Hi @designful,
I took a look at your plugin, and it triggers the XSS rule with the parameter fieldform.
We’re not able to whitelist specific plugins at this time, however I can recommend making a very small change to your plugin and this will allow your plugin to work without whitelisting.
1. Edit /assets/js/scc.js on line 512 and change it to:
fontType: fontType, colorPicker: colorPicker, servicepricefontsize: servicepricefontsize, adminsettingsid: adminsettingsid, description: costcalculatordescription, fieldname: fieldName, fieldPreview: JSON.stringify(SectionName), fieldform: btoa(jQuery('#allinputstoadd').html().trim()) },
I added btoa to fieldform: btoa(jQuery('#allinputstoadd').html().trim())
2. Edit /stylish-cost-calculator.php on line 102 and change it to:
$query = $wpdb->prepare( "INSERT INTO {$wpdb->prefix}scc_forms (id, description, formname, ajaxform, formstored) VALUES (NULL, %s, %s, %s, %s)", like_escape($_POST['description']), like_escape($_POST['fieldname']), like_escape(base64_decode($_POST['fieldform'])), like_escape($_POST['fieldPreview']));
I added base64_decode to base64_decode($_POST['fieldform'])
—
What this does is base64-encode the data within fieldform so that it won’t get caught by the firewall; once it reaches your PHP script, it decodes the data back into plaintext for processing.
I just ran a test on my own server and it was not blocked by Wordfence.
Can you give this a try? And if it works, make changes to your plugin?
Dave