Context Navigation

← Previous Changeset
Next Changeset →

Changeset 3212153

Timestamp:

12/23/2024 12:06:24 PM (16 months ago)

Author:

sasiddiqui

Message:

Bump to v2.0.2

Location:

prevent-xss-vulnerability

Files:

: 6 added
: 6 deleted
: 10 edited
: 9 copied

tags/2.0.2 (copied) (copied from prevent-xss-vulnerability/trunk)
tags/2.0.2/admin/class-prevent-xss-vulnerability-admin.php (modified) (4 diffs)
tags/2.0.2/admin/class-prevent-xss-vulnerability-reflected-settings.php (modified) (11 diffs)
tags/2.0.2/admin/class-prevent-xss-vulnerability-self-settings.php (modified) (4 diffs)
tags/2.0.2/admin/index.php (copied) (copied from prevent-xss-vulnerability/trunk/admin/index.php)
tags/2.0.2/assets/css/about-plugins-2.0.0.min.css (deleted)
tags/2.0.2/assets/css/about-plugins-2.0.2.min.css (added)
tags/2.0.2/assets/css/admin-style-2.0.0.min.css (deleted)
tags/2.0.2/assets/css/admin-style-2.0.2.min.css (added)
tags/2.0.2/assets/js/script-2.0.0.min.js (deleted)
tags/2.0.2/assets/js/script-2.0.2.min.js (added)
tags/2.0.2/changelog.txt (copied) (copied from prevent-xss-vulnerability/trunk/changelog.txt) (1 diff)
tags/2.0.2/includes/class-prevent-xss-vulnerability-frontend.php (copied) (copied from prevent-xss-vulnerability/trunk/includes/class-prevent-xss-vulnerability-frontend.php)
tags/2.0.2/includes/class-prevent-xss-vulnerability.php (copied) (copied from prevent-xss-vulnerability/trunk/includes/class-prevent-xss-vulnerability.php) (1 diff)
tags/2.0.2/includes/index.php (copied) (copied from prevent-xss-vulnerability/trunk/includes/index.php)
tags/2.0.2/index.php (copied) (copied from prevent-xss-vulnerability/trunk/index.php)
tags/2.0.2/prevent-xss-vulnerability.php (copied) (copied from prevent-xss-vulnerability/trunk/prevent-xss-vulnerability.php) (2 diffs)
tags/2.0.2/readme.txt (copied) (copied from prevent-xss-vulnerability/trunk/readme.txt) (5 diffs)
trunk/admin/class-prevent-xss-vulnerability-admin.php (modified) (4 diffs)
trunk/admin/class-prevent-xss-vulnerability-reflected-settings.php (modified) (11 diffs)
trunk/admin/class-prevent-xss-vulnerability-self-settings.php (modified) (4 diffs)
trunk/assets/css/about-plugins-2.0.1.min.css (deleted)
trunk/assets/css/about-plugins-2.0.2.min.css (added)
trunk/assets/css/admin-style-2.0.1.min.css (deleted)
trunk/assets/css/admin-style-2.0.2.min.css (added)
trunk/assets/js/script-2.0.1.min.js (deleted)
trunk/assets/js/script-2.0.2.min.js (added)
trunk/changelog.txt (modified) (1 diff)
trunk/includes/class-prevent-xss-vulnerability.php (modified) (1 diff)
trunk/prevent-xss-vulnerability.php (modified) (2 diffs)
trunk/readme.txt (modified) (5 diffs)

Legend:

: Unmodified
: Added
: Removed

prevent-xss-vulnerability/tags/2.0.2/admin/class-prevent-xss-vulnerability-admin.php

-                      r2564460
+                      r3212153
             'Prevent XSS Vulnerability',
             'Prevent XSS Vulnerability',
             'administrator',
+            'activate_plugins',
             'prevent-xss-vulnerability-reflected-settings',
             array( $this, 'reflected_settings' ),
 …
             'Reflected Cross-site scripting Settings',
             'Reflected XSS',
             'administrator',
+            'activate_plugins',
             'prevent-xss-vulnerability-reflected-settings',
             array( $this, 'reflected_settings' )
 …
             'Self Cross-site scripting Settings',
             'Self-XSS',
             'administrator',
+            'activate_plugins',
             'prevent-xss-vulnerability-self-settings',
             array( $this, 'self_xss_settings' )
 …
             'About Cross-site scripting',
             'About',
             'administrator',
+            'activate_plugins',
             'prevent-xss-vulnerability-about',
             array( $this, 'about_xss' )

prevent-xss-vulnerability/tags/2.0.2/admin/class-prevent-xss-vulnerability-reflected-settings.php

