thaikolja
Forum Replies Created
Forum: Plugins
In reply to: [Secondary Title] Where’s 2.1.0
Hi,
I’ve just realized that I had a mix-up when I committed the changes to the plugin repository.
It should now be displayed everywhere as 2.1.0.
Forum: Plugins
In reply to: [Secondary Title] Beta version test
Hi @blackboxz,
The beta version is already done. However, after posting the link here, the mods, I presume, deleted it again (I don’t know why; it must have been one of their rules).
If you’d still like to test it, which I’d be happy for, please contact me via my email address kolja.nolte on gmail.com.
Forum: Plugins
In reply to: [Secondary Title] Cross Site Scripting (XSS) vulnerability ?
As we speak. Wanna be a beta tester?
Forum: Plugins
In reply to: [Secondary Title] Cannot display subtitle
Is this still a thing? If yes, please explain it so I can reproduce it.
Forum: Plugins
In reply to: [Secondary Title] Cross Site Scripting (XSS) vulnerability ?
All updates will go through the default WP update page.
Forum: Plugins
In reply to: [Secondary Title] Shortcode showing wrong subtitles on Blog Home
Hi @immaterial,
I’m sorry, I did not manage to reproduce the issue you had.
Do you think it’s possible to send me a zipped version of your actual site for me to download so I can tinker around until it works?
Forum: Plugins
In reply to: [Secondary Title] Shortcode showing wrong subtitles on Blog Home
That’s strange since Gutenberg blocks (and that’s what’s rendered on the front-page) should strip shortcodes (unless it’s the actual shortcode block).
Can you please tell me where exactly you’re using the shortcode? I’m testing it by adding the shortcode into the first paragraph so it’s automatically added to the core/post-excerpt block, as seen here.
Forum: Plugins
In reply to: [Secondary Title] Shortcode showing wrong subtitles on Blog Home
So, when you use the shortcode, it displays a wrong secondary title on your home (index) page? I’m asking because here, it doesn’t display anything at all. This must have something to do with WP’s relatively new FSE templates (<!-- wp:post-excerpt /-->).
Forum: Plugins
In reply to: [Secondary Title] Shortcode showing wrong subtitles on Blog Home
Hi @immaterial,
Thanks for bringing this to my attention. I’ll try to replicate this issue and get back to you shortly. If there’s anything I need to take into account in order to reproduce it, please let me know.
Forum: Plugins
In reply to: [Secondary Title] Cross Site Scripting (XSS) vulnerability ?
Hi @all,
I will implement a fix for the XSS vulnerability soon. Since there’s no real way around it, I’ll restrict the usage of HTML to the settings page only.
Thanks for all your suggestions.
Forum: Plugins
In reply to: [Secondary Title] Cross Site Scripting (XSS) vulnerability ?
Hi @kdowns,
Thanks for taking the time and giving your advice.
Unfortunately, most users do use HTML within the secondary title. Stripping tags would therefore render the plugin more or less useless. The only thing I can think of is to decouple the formatting part to the settings page, as you’ve pointed out. Any specific advice on this?
Forum: Plugins
In reply to: [Secondary Title] Cross Site Scripting (XSS) vulnerability ?
Hi @blackboxz and others,
To be honest, I am considering giving it up. Being a plugin developer for WordPress in 2023 is different than how it was when I made Secondary Title a couple of years ago. The community has changed as well; instead of feedback, I only hear demands as if I had a legal responsibility to keep the plugin up to date until I die. You can see an example in @show-up-strong’s post.
In addition to that, I’m unable even to offer the help I want to give the users of my plugin because it violates WP.org’s forum rules. My comments regularly get moderated and only become visible once mods have checked them. I was also threatened that my account would be deleted. This has left a bitter taste and pushed me even further away from the WP community.
The security issue is another thing. Unfortunately, I’ve never been informed by the auditor and to this day have zero information on what exactly has to be fixed. There’s only one way to eliminate any possible XSS scenarios, which is escaping sequences for user input (title format or the secondary title itself), which would render the entire “Title format” feature of the plugin useless.
That’s why I’m asking myself: is this all still worth it?
Forum: Plugins
In reply to: [Secondary Title] Cross Site Scripting (XSS) vulnerability ?
Hi all,
I’m working on it as we speak. However, those companies aren’t really revealing ANY data whatsoever that could at least help reproduce the attack. Until then, I have to keep digging.
Small gain: The vulnerability is not very high.
If you’d like to help, I would find a copy of your “Health Manager” diagnosis text report helpful.
Forum: Plugins
In reply to: [Secondary Title] Cannot display subtitle
Sorry for being so late, but I will still fix this.
Forum: Plugins
In reply to: [Secondary Title] Make Secondary Title WPML Compatible
Hi @marekvbeek,
Sorry for getting back to you so late.
That’s definitely something on my list. It sounds like you have development knowledge yourself, so feel free to fork, and I’ll merge it since I can’t devote my entire day to this.