stephend

If someone can share their PHP settings, that would be useful. I am running PHP 8.1 but do not see any of these errors/warnings. Since I can’t reproduce the issue, I’m left picking off these errors one-by-one as they’re reported, which I don’t think makes anyone happy.

Taking of which: this will be fixed in 1.1.6.

I’ve uploaded an update that will hopefully eliminate the warnings. I have not seen the same issue myself (even after upgrading to PHP 8.1) so I can’t be completely sure that it works. There may still be cases where warnings are shown in the admin screen. I’ll work on that next, when I get the chance.

I’ve uploaded an update that will hopefully eliminate the warnings. I have not seen the same issue myself (even after upgrading to PHP 8.1) so I can’t be completely sure that it works. There may still be cases where warnings are shown in the admin screen. I’ll work on that next, when I get the chance.

As per the other thread, this is something to do with PHP 8.x and/or its configuration.

I have a speculative fix, but I’ve not been able to reproduce the problem on my sites so I can’t be sure that it will work. I might have to release it anyway and see.

If the issue is what I think it is, it’s because something went from being a “notice” in PHP 7.x to “warning” in 8.x. This code has been pretty much unchanged in the plugin since version 0.3, so I’m pretty sure that the warnings were not introduced in the new version this weekend.

It isn’t correct, though, so I will fix when I get the time.

What version of WordPress are you using? What version of PHP are you using?

The thing is, errors you shared reference lines of code that did not change between versions. The only difference is in the admin screen. There are literally no changes in the code that displays the App Banner.

Hopefully this is resolved in 1.1.4.

For those interested, this was more difficult to fix than it might first look. The validation for the affiliate data and app argument is… complicated. There do not seem to be documented rules for what the app argument is, making it difficult to determine what is valid and what is not. I just accept it as text. The app argument is a URL, but you can’t use WordPress built-in validation routines as it is likely a custom URL scheme, and you can only specify an allow-list of valid schemes. In the end, it allows anything that “looks like” a URL but deny-lists Javascript.

This complexity leads to the “hopefully” in the opening paragraph. It is possible that the validation is too strict, and it does not allow some valid options. It’s also possible that the validation is too lax and allows options that it should not.

Let me know if you find either of these cases.

As noted above, the PatchStack link does not have enough information to be able to resolve. Assuming that it’s the same issue noted by chrisaudio, I am working on it.

However, this is only exploitable if you have admin access. And if you already have admin access, you can already display whatever code you want.

I’m unclear if that’s the same vulnerability, but it does actually have enough information to be able to understand it!

I am looking into it. It’s real, but you need admin privileges to do anything with it. Needless to say, if you have admin you can already do what you like.

I’ve been looking into this, but I don’t see any details of the vulnerability.

The banner appears when I view the page. What browser are you using? (It only works in Safari.) Did you see it once and press the ‘X’ in the corner?

I see the banner at the top of the home page. Did you manage to fix it?

For anyone else with the same issue, what I think is going on is this. The list of apps you see in Settings>Smart App Banner are just shortcuts. Deleting entries here does not affect any pages/posts that already use the app.

To change the app used for a page, go to that page and edit the Smart App Banner property for that page, either directly or by choosing the “new” shortcut.

When I look at the page, I see the following tag:

<meta name="apple-itunes-app" content="app-id=ticonnect.net.web">

That the tag is there shows that the plugin is working. However, you have the wrong value in the app-id field. The app-id is the identifier that Apple gave your app. For example, one of mine is “289374576”.

All the plugin does is add some metadata to the web page. The browser then displays (or not) the banner, so, in the general case, this would be an option for Apple or Google to implement. On iOS, if the user taps the ‘X’ to close the banner, it’s not shown again.

If your app has a custom URL scheme, it might be possible to detect that the app is installed but I’ve no immediate plans to try to implement it (and it might not work!).

As far as I know this is a feature of Safari, so no, it doesn’t work in Chrome.

Regards,
Stephen