• Resolved marcing00

    (@marcing00)


    Good morning,
    I recently installed this theme. What I discovered is that by looking at the page source, the theme includes some javascript which is exposing some information about life links which could be run by an attacker.

    I’m wondering if there is a workaround to either hide this/improve the theme or remove it?

    Here is an example from my testing site:

    ————————–
    <script type='text/javascript'>
    /* <![CDATA[ */
    var CZRParams = {"assetsPath":"https:\/\/www.my.website.com\/wp-content\/themes\/customizr\/assets\/front\/","_disabled":[],"centerSliderImg":"1","isLightBoxEnabled":"1","SmoothScroll":{"Enabled":true,"Options":{"touchpadSupport":false}},"isAnchorScrollEnabled":"","anchorSmoothScrollExclude":{"simple":["[class*=edd]",".carousel-control","[data-toggle=\"modal\"]","[data-toggle=\"dropdown\"]","[data-toggle=\"czr-dropdown\"]","[data-toggle=\"tooltip\"]","[data-toggle=\"popover\"]","[data-toggle=\"collapse\"]","[data-toggle=\"czr-collapse\"]","[data-toggle=\"tab\"]","[data-toggle=\"pill\"]","[data-toggle=\"czr-pill\"]","[class*=upme]","[class*=um-]"],"deep":{"classes":[],"ids":[]}},"timerOnScrollAllBrowsers":"1","centerAllImg":"1","HasComments":"","LoadModernizr":"1","stickyHeader":"","extLinksStyle":"","extLinksTargetExt":"","extLinksSkipSelectors":{"classes":["btn","button"],"ids":[]},"dropcapEnabled":"","dropcapWhere":{"post":"","page":""},"dropcapMinWords":"","dropcapSkipSelectors":{"tags":["IMG","IFRAME","H1","H2","H3","H4","H5","H6","BLOCKQUOTE","UL","OL"],"classes":["btn"],"id":[]},"imgSmartLoadEnabled":"","imgSmartLoadOpts":{"parentSelectors":["[class*=grid-container], .article-container",".__before_main_wrapper",".widget-front",".post-related-articles",".tc-singular-thumbnail-wrapper"],"opts":{"excludeImg":[".tc-holder-img"]}},"imgSmartLoadsForSliders":"1","pluginCompats":[],"isWPMobile":"","menuStickyUserSettings":{"desktop":"stick_always","mobile":"stick_always"},"adminAjaxUrl":"https:\/\/www.my.website.com\/wp-admin\/admin-ajax.php","ajaxUrl":"https:\/\/www.my.website.com\/?czrajax=1","frontNonce":{"id":"CZRFrontNonce","handle":"72910f34e7"},"isDevMode":"","isModernStyle":"1","i18n":{"Permanently dismiss":"Permanently dismiss"},"frontNotifications":{"welcome":{"enabled":false,"content":"","dismissAction":"dismiss_welcome_note_front"}}};
    /* ]]> */
    </script>
    ————————–

    Marcing

Viewing 3 replies - 1 through 3 (of 3 total)
  • Theme Author presscustomizr

    (@nikeo)

    Hello, the theme uses the WordPress built-in wp_localize_script() function to add javascript variables on front. The values of those variables are then used by the front javascript, typically to add effects or styling.
    The theme does not expose any critical or private data doing so.
    In your example, which type of “life links”, or critical data are you referring to?
    Thanks

    Thread Starter marcing00

    (@marcing00)

    You are right…
    I noticed some links and I thought that this might be because of the theme..

    Example:
    "https:\/\/www.my.website.com\/wp-admin\/admin-ajax.php"

    Looks like it is more for WordPress in general..
    Probably topic is more for WordPress itself…

    Sorry for false alert related to the theme.. I love it anyway

    Theme Author presscustomizr

    (@nikeo)

    OK no worries, this will help users having similar questions.
    The admin-ajax.php URL is the endpoint of the WordPress AJAX API. The URL is the same for any WP website; there’s no problem printing it as a JS var on front.
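    As an added example, not part of this thread or of the Customizr theme's own code: a small audit script that pulls a wp_localize_script() blob such as CZRParams out of saved page source, parses it, and lists what it exposes, so a site owner can check for themselves that only public endpoints, asset paths and a front-end nonce are in there. The HTML sample is constructed from the blob quoted above, and the key-name patterns used to rank findings are assumptions.

```python
import json
import re

# Constructed sample: a trimmed copy of the CZRParams blob quoted in the thread,
# wrapped the way WordPress prints wp_localize_script() output.
SAMPLE_HTML = r"""<script type='text/javascript'>
/* <![CDATA[ */
var CZRParams = {"assetsPath":"https:\/\/www.my.website.com\/wp-content\/themes\/customizr\/assets\/front\/","isLightBoxEnabled":"1","adminAjaxUrl":"https:\/\/www.my.website.com\/wp-admin\/admin-ajax.php","ajaxUrl":"https:\/\/www.my.website.com\/?czrajax=1","frontNonce":{"id":"CZRFrontNonce","handle":"72910f34e7"},"isDevMode":""};
/* ]]> */
</script>"""

LOCALIZED_RE = re.compile(r"var\s+(\w+)\s*=\s*(?=\{)")  # `var NAME = {`, cursor lands on the brace
# Assumed key-name patterns. Credential-looking names are HIGH. Endpoints, asset paths and
# nonces are INFO: a WP nonce is a short-lived per-visitor CSRF token, not a secret, so
# seeing it in page source is expected, as is the admin-ajax.php URL.
HIGH_RE = re.compile(r"secret|password|passwd|api[_-]?key|private|auth[_-]?token", re.I)
INFO_RE = re.compile(r"nonce|url|path", re.I)

def extract_localized_vars(html):
    """Return {var_name: parsed_object} for every `var X = {...}` in the page."""
    decoder, found = json.JSONDecoder(), {}
    for m in LOCALIZED_RE.finditer(html):
        try:
            found[m.group(1)] = decoder.raw_decode(html, m.end())[0]
        except json.JSONDecodeError:
            continue  # not a plain JSON literal; skip rather than guess
    return found

def flatten(obj, prefix=""):
    """Yield (dotted.path, leaf_value) pairs for a nested dict/list."""
    if isinstance(obj, (dict, list)):
        items = obj.items() if isinstance(obj, dict) else enumerate(obj)
        for k, v in items:
            yield from flatten(v, f"{prefix}{k}.")
    else:
        yield prefix.rstrip("."), obj

def classify(path, value):
    if HIGH_RE.search(path):
        return "HIGH"
    if INFO_RE.search(path) or (isinstance(value, str) and value.startswith("http")):
        return "INFO"
    return "OK"

def audit(html):
    """Return [(severity, var.path, value)] for every value that merits a look."""
    return [(sev, f"{name}.{p}", v)
            for name, obj in extract_localized_vars(html).items()
            for p, v in flatten(obj) if (sev := classify(p, v)) != "OK"]
```

    Running audit() over the sample reports only INFO entries (the asset path, the two AJAX URLs and the nonce id/handle), which matches the theme author's point; a key such as apiKey in any localized blob would come back as HIGH.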

  • The topic ‘Theme’s javascript exposing too much’ is closed to new replies.