Title Settings Additions error or bug
-
If I choose “hyphen” as the Addition in Title Settings, the actual character output to browsers is the en-dash (same as the option to the right of hyphen in your settings options).
-
You’ve got a good eye!
This was discovered a month ago, years after a better implementation of the title, which fixed various double-escaping issues.
No workaround has been found since; because the proposed fixes will yield security implications. Please see this issue for more information:
https://github.com/sybrew/the-seo-framework/issues/400
-
Oh jeez.
You might as well hide that option then. No sense in letting people THINK they are getting a hyphen when they are not.
I spent a lot of time searching through all my settings trying to figure out where that darn en-dash was coming from! And the reason I noticed only now (after using your plugin for months) was seeing it reported through “Smallseotools” SEO checker.
ONE THING THOUGH: If generating a hyphen is a security problem, then what about all those pages and posts that everyone on the interwebs has with hyphens between words? This is now the standard instead of spaces or underscores. if-this-is-an-acceptable-url-then-why-is-your-title-generator-vulnerable?=question
I’m sorry you’ve had to waste so much time! In the future, if you notice anything out of the ordinary, please reach out to me, so we can face it together.
I want to explain why fixing this brings a security issue, and why we can’t fix this easily.
1: Special character support
The SEO Framework supports all languages, all operating systems, and all your visitors’ browsers; this wasn’t by accident. Here’s how the sanitization works:
User-inputted data may contain ampersands and diacritic characters. Ampersands can either be inputted as converted (&amp; text...) or not (& text...). Now, ambiguous ampersands aren’t considered valid in XHTML, nor are diacritic characters on some operating systems; but, we do not want to lose the user-inputted data when fixing these.
So, we first have to “texturize” the title, which converts all meta-characters to corresponding and known values–including the hyphen to an ndash–and then convert the leftover lone ampersands from that process.
When that is finished, we can finally escape the inputted data losslessly, with absolute confidence.
This brings an issue with the hyphen: We have to reroute the sanitization functionality, which brings uncertainty in development, and as such, notorious bugs; including the “context sensitivity” issue mentioned below.
2: Context sensitivity
Edit: bbPress doesn’t allow backticks in code blocks… When you see \u0060, think of a backtick.
For instance, if a user, on a public WordPress multisite network like WordPress.com, decides to set its blog name to
0;xss_function_call();\u0060
and then a blog post title to
<script>var z=1
then the hyphen will be a valid JavaScript character. With those inputs, the title will become:
<script>var z=1-0;xss_function_call();\u0060
The backtick at the end helps convert all HTML code to a “template literal”, only to invalidate all HTML in the content with:
\u0060;</script>
Now, this is an extreme scenario, which is unlikely ever to unfold, as we’ve incorporated a plethora of sanity-checks, in both the front and back-end.
However, rerouting a security-check to support one character isn’t the best way to go. First, we need to rewrite the security functionality, and then we need to perform a full security review.
Note that we sometimes want to unescape the data; for instance, so that we can correctly calculate the values for the pixel and character counters. It took months to get these features both accurate and secure. The example above could very well play a role in this.
So, for now, we know that this process works flawlessly (aside from the hyphen oversight…), and that it requires serious consideration before we tackle the issue.
I hope this clears that up.
As for removing the option altogether: Yes, this is under consideration; but, I’ve been awaiting user feedback before doing so. You just gave me a hard push to act on it.
- This reply was modified 5 years, 9 months ago by Sybre Waaijer. Reason: backtick issues
- This reply was modified 5 years, 9 months ago by Sybre Waaijer. Reason: ampersand issues... bbPress please :(
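A small Python model of the three-stage order described in the reply above (texturize, then lone ampersands, then escape), added here as an illustration and not the plugin’s own PHP. The texturize step is a deliberately simplified stand-in for wptexturize that only handles the spaced hyphen, the separator is assumed to be surrounded by spaces, and the inputs are constructed from the reporter’s case and the multisite scenario; it shows both why the “hyphen” setting comes out as an en dash and what the escaping stage does to the scenario’s markup.

```python
import re

EN_DASH = "\u2013"

# An ampersand that already starts an entity (&amp; &#8211; &#x2013;) is left alone.
_LONE_AMP_RE = re.compile(r"&(?!(?:#\d+|#x[0-9a-fA-F]+|[a-zA-Z][a-zA-Z0-9]*);)")


def texturize(text: str) -> str:
    """Simplified stand-in for wptexturize(): a spaced hyphen becomes an en dash.
    This single rule is what turns the "hyphen" separator into the en dash
    the reporter saw in the rendered page."""
    return text.replace(" - ", f" {EN_DASH} ")


def convert_lone_ampersands(text: str) -> str:
    """Convert every ampersand that is not already an entity to &amp;, so user
    input written either way (& or &amp;) survives without double-encoding."""
    return _LONE_AMP_RE.sub("&amp;", text)


def escape_rest(text: str) -> str:
    """Escape the remaining meta-characters. '&' is deliberately skipped: the
    previous step already normalized it, so touching it again would double-escape."""
    return (text.replace("<", "&lt;").replace(">", "&gt;")
            .replace('"', "&quot;").replace("'", "&#039;"))


def build_title_unsafe(post_title: str, sep: str, blogname: str) -> str:
    """Plain concatenation with no sanitization, shown only for contrast."""
    return f"{post_title} {sep} {blogname}"


def build_title(post_title: str, sep: str, blogname: str) -> str:
    """The order the thread describes: texturize, then lone ampersands, then escape."""
    raw = f"{post_title} {sep} {blogname}"
    return escape_rest(convert_lone_ampersands(texturize(raw)))


if __name__ == "__main__":
    # Constructed inputs: the reporter's case and the thread's multisite scenario.
    print(build_title("Hello", "-", "Blog"))  # separator comes out as an en dash
    print(build_title("Tom & Jerry &amp; Co", "-", "Blog"))  # both ampersand forms kept
    print(build_title_unsafe("<script>var z=1", "-", "0;xss_function_call();`"))
    print(build_title("<script>var z=1", "-", "0;xss_function_call();`"))
```

Keeping a literal hyphen would mean skipping or re-routing the texturize stage for that one character, which is exactly the entanglement with the later ampersand and escape stages that the reply warns about.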
I appreciate your response and great attitude. Thank you for explaining it! (And yes, I DID read it all!)
- The topic ‘Title Settings Additions error or bug’ is closed to new replies.