Forum Replies Created

Viewing 15 replies - 91 through 105 (of 1,152 total)
  • Plugin Author oferwald

    (@oferwald)

    Sorry for not getting to you sooner. Please try the contact form on our site again and let me know if there are still issues (try writing only in English); if this doesn’t work I’ll try contacting you directly.

    Plugin Author oferwald

    (@oferwald)

    Hi,

    It was really nice of you to make a video, and it took me a while to find the time to watch it thoroughly.

    Some comments:
    1. To remove the logo, you can simply use an option in the settings 🙂
    2. Your z-index for the header is extremely high, so the translation interface ends up behind it.
    3. Since it seems like you wanted only administrators to translate, you should probably have ticked off anonymous; this also makes the work on resizing this text a bit unnecessary, as users won’t even see it.
    4. The translation editor will only show you translations made by humans; I should probably work on this more.
    5. You don’t need to use the CSS !important that much. You surely can, but when you have very specific rules for our classes it’s probably not needed.

    Nice work, and again, thanks for sharing.

    Plugin Author oferwald

    (@oferwald)

    Open the translation interface anywhere and use next/back until you find it. You may also normally find things like the description as a bunch of semi-transparent icons at the end of the HTML.

    Plugin Author oferwald

    (@oferwald)

    Pictures please, my guessing powers are depleted.

    Plugin Author oferwald

    (@oferwald)

    The front-end user interface, where you can edit all translations: just hit the edit translation link when you are an admin, or add tpedit=y to the end of your URLs.

    Plugin Author oferwald

    (@oferwald)

    Please provide more details; also, feel free to wrap that button in a no-translate class.

    Plugin Author oferwald

    (@oferwald)

    What exactly says that?

    Editing is normally done in the front-end UI; you can delete any translation from there.

    Plugin Author oferwald

    (@oferwald)

    Hi,

    I am not quite sure what you mean regarding things disappearing; this normally should not happen. Any caching solution in place?

    Plugin Author oferwald

    (@oferwald)

    You will find a bunch of semi-transparent icons at the end of your HTML; the metadata should probably be there (if it does not appear elsewhere).

    Plugin Author oferwald

    (@oferwald)

    I knew I would be wasting my time on this, but I was curious, so I signed in, validated using some one-time email, agreed to sell my soul (maybe) and got their report.

    I will give you an example of a medium priority bug in the “report”:
    The POST parameter ‘_wp_http_referer’ is received in line 829 of the file transposh-translation-filter-for-wordpress/wp/transposh_admin.php in the method transposh_plugin_admin::on_save_changes().

    This is titled an “open redirect” and given a medium priority, and here is the “explanation” with lots of bells and whistles:
    An open redirect vulnerability occurs when unsanitized user input is used as a URL in a redirect operation. An attacker can craft a malicious link to the affected domain that will then redirect to a malicious domain without the user’s awareness. The malicious domain could serve malware or a phishing website. Furthermore, JavaScript can be executed in the victim’s browser by prepending a javascript: protocol handler to the URL. To prevent this, all allowed URLs for redirection should be validated against a whitelist.

    After reading this, you might get really worried, since the attacker can craft a malicious link to your site that will redirect somewhere, muhahahah!

    However, it is not taken into account that this is a redirection that happens in your admin pages, right after saving the parameters of a changed settings page.
    This function is not accessible from the outside and can never be used in the described way, and since the redirect happens on one’s own site, whitelisting the site does not really make much sense anyhow, so I can change the code to bypass this.

    I also have 97 reports on “information leakage” that will happen when you are enabling logging in some special way, and a severe SQL injection that can only be triggered if you are the admin of your site. (I will fix it just to reduce my score, not that it will change anything meaningful.)

    I will spare you the rest of the details here. I cannot give any 100% guarantees regarding the security of the plugin, but the frightening score is just that, frightening, and if you are afraid that the plugin will be used by you to hack your own site, don’t use our plugin and look for alternatives.

    I hope this will conclude the issue for the time being.
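
    The report text quoted in the reply above says redirect targets should be validated against a whitelist. The function below is an added example of what such a check looks like for a same-site redirect after a settings save; it is not Transposh code and not WordPress code, and it is generic Python rather than the plugin’s PHP. The site host, the fallback admin path and the sample POST parameters are constructed for the example. (In WordPress itself this job is normally done by wp_safe_redirect(), which compares the target host against the allowed_redirect_hosts list.)

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed for this example: the only host we consider "our own site",
# and the admin page to fall back to when the referer is unusable.
SITE_HOST = "example.com"
FALLBACK_PATH = "/wp-admin/admin.php?page=settings"  # assumed, not from the page


def safe_redirect_target(candidate: str,
                         site_host: str = SITE_HOST,
                         fallback: str = FALLBACK_PATH) -> str:
    """Return `candidate` if it is a same-site URL, otherwise `fallback`.

    Accepted: absolute-path URLs ("/wp-admin/...") and absolute URLs whose
    scheme is http/https and whose host equals `site_host`.
    Rejected: any other scheme (javascript:, data:, ...), protocol-relative
    "//host" and backslash variants, "http:host" without "//", userinfo
    ("https://evil@example.com"), control characters, and foreign hosts.
    """
    if not isinstance(candidate, str) or not candidate.strip():
        return fallback
    # Browsers treat a backslash as a slash, so "/\evil.com" is "//evil.com".
    c = candidate.strip().replace("\\", "/")
    # CR/LF and other control characters could split the Location header.
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in c):
        return fallback

    parts = urlsplit(c)
    scheme = parts.scheme.lower()
    if scheme and scheme not in ("http", "https"):
        return fallback  # javascript:, data:, vbscript:, ...

    if parts.netloc:
        # Absolute URL: the host must be exactly our own host.
        if (parts.hostname or "").lower() != site_host.lower():
            return fallback
        if parts.username is not None or parts.password is not None:
            return fallback  # "https://example.com@evil.com" style confusion
    elif scheme:
        # "http:evil.com" or "https:///evil.com": scheme but no authority;
        # browsers reinterpret these as a foreign host, so reject them.
        return fallback
    elif not parts.path.startswith("/") or parts.path.startswith("//"):
        # Only absolute paths on our own site are accepted.
        return fallback

    return urlunsplit(parts)


def redirect_after_save(post_params: dict, site_host: str = SITE_HOST) -> str:
    """Pick the post-save redirect from the _wp_http_referer POST field."""
    return safe_redirect_target(post_params.get("_wp_http_referer", ""), site_host)


if __name__ == "__main__":
    # Constructed inputs: one legitimate referer and a few hostile ones.
    for referer in ["/wp-admin/admin.php?page=plugin",
                    "https://example.com/wp-admin/",
                    "https://evil.com/", "//evil.com/", "/\\evil.com",
                    "javascript:alert(1)", "http:evil.com"]:
        print(f"{referer!r:40} -> {redirect_after_save({'_wp_http_referer': referer})}")
```

    Whether this check matters at all still depends on who can reach the handler: if the save action is guarded by a capability check and a nonce, as the reply describes for an admin settings page, the only person who can supply the parameter is the administrator saving the form.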

    Plugin Author oferwald

    (@oferwald)

    Hi,

    That is your call. If someone had told me my code was not secure, I would most definitely be interested to hear about it. But if someone had issued a report detailing the fact that my code was never secure from version 0.0.1, and required me to register on some site, I would pass.

    Good luck with your search,

    Plugin Author oferwald

    (@oferwald)

    I don’t want to waste my time on this, and don’t want to register on their site and share any information with them (security, or not security?). There was one time that an XSS (cross-site scripting) issue was discovered in this plugin; the finders approached me and explained the problem, which I fixed. If those coderisk guys have anything, they can contact me (or any other developer with such “extreme risk”) and make the world a better place.

    I am not saying that there are no security issues with the plugin, or that I think it is 1000% safe. But as far as I know it is, and I don’t need static reports that always find something to tell me otherwise. If you find any security risk (a real one), please let me know, or exploit it, depending on the person you are.

    Plugin Author oferwald

    (@oferwald)

    Hi,

    I am not aware of this link, nor do I know what risks they mean and what is there or not, since there is no information about what this number means.

    My assumption would be that a risk score of 100 means that one can directly go to your blog and screw up everything with little effort, I really did not get any reports of those things happening.

    They might relate to things such as the plugin accessing the referrer URL (to extract the language) as a high risk; I can’t know, and this is the kind of thing that might pop up in such automated scanners while its real-life impact is close to none.

    I will close this topic as resolved, as there are no actionable items for me.

    Plugin Author oferwald

    (@oferwald)

    Hi,

    I think your problem is the very special character ‘😉’; try wrapping it with a no_translate class where it is used.

    Plugin Author oferwald

    (@oferwald)

    That would have happened had you done as I requested. 🙂