-                      r2564460
+                      r3212153
                     <?php
                     esc_html_e(
                         'This Plugin Block/Remove the following Entities in the URL:',
+                        'This plugin blocks or removes the following entities from website URLs:',
                         'prevent-xss-vulnerability'
                     );
 …
                     <?php
                         esc_html_e(
                             'This Plugin Encodes the following Entities in the URL: ',
+                            'This plugin encodes the following entities within website URLs:',
                             'prevent-xss-vulnerability'
                         );
 …
+     *
      * @param string $enabled Whether the escape is enabled or not.
+     *
-     * @return void
      */
     private function get_escape_output( $enabled ) {
 …
                         <?php
                             esc_html_e(
+                                'It strips the HTML in $_GET variable in PHP. So, where ever the $_GET is used in either theme or plugin will get the escaped HTML. It prevents the XSS Attack using HTML and JS Events. If any plugin directly fetching the parameters from the URL without using $_GET variable will get the values without HTML escaped.',
+                                'This plugin strips HTML tags from the $_GET variable in PHP. Consequently, any part of your theme or plugin that utilizes $_GET to retrieve data from the URL will receive the HTML-escaped value. This effectively prevents XSS attacks that exploit HTML and JavaScript events.',
+                                'prevent-xss-vulnerability'
+                            );
+                        ?>
+                    </p>
+                    <p>
+                        <?php
+                            esc_html_e(
+                                'Important Note: If any plugin or custom code directly fetches URL parameters without using the $_GET variable, the retrieved values will not be HTML-escaped by this plugin.',
                                 'prevent-xss-vulnerability'
                             );
 …
     /**
      * Generate Refleccted page note HTML
+     * Generate Reflected page note HTML.
+     *
      * @access private
 …
                 <?php
                     esc_html_e(
                         'Reflected Cross-site Scripting (XSS) occur when an attacker injects browser executable code within a single HTTP response. You can read more about XSS from',
+                        'Reflected XSS occurs when malicious code is injected into a website\'s URL. This code can then be executed by a user\'s browser, potentially stealing information or compromising their system. For more information on XSS, please visit',
                         'prevent-xss-vulnerability'
                     );
 …
                     <?php
                     esc_html_e(
                         'After configuring the settings please check some pages randomly to verify that your site is working as expected.',
+                        'After configuring these settings, please thoroughly test your website by randomly navigating through different pages to ensure all functionalities are working as expected.',
                         'prevent-xss-vulnerability'
                     );
 …
                     <?php
                     esc_html_e(
                         'If you are using WooCommerce, then in that case it is highly recommended to go through with all the steps of the Product Purchase (Cart, Checkout etc) to make sure that your online store is working fine.',
+                        'If you are using WooCommerce, it is crucial to test the entire product purchase process, including cart, checkout, and order completion, to verify that the plugin does not interfere with any core functionalities of your online store.',
                         'prevent-xss-vulnerability'
                     );
 …
      * @access private
      * @since 1.0.0
+     *
-     * @return void
      */
     private function save_reflected_settings() {
 …
      * @access private
      * @since 0.1
+     *
-     * @return void
      */
     private function xss_reflected_settings() {
 …
             <h2>
             <?php
             esc_html_e( 'Reflected Cross-site scripting(XSS) Settings', 'prevent-xss-vulnerability' );
+            esc_html_e( 'Reflected Cross-site Scripting (XSS) Settings', 'prevent-xss-vulnerability' );
             ?>
             </h2>

prevent-xss-vulnerability/tags/2.0.2/admin/class-prevent-xss-vulnerability-self-settings.php

