Escaped URL to prevent XSS #1047
Pull request overview
This PR aims to prevent XSS by escaping the “page profiler URL” that gets injected into the inline optimizer/profiler script.
Changes:
- Escapes the current page URL when replacing `Profile::PLACEHOLDER_URL` inside the optimizer script payload.
inc/manager.php
| $hmac = wp_hash( $profile_id . $time . $this->get_current_url(), 'nonce' ); | ||
| $js_optimizer = str_replace( | ||
| [ Profile::PLACEHOLDER, Profile::PLACEHOLDER_MISSING, Profile::PLACEHOLDER_TIME, Profile::PLACEHOLDER_HMAC, Profile::PLACEHOLDER_URL ], | ||
| [ $profile_id, implode( ',', $missing ), strval( $time ), $hmac, $this->get_current_url() ], | ||
| [ $profile_id, implode( ',', $missing ), strval( $time ), $hmac, esc_url( esc_js( $this->get_current_url() ) ) ], | ||
| $js_optimizer |
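Review bot: the escaping order on the `Profile::PLACEHOLDER_URL` replacement line is inverted for its destination context. The value lands inside an inline JavaScript string, so the outermost escaper should be the one for JavaScript, yet `esc_url( esc_js( ... ) )` applies `esc_js()` first and then lets `esc_url()` post-process its output: `esc_url()` entity-encodes `&` (to `&#038;`) and strips characters outside its URL allow-list, including the backslashes `esc_js()` just added. The result is an HTML-entity-encoded string rather than a JavaScript-safe one. Consider `wp_json_encode( esc_url_raw( $this->get_current_url() ) )` (which also emits the surrounding quotes, so the placeholder in the script would need to drop them) or, keeping the current placeholder shape, `esc_js( esc_url_raw( $this->get_current_url() ) )`. Note also that the HMAC two lines above is still computed over the raw `$this->get_current_url()`, so any URL containing `&`, `'` or other altered characters will be embedded in a form that no longer matches the HMAC input; whichever escaping is chosen, either the HMAC must be computed over the same canonical value that is embedded, or the client side must be verified to decode the embedded value back to the raw URL before it is checked.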
This change alters how the page profiler URL placeholder is rendered into the inline optimizer script, but there doesn’t appear to be any unit coverage asserting that replace_content() outputs a valid optimizer payload when the profiler is enabled (e.g., that pageProfileUrl is correctly escaped and remains consistent with the HMAC inputs). Consider adding a PHPUnit test that enables the profiler, runs replace_content(), and asserts the produced script contains a correctly encoded URL value (and does not contain HTML entity encoding that would change the value).
🎉 This PR is included in version 4.2.4 🎉 The release is available on GitHub release.

Your semantic-release bot 📦🚀
All Submissions:
Changes proposed in this Pull Request:
Escaped the page profiler URL to prevent cross-site scripting.
Closes https://github.com/Codeinwp/optimole-service/issues/1688
Other information: