support/topic/anchor-links-are-treated-as-incorrect/#post-14190569)
 * Hi [@stevejburge](https://wordpress.org/support/users/stevejburge/)
 * > Are you asking about the “All links use a valid format” requirement?
 * Yes, right.
 * > Are you using Gutenberg, or an alternative?
 * I still use the classic editor with WP 5.7 (switched from Guttenberg with the
   plugin »Classic Editor«)
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[Yoast SEO - Advanced SEO with real-time guidance and built-in AI] Optimizing of SEO data does not last](https://wordpress.org/support/topic/optimizing-of-seo-data-does-not-last/)
 *  Thread Starter [gerobe](https://wordpress.org/support/users/gerobe/)
 * (@gerobe)
 * [5 years, 2 months ago](https://wordpress.org/support/topic/optimizing-of-seo-data-does-not-last/#post-14044248)
 * Hello,
    the Test Helper seems to have worked. Thank you!

Viewing 15 replies - 1 through 15 (of 177 total)

1 [2](https://wordpress.org/support/users/gerobe/replies/page/2/?output_format=md)
[3](https://wordpress.org/support/users/gerobe/replies/page/3/?output_format=md)…
[10](https://wordpress.org/support/users/gerobe/replies/page/10/?output_format=md)
[11](https://wordpress.org/support/users/gerobe/replies/page/11/?output_format=md)
[12](https://wordpress.org/support/users/gerobe/replies/page/12/?output_format=md)
[→](https://wordpress.org/support/users/gerobe/replies/page/2/?output_format=md)