jedney
Forum Replies Created
Forum: Plugins
In reply to: [Events Made Easy] Template Stripping Tags
There’s always a lot of opinions that get bandied around when it comes to Infosec. I’m a full-time Infosec bod and retired Developer, so I totally get what others have told you and I really can’t disagree with the worst-case scenarios that have been highlighted to you.
Infosec done well is a balancing act though – otherwise you risk jeopardising the very outcomes that you are trying to protect.
Just some counter-points that you may or may not want to consider;
True CSRF and XSS are an existential risk, although if an Admin gets hacked or tricked into carrying out tasks there’s a myriad of ways it becomes bad news. Sanitising some of the admin input fields in EME would (IMHO) do nothing to save the day. They could inject rogue code into the HTML fields in the EME database bypassing sanitisation, they could inject through one of the fields that doesn’t have sanitisation, they could add their own JavaScript to one of the theme files, they could download the database, they could hook into the RSVP feature with a PHP hook, the list goes on.
Initially when I read your comment about the sanitisation for admin posts I was quite surprised, I don’t use posts so I wasn’t familiar with that. Thinking about it a bit more though, posts are short excerpts of (mostly) readonly repeating text blocks that go inside an established page/UI/theme. Because of that, limiting the use of tags to ensure the integrity of the theme/UI makes a lot of sense – you wouldn’t want a single post refining the CSS for every post on the page. On the other hand, the custom templates feature in EME is there (as I understand it) to build a full page/UI (or HTML email), in which case a richer set of tags and controls could reasonably be required.
I just thought it might be useful to put the alternative viewpoint forward; security is rarely black-and-white, context and informed risk judgement are everything. It’s your plugin and I’m certainly not going to push the issue, you will never please everyone! You build this for the good of the community and I (as well as a lot of others) am eternally grateful.
Forum: Plugins
In reply to: [Events Made Easy] Template Stripping Tags
Thanks Franky. Looks like a decent amount of Google hits for that, I will see what I can find.
Is this something you might consider making configurable in the future please?
One of the StackExchange hits I just read on this confirms my own thoughts that: “You shouldn’t need to run wp_kses() on your own markup though, you should know it’s safe. wp_kses() is generally just for handling untrusted input from users.”
Forum: Plugins
In reply to: [Events Made Easy] Template Stripping Tags
Hi Franky, thanks for such a quick reply. That explains it.
Is there a wildcard option for the Extra tags? Either per-tag or overall please?
I’ve just been trying to compare what is being stripped and I’m up to 8 tags and many of them have several attributes. Whilst I can probably work this out for this specific template (because I have a before and after to compare), I’m concerned this could happen again in another part of the config and I might not know until someone reports a problem with the site. It could be as subtle as a single attribute on a tag.
I understand the rationale for sanitising user input, but for my particular use-case having div, style and center tags being stripped from admin input is more of a hindrance than an asset, especially when I’m building HTML templates. If there’s a way to whitelist all tags (effectively turn the sanitisation off) that would be really useful. Alternatively, do you know if there’s a list of sanitised tags and attributes available somewhere that I can copy/paste into the ‘Extra html tags’ box please?
Thanks again for your help and for all the time you devote to this awesome plugin.
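Both of the replies above on template stripping come down to the same two questions: what exactly does the wp_kses() filter remove from a template, and how does extending the allowed-tags list change that? The following is an added example, not code from Events Made Easy or WordPress core. It assumes WordPress is loaded (for instance run with `wp eval-file` or from a mu-plugin while testing), because wp_kses() lives in wp-includes/kses.php. The helper kses_removed_items() is hypothetical, the template fragment and the allowed-tag lists are constructed, and the exact storage format of the plugin’s “Extra html tags” setting is not shown here.

```php
<?php
// Added example, not code from Events Made Easy or WordPress core.
// Assumes WordPress is loaded so that wp_kses() is available.
//
// (1) Shows that wp_kses() only makes sense for markup you do not trust.
// (2) Reports exactly which tags and attributes the filter removed from a
//     template, so a change elsewhere in the config is noticed immediately
//     rather than when a visitor reports a broken page.

// Constructed sample fragment in the style of a custom event template.
$template = '<div class="event" style="display:none"><center>'
    . '<meta itemprop="name" content="#_EVENTNAME">'
    . '<span itemprop="streetAddress" style="display:block;">#_ADDRESS</span>'
    . '<a href="#_EXTERNALURL" onclick="alert(1)">more</a>'
    . '</center></div>';

// Constructed baseline allowed list, deliberately small to mimic a strict
// default. Keys are lowercase tag names, values are the permitted attributes.
$base_allowed = array(
    'a'    => array( 'href' => true, 'title' => true ),
    'span' => array( 'class' => true ),
    'meta' => array( 'itemprop' => true, 'content' => true ),
);

/**
 * Hypothetical helper (not a WordPress function): list the tags and
 * tag[attribute] pairs that occur in $before but not in $after.
 * Adequate for well-formed template markup; it is not a general HTML parser.
 */
function kses_removed_items( $before, $after ) {
    $collect = function ( $html ) {
        $found = array();
        preg_match_all( '/<([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/', $html, $tags, PREG_SET_ORDER );
        foreach ( $tags as $tag ) {
            $name           = strtolower( $tag[1] );
            $found[ $name ] = true;
            // \b rather than \s so an attribute glued to a closing quote
            // (itemprop="x"style="y") is still counted.
            preg_match_all( '/\b([a-zA-Z][a-zA-Z0-9:-]*)\s*=\s*["\']/', $tag[2], $attrs );
            foreach ( $attrs[1] as $attr ) {
                $found[ $name . '[' . strtolower( $attr ) . ']' ] = true;
            }
        }
        return $found;
    };
    return array_keys( array_diff_key( $collect( $before ), $collect( $after ) ) );
}

// 1. Strict list: the layout tags and the microdata attributes disappear
//    along with the genuinely dangerous onclick handler.
$strict = wp_kses( $template, $base_allowed );
echo "Removed with the strict list:\n";
print_r( kses_removed_items( $template, $strict ) );

// 2. Same idea as the plugin's "Extra html tags" box: extend the list with
//    the tags the template legitimately needs. The event-handler attribute
//    is still dropped because it never appears in the list.
$extra_allowed = array(
    'div'    => array( 'class' => true, 'style' => true, 'itemscope' => true,
                       'itemtype' => true, 'itemprop' => true ),
    'center' => array(),
    'span'   => array( 'style' => true, 'itemprop' => true ),
    'meta'   => array( 'itemprop' => true, 'content' => true ),
);
// array_replace_recursive keeps existing attribute entries and adds the new
// ones; array_merge_recursive would turn duplicate keys into arrays.
$allowed = array_replace_recursive( $base_allowed, $extra_allowed );
$relaxed = wp_kses( $template, $allowed );
echo "Removed with the extended list:\n";
print_r( kses_removed_items( $template, $relaxed ) );
```

Running the second print against a real template gives the copy/paste list asked for above: every entry still reported after extending the list is either a tag or attribute that must be added, or something the filter should keep removing (inline event handlers being the obvious case).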
Forum: Plugins
In reply to: [Events Made Easy] Google Event Markup (JSON)
Thanks Josiah, I might try some of those tags instead.
As it stands, my page passes the Google Structured Data Test fine.
I’m quite unsure on whether these should be in the HEAD or BODY. I agree Meta tags are usually in the HEAD. The code I used came from a generator I found online (and then supplemented with some examples from the Google docs). It spat the code out as a single block but didn’t specify where to put it. As the Meta blocks are wrapped in DIV’s and SPAN’s I took it that the tags are designed to add extra markup to visible content (e.g. BODY content). I got the impression the JSON-LD method is more for when you want the tags hidden in the page (e.g. in the HEAD section).
I didn’t want all the hassle of having to wrap and tag all the page as I had just got it the way I wanted, so I cheated and used inline CSS on the parent DIV (display:none) to hide all the Metadata 🙂
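For the JSON-LD route mentioned in the reply above, here is an added example, not code from Events Made Easy. It is plain PHP with no WordPress dependency, so it can be run from the command line. The helper event_jsonld() and the $sample event array are constructed assumptions; in a real site the array would be filled from the event record, and how to fetch that record is not shown here. The point it adds is an output-encoding one: placing #_ placeholders straight into JSON text inside a script element means a quote or angle bracket in an event name can break the JSON or end the script element early, whereas json_encode() with JSON_HEX_TAG produces a block that is safe to put in the HEAD.

```php
<?php
// Added example, not code from Events Made Easy. Plain PHP, runs with
// `php event-jsonld.php`. Builds the JSON-LD equivalent of the microdata
// block from an event array, for use in the HEAD of the page.

/**
 * Hypothetical helper: return a <script type="application/ld+json"> element
 * describing one schema.org Event.
 */
function event_jsonld( array $event ) {
    $data = array(
        '@context'    => 'https://schema.org',
        '@type'       => 'Event',
        'name'        => $event['name'],
        'description' => $event['notes'],
        'startDate'   => $event['start'],   // ISO 8601, e.g. 2024-05-01T19:00
        'endDate'     => $event['end'],
        'url'         => $event['url'],
        'image'       => $event['image'],
        'maximumAttendeeCapacity'   => (int) $event['total_spaces'],
        'remainingAttendeeCapacity' => (int) $event['available_spaces'],
        'location'    => array(
            '@type'   => 'Place',
            'name'    => $event['location_name'],
            'address' => array(
                '@type'           => 'PostalAddress',
                'streetAddress'   => $event['address'],
                'addressLocality' => $event['town'],
                'addressRegion'   => $event['state'],
                'postalCode'      => $event['zip'],
                'addressCountry'  => $event['country'],
            ),
        ),
    );
    // JSON_HEX_TAG turns < and > into \u003C and \u003E, so no value can
    // contain a literal "</script>"; JSON_HEX_AMP does the same for "&".
    // Both are still valid JSON and are decoded normally by consumers.
    $json = json_encode(
        $data,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_UNESCAPED_SLASHES | JSON_PRETTY_PRINT
    );
    return '<script type="application/ld+json">' . "\n" . $json . "\n" . '</script>';
}

// Constructed sample event. The name contains a closing script tag on
// purpose, to show that it reaches the output encoded rather than literally.
$sample = array(
    'name'             => 'Spring Fair </script>',
    'notes'            => 'Annual village fair',
    'start'            => '2024-05-01T10:00',
    'end'              => '2024-05-01T16:00',
    'url'              => 'https://example.org/events/spring-fair',
    'image'            => 'https://example.org/images/fair.jpg',
    'total_spaces'     => 200,
    'available_spaces' => 37,
    'location_name'    => 'Village Hall',
    'address'          => '1 High Street',
    'town'             => 'Sometown',
    'state'            => 'Someshire',
    'zip'              => 'AB1 2CD',
    'country'          => 'GB',
);

echo event_jsonld( $sample ), "\n";
```

Because the block is data rather than visible markup, it belongs in the HEAD and needs no display:none wrapper; the Google Structured Data Test reads JSON-LD and microdata alike.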
Forum: Plugins
In reply to: [Events Made Easy] Google Event Markup (JSON)
Good spotting! Thanks.
The total spaces should have been “maximumAttendeeCapacity”.
Thanks again.
Forum: Plugins
In reply to: [Events Made Easy] Google Event Markup (JSON)
Thanks Franky.
For anyone else trying to do this, here’s some sample code which you can include in your site (I ended up putting it under the “Default single event format” HTML in the “Events” tab of Settings):
<div itemscope itemtype="http://schema.org/Event" style="display:none">
  <meta itemprop="description" content="#_NOTES">
  <!-- total spaces is maximumAttendeeCapacity, not remainingAttendeeCapacity (corrected, see the follow-up reply) -->
  <meta itemprop="maximumAttendeeCapacity" content="#_TOTALSPACES">
  <meta itemprop="remainingAttendeeCapacity" content="#_AVAILABLESPACES">
  <meta itemprop="startDate" content="#_{Y-m-d}T#_24HSTARTTIME">
  <meta itemprop="endDate" content="#@_{Y-m-d}T#_24HENDTIME">
  <img itemprop="image" src="#_EVENTIMAGEURL" alt=""/>
  <link itemprop="url" href="#_EXTERNALURL" rel="author"/>
  <a itemprop="url" href="#_EXTERNALURL"><span itemprop="name">#_EVENTNAME</span></a>
  <div itemprop="location" itemscope itemtype="http://schema.org/Place">
    <span itemprop="name" style="display:block;">#_LOCATIONNAME</span>
    <div itemprop="address" itemscope itemtype="http://schema.org/PostalAddress">
      <span itemprop="streetAddress" style="display:block;">#_ADDRESS</span>
      <div>
        <span itemprop="addressLocality" style="display:block;">#_TOWN</span>,
        <span itemprop="addressRegion" style="display:block;">#_STATE</span>
      </div>
      <span itemprop="postalCode" style="display:block;">#_ZIP</span>
      <span itemprop="addressCountry" style="display:block;">#_COUNTRY</span>
    </div>
  </div>
</div>