• Resolved Arlen

    (@bizwriter)


    Hi Joachim – Tried installing your Content Aware Sidebar today (twice) but didn’t work for me either time. What I did experience shortly after via my Wordfence Traffic report was an alert to an XSS attack when I tried making a change to my footer social media icon URLs. That triggered the XSS report each time. I’m just checking in with you b/c I’m trying to eliminate any potential causes of this issue. Appreciate hearing from you, thanks.

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author Joachim Jensen

    (@intoxstudio)

    Thank you for reporting this.

    I have not had any reports of XSS attacks done via Content Aware Sidebars, but I do take your concern seriously.

    The plugin shouldn’t be vulnerable to XSS attacks as it doesn’t add any styles, scripts or images to the frontend, and all “sidebar conditions” are handled with prepared SQL queries and never rely on direct user input.
    The sidebars you create in the plugin are registered the same way “normal” WordPress sidebars are.

    In the backend I use the WordPress capability and nonce functions to check for authentication and authorization.

    Does the XSS alert have any detailed information, such as a path?
    When you say that you got the report when editing a footer social media icon, where did this edit take place? In a widget?

    And as a sidenote, could you briefly explain how the plugin didn’t work for you?
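As an added illustration of the two controls the author describes above (capability plus nonce checks on the admin side, and prepared SQL queries so that sidebar conditions never carry raw user input into the database), here is a minimal WordPress admin handler written in that style. This is example code, not Content Aware Sidebars' own source; the action name, function names, capability, table name and form fields are all assumptions made for the demonstration.

```php
<?php
/**
 * Added example (not the plugin's own code): an admin-side save handler
 * that follows the pattern described in the thread. All identifiers
 * (cas_example_*, the table name, the capability) are hypothetical.
 */

// Hypothetical handler for: wp-admin/admin-post.php?action=cas_example_save
add_action( 'admin_post_cas_example_save', 'cas_example_save_condition' );

function cas_example_save_condition() {
    // 1. The nonce proves the request came from a form this site rendered
    //    for this user (CSRF protection)...
    check_admin_referer( 'cas_example_save', 'cas_example_nonce' );

    // ...and the capability check proves the user is allowed to do this.
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to edit sidebars.', 'cas-example' ), 403 );
    }

    // 2. Sanitize every input field before it is used anywhere.
    $sidebar_id = isset( $_POST['sidebar_id'] ) ? absint( $_POST['sidebar_id'] ) : 0;
    $condition  = isset( $_POST['condition'] ) ? sanitize_key( wp_unslash( $_POST['condition'] ) ) : '';
    $value      = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';

    if ( ! $sidebar_id || '' === $condition ) {
        wp_die( esc_html__( 'Invalid request.', 'cas-example' ), 400 );
    }

    global $wpdb;
    // Table name is built from $wpdb->prefix (site configuration), never from input.
    $table = $wpdb->prefix . 'cas_example_conditions'; // hypothetical table

    // 3. Prepared statement: placeholders for every user-derived value,
    //    no string concatenation of request data into the SQL.
    $wpdb->query(
        $wpdb->prepare(
            "INSERT INTO {$table} (sidebar_id, cond_key, cond_value) VALUES (%d, %s, %s)",
            $sidebar_id,
            $condition,
            $value
        )
    );

    wp_safe_redirect( add_query_arg( 'cas_saved', '1', wp_get_referer() ) );
    exit;
}

// The matching admin form. It emits the nonce field the handler checks,
// and escapes stored values on output: a stored value echoed without
// esc_attr() would be the classic spot for a stored XSS in a plugin.
function cas_example_render_form( $sidebar_id, $current_value = '' ) {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="cas_example_save">
        <?php wp_nonce_field( 'cas_example_save', 'cas_example_nonce' ); ?>
        <input type="hidden" name="sidebar_id" value="<?php echo esc_attr( $sidebar_id ); ?>">
        <label>Condition <input type="text" name="condition" value="post_type"></label>
        <label>Value <input type="text" name="value" value="<?php echo esc_attr( $current_value ); ?>"></label>
        <?php submit_button( __( 'Save', 'cas-example' ) ); ?>
    </form>
    <?php
}
```

When reviewing a plugin for the kind of issue raised in this thread, these are the three places to look: does every admin action call `check_admin_referer()` (or `wp_verify_nonce()`) and `current_user_can()` before doing anything, does every query with request-derived values go through `$wpdb->prepare()`, and is every stored value escaped (`esc_attr()`, `esc_html()`, `esc_url()`) at the point it is printed.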

    Thread Starter Arlen

    (@bizwriter)

Thanks for your quick reply! Good to hear you haven’t had any reports to date. I’m not a coder so my knowledge in that department is limited. When you say detailed info such as a path, the info from the traffic report is this: https://www.mywebsite.com/customize_changeset_uuid=xxxxxxxxx=twentyseventeen-child&customize_messenger_channel=preview-2

    Is that what you mean?

Otherwise, I set up the plugin according to the instructions, but the sidebar did not appear at all on the site. I was replacing the blog page sidebar. I had set the content to single-column display and was trying to add a left sidebar with a search widget.
    Thx

    Plugin Author Joachim Jensen

    (@intoxstudio)

That message sounds like the problem occurs in the Customizer. I would contact Wordfence and ask them about this, and if there is indeed a problem with Content Aware Sidebars, I would of course like to be notified about it, so I can fix it :)

    Currently Content Aware Sidebars does not let you switch the position of a sidebar, only to replace existing ones on specific pages/conditions, or to insert new ones as shortcodes. Switching place would indeed be a good idea, but it would be hard to implement without collaborating with some theme developers.

    Thread Starter Arlen

    (@bizwriter)

Thanks for your follow-up, Joachim. Yes, it could very well be a problem with the Customizer and I will get back in touch if WF finds otherwise. Thanks for clearing up my problem installing your plugin. Ah well, maybe someday there will be a plugin for what I’m trying to do :)

  • The topic ‘Have you had any reported XSS incidents with plugin?’ is closed to new replies.