Pascal Birchler
Forum Replies Created
Forum: Plugins
In reply to: [Plugin Check (PCP)] Uploading data files
Security-wise, move_uploaded_file doesn’t really do much validation, and people usually use it without any additional validation either. Then there are also reliability issues on certain filesystem setups with different permissions etc. For these reasons it’s always advisable to use the functions provided by WordPress for such things. Then you are on the safe side.
For specific questions about plugin submission, please ask in the #pluginreview Slack channel.
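The reply above recommends the WordPress upload functions over a bare move_uploaded_file() call. The following is an added example, not code from the thread or from the Plugin Check plugin, showing what that looks like in a plugin. The form field name, nonce action and the allowed MIME list are assumptions chosen for the example.

```php
<?php
/**
 * Added example (not code from the forum thread): handling an uploaded data
 * file through wp_handle_upload() instead of calling move_uploaded_file().
 *
 * Assumptions (not in the original post): the plugin renders a form with a
 * file input named "my_plugin_data_file" and a nonce field
 * "my_plugin_upload_nonce" created with wp_nonce_field( 'my_plugin_upload', ... ).
 */
function my_plugin_handle_data_upload() {
    // Capability and nonce checks come first; no upload helper does these for you.
    if ( ! current_user_can( 'upload_files' ) ) {
        return new WP_Error( 'forbidden', 'You are not allowed to upload files.' );
    }
    if ( ! isset( $_POST['my_plugin_upload_nonce'] )
        || ! wp_verify_nonce( $_POST['my_plugin_upload_nonce'], 'my_plugin_upload' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid request.' );
    }
    if ( empty( $_FILES['my_plugin_data_file'] ) ) {
        return new WP_Error( 'no_file', 'No file was uploaded.' );
    }

    // wp_handle_upload() lives in wp-admin/includes/file.php, which is not
    // loaded on front-end requests.
    if ( ! function_exists( 'wp_handle_upload' ) ) {
        require_once ABSPATH . 'wp-admin/includes/file.php';
    }

    $overrides = array(
        // The nonce is verified above, so skip the default "_wpnonce" form check.
        'test_form' => false,
        // Only the data formats this plugin actually parses (constructed list).
        'mimes'     => array(
            'csv'  => 'text/csv',
            'json' => 'application/json',
        ),
    );

    // wp_handle_upload() confirms the file really came from this request
    // (is_uploaded_file), checks the PHP upload error code, validates the
    // extension/MIME pair via wp_check_filetype_and_ext(), sanitizes the file
    // name, picks a unique name inside the uploads directory and moves the
    // file there with permissions derived from the directory's own mode.
    $result = wp_handle_upload( $_FILES['my_plugin_data_file'], $overrides );

    if ( isset( $result['error'] ) ) {
        return new WP_Error( 'upload_failed', $result['error'] );
    }

    // On success $result holds 'file' (absolute path), 'url' and 'type'.
    return $result;
}
```

The two points the reply makes map directly onto this: the validation (source, error code, type, name) is done inside wp_handle_upload(), and the destination and permissions come from wp_upload_dir(), so the code behaves the same across hosts with different filesystem setups.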
Forum: Plugins
In reply to: [Plugin Check (PCP)] Question about direct database call warnings
These are warnings because it means you probably want to take a closer look at the code in question and decide whether they really apply in your use case or not. The checks are static as they don’t actually run your code, so they can’t know whether you are already using caching for example.
Since you have your own custom database tables, there’s obviously no way around doing direct database calls, so I’d say you can ignore the first one.
The caching recommendation depends very much on how your plugin is set up, what the code does, how often it runs etc. The idea behind it is that caching expensive queries in an external object cache is oftentimes cheaper than fetching it from the database every single time.
This particular query looks very simple though, so you probably don’t get any benefit from simply caching that one alone. But again, depends on the larger context. It can’t hurt to read up on the cache API documentation though to see for yourself 🙂
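The reply above describes wrapping a query against a plugin's own table in the object cache and stresses that whether it pays off depends on context. The following is an added example, not code from the thread or from the Plugin Check plugin, showing the cache-read, query, cache-write pattern together with the invalidation path that makes it safe. The table name, its columns and the cache group are assumptions chosen for the example.

```php
<?php
/**
 * Added example (not code from the forum thread): a direct query against a
 * plugin-owned table wrapped in the WordPress object cache.
 *
 * Assumptions (not in the original post): the plugin owns a table
 * "{$wpdb->prefix}my_plugin_items" with columns id, status and created_at.
 */

const MY_PLUGIN_CACHE_GROUP = 'my_plugin';

/**
 * Return the ids of items with the given status, cached for five minutes.
 */
function my_plugin_get_item_ids_by_status( $status ) {
    global $wpdb;

    // The cache key must include every input that changes the result.
    $cache_key = 'item_ids_' . md5( $status );

    $found = false;
    $ids   = wp_cache_get( $cache_key, MY_PLUGIN_CACHE_GROUP, false, $found );
    if ( $found ) {
        return $ids; // Cache hit: no database round trip.
    }

    $table = $wpdb->prefix . 'my_plugin_items';

    // Table names cannot be placeholders; only the value goes through prepare().
    $ids = $wpdb->get_col(
        $wpdb->prepare( "SELECT id FROM {$table} WHERE status = %s ORDER BY created_at DESC", $status )
    );
    $ids = array_map( 'intval', $ids );

    // An empty result is still worth caching; $found above tells it apart from a miss.
    wp_cache_set( $cache_key, $ids, MY_PLUGIN_CACHE_GROUP, 5 * MINUTE_IN_SECONDS );

    return $ids;
}

/**
 * Invalidate the cached list for one status. Every code path that inserts,
 * updates or deletes items has to call this, otherwise readers see stale
 * data for up to the expiry time.
 */
function my_plugin_flush_item_cache( $status ) {
    wp_cache_delete( 'item_ids_' . md5( $status ), MY_PLUGIN_CACHE_GROUP );
}

function my_plugin_set_item_status( $id, $old_status, $new_status ) {
    global $wpdb;

    $wpdb->update(
        $wpdb->prefix . 'my_plugin_items',
        array( 'status' => $new_status ),
        array( 'id' => (int) $id ),
        array( '%s' ),
        array( '%d' )
    );

    // Both the old and the new status lists have changed.
    my_plugin_flush_item_cache( $old_status );
    my_plugin_flush_item_cache( $new_status );
}
```

Two caveats match the reply's "depends on the larger context": without a persistent object cache drop-in, wp_cache_* only lives for the current request, so the saving is limited to repeated calls within one page load; and for a query as cheap as the one discussed, the extra invalidation code may cost more in bugs than the query costs in time.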
Forum: Plugins
In reply to: [Plugin Check (PCP)] Confused by warning
AFAIK you can use WP in a plugin name, but it’s kinda pointless/redundant. It already is a WordPress plugin, no need to mention in the title that it’s for WordPress.
I recommend asking in the #pluginreview Slack channel if you have more questions or a concrete example.
Forum: Plugins
In reply to: [Plugin Check (PCP)] Does it really have to pass all checks?
It’s impossible to say what your plugin does differently vs. others without being able to actually look at either of them.
Generally speaking the “Plugin repo” check is the important one for plugin directory submission. If you have any clarifying questions, I recommend asking in the #pluginreview Slack channel.
Personally I don’t see why you would want to have .htaccess files in your plugin; it doesn’t make sense to me.
Hi there,
Do you perhaps have any steps to reproduce for us, which plugin is this happening for?
Forum: Plugins
In reply to: [Web Stories] Translating Web Stories to RU
Hi there,
Can you please share the link to your website?
Also, please share your Site Health information from WordPress admin -> Tools -> Site Health -> Info -> Copy to clipboard.
Usually situations like this exist because of some outdated PHP version or extension. Try a different version or ask your hosting provider to update your PHP version to the latest version.
Also test to see if this still occurs with all other plugins disabled.
Awesome, thanks a lot for your contribution!
Forum: Plugins
In reply to: [Web Stories] Deleting Plugin Affect Existing Stories?
Hi there,
If you deactivate or uninstall the plugin, your existing stories will no longer work as they will no longer be accessible.
Forum: Plugins
In reply to: [Web Stories] Webstories as carousell
Web Stories Widgets For Elementor is developed by a third party, not by us. If it doesn’t support certain features, you need to reach out to their support.
The Web Stories plugin itself has a dedicated block for the block editor, which does support things like a carousel.
Forum: Plugins
In reply to: [Web Stories] amp story missing tag
Hi there,
Did you set a default logo in the settings? In the editor under the “Document” tab, did you also choose a logo? Please share a screenshot of what you see in the settings and in the editor. Thanks!
I don’t know how you came up with amp_story_attributes, but that filter does not exist, nor would you need to add any PHP code to add the publisher logo.
Hi there,
This is the support forum for the Web Stories plugin. For general questions and help with things like the Gallery block, please use the general “Fixing WordPress” forum.
FWIW, I don’t think the Gallery block supports videos. It only supports images, so you will need to add actual images to it.
Hi there,
How is this related to Web Stories? You do not appear to be using the Web Stories plugin.
Forum: Plugins
In reply to: [Preferred Languages] Version 2.2.2 has an XSS vulnerability
FWIW, while this is still a core issue (tracked in https://core.trac.wordpress.org/ticket/61341) and this whole report was incorrect and this plugin already does all the usual input sanitization, I went ahead and added some extra hardening to the plugin just so Patchstack will fix their report.
Forum: Plugins
In reply to: [Preferred Languages] Version 2.2.2 has an XSS vulnerability
Ugh, Patchstack.
I already told them this privately, but here we go again:
There is no bug in this plugin itself.
You can get the same behavior by updating the WPLANG option to ‘);alert(‘XSS’);console.log(‘ in wp_options and then going to the post editor. Same effect.
The script execution happens because of this line here where Moment.js is localized: https://github.com/WordPress/wordpress-develop/blob/3d139fdf61ae62b51ac26ad28fd2efd89758f173/src/wp-includes/script-loader.php#L144-L145
So if anything, this needs hardening in WordPress core. However, self-XSS issues within wp-admin requiring users with unfiltered_html capability are not under the scope of the WordPress HackerOne program. So a public trac ticket for wrapping the usage there in esc_js() is probably the best option.
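The reply above locates the problem in an inline script that embeds the locale value into a JavaScript string literal and suggests esc_js() as the fix. The following is an added example, not WordPress core's code and not the plugin's, showing the same pattern in simplified form once unescaped and twice hardened. The function names are assumptions; the Moment.js call and the WordPress escaping functions are real.

```php
<?php
/**
 * Added example (not WordPress core's code): a locale value placed inside an
 * inline script. Sanitizing the value as "a locale string" on input is not
 * enough; anything that lands inside a JavaScript string literal has to be
 * escaped for that output context.
 *
 * Assumption (not in the original post): $locale comes from get_locale(),
 * i.e. ultimately from the WPLANG option, and is treated as untrusted here.
 */

// For comparison only: the value can terminate the string literal, so the
// remainder of the value is parsed as JavaScript code.
function my_plugin_moment_locale_script_unescaped( $locale ) {
    return "moment.updateLocale('" . $locale . "', {});";
}

// Hardened with esc_js(): quotes, backslashes and line breaks are escaped
// for use inside a single-quoted JavaScript string.
function my_plugin_moment_locale_script_escaped( $locale ) {
    return "moment.updateLocale('" . esc_js( $locale ) . "', {});";
}

// Alternative: let wp_json_encode() emit the whole literal, quotes included.
// PHP's json_encode() escapes forward slashes by default, so a closing
// </script> inside the value comes out as <\/script> and cannot break out
// of the script element either.
function my_plugin_moment_locale_script_json( $locale ) {
    return 'moment.updateLocale(' . wp_json_encode( $locale ) . ', {});';
}

// Attach the hardened script to the registered "moment" handle instead of
// echoing a <script> tag by hand.
function my_plugin_enqueue_moment_locale() {
    $locale = get_locale();
    wp_add_inline_script( 'moment', my_plugin_moment_locale_script_json( $locale ) );
}
add_action( 'wp_enqueue_scripts', 'my_plugin_enqueue_moment_locale' );
```

The point the reply makes survives here: the plugin that writes the option can sanitize all it wants, but the place that renders the value into script is where the escaping has to happen, which is why the fix belongs in core.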
Forum: Plugins
In reply to: [Web Stories] Amp plugin for webstories
You do not need to use AMP on the rest of your website if you want to use Web Stories. It is a self-contained plugin, so you do not need any additional AMP plugin.