-                      r2564460
+                      r3212153
      * @access private
      * @since 1.0.0
+     *
-     * @return void
      */
     private function save_self_xss_settings() {
 …
      * @access private
      * @since 0.3.0
+     *
-     * @return void
      */
     private function self_xss_settings_page() {
         if ( ! current_user_can( 'administrator' ) ) {
+        if ( ! current_user_can( 'activate_plugins' ) ) {
             wp_die(
                 esc_html_e(
 …
         <div class="wrap">
             <h2>
+            <?php
+            esc_html_e( 'Self-XSS Settings', 'prevent-xss-vulnerability' );
+            ?>
+                <?php esc_html_e( 'Self-XSS Settings', 'prevent-xss-vulnerability' ); ?>
             </h2>
             <div>
+            <p>
+            <?php
+                esc_html_e( 'Self-XSS is a social engineering attack used to gain control of victims\' web accounts. In a self-XSS attack, the victim of the attack unknowingly runs malicious code in their own web browser, thus exposing it to the attacker.', 'prevent-xss-vulnerability' );
+            ?>
+            </p>
+                <p>
+                    <?php
+                    esc_html_e( 'Self-XSS is a type of security vulnerability where an attacker tricks a user into executing malicious code within their own web browser. This can occur through social engineering tactics, such as convincing the user to copy and paste malicious code into their browser\'s console.', 'prevent-xss-vulnerability' );
+                    ?>
+                </p>
+                <p>
+                    <?php
+                        esc_html_e( 'Here\'s a breakdown of how it works:', 'prevent-xss-vulnerability' );
+                    ?>
+                </p>
+                <ol>
+                    <li>
+                        <?php
+                        esc_html_e( 'Social Engineering: The attacker employs social engineering techniques (e.g., phishing, promises of rewards) to convince the victim to perform a specific action.', 'prevent-xss-vulnerability' );
+                        ?>
+                    </li>
+                    <li>
+                        <?php
+                        esc_html_e( 'Code Execution: The victim is tricked into executing the malicious code, often by pasting it into the browser\'s console or through other means.', 'prevent-xss-vulnerability' );
+                        ?>
+                    </li>
+                    <li>
+                        <?php
+                        esc_html_e( 'Compromised Browser: Once executed, the malicious code can potentially steal sensitive information, hijack user sessions, or spread malware.', 'prevent-xss-vulnerability' );
+                        ?>
+                    </li>
+                </ol>
+                <p>
+                    <?php
+                    esc_html_e( 'Self-XSS attacks exploit user trust and curiosity. It\'s crucial for users to be vigilant and avoid executing any code they don\'t fully understand or trust.', 'prevent-xss-vulnerability' );
+                    ?>
+                </p>
             </div>
             <form enctype="multipart/form-data" action="" method="POST" id="reflected-xss">
 …
                     <?php
                         esc_html_e(
                             'Add warning message when users open the web developer console. Leave empty to use default.',
+                            'Customize the warning message that appears in the console. Leave empty to use the default message.',
                             'prevent-xss-vulnerability'
                         );

prevent-xss-vulnerability/tags/2.0.2/changelog.txt

-                      r2772468
+                      r3212153
 This file contains only old changelog. See readme.txt for newer versions.
+= 2.0.0 - Jul 14, 21 =
+  * Bug
+    * [Unable to execute bulk actions of WooCommerce orders when this plugin is enabled](https://wordpress.org/support/topic/unable-to-execute-bulk-actions-of-woocommerce-orders-when-this-plugin-is-enabled/)
+    * [Bulk actions dont work (ie bulk delete pages, images)](https://wordpress.org/support/topic/bulk-actions-dont-work-ie-bulk-delete-pages-images/)
+    * [Facing conflict issue while perform bulk delete option on post](https://wordpress.org/support/topic/facing-conflict-issue-while-perform-bulk-delete-option-on-post/)
+  * Enhancements
+        * [Include other/extra parameters](https://github.com/samiahmedsiddiqui/prevent-xss-vulnerability/issues/3)
+        * Fixed WPCS issues
 = 1.0.0 - Aug 24, 20 =

prevent-xss-vulnerability/tags/2.0.2/includes/class-prevent-xss-vulnerability.php

r2772468	r3212153
19	19	* @var string
20	20	*/
21		public $version = '2.0.1';
	21	public $version = '2.0.2';
22	22
23	23	/**

prevent-xss-vulnerability/tags/2.0.2/prevent-xss-vulnerability.php

-                      r2772468
+                      r3212153
  * Plugin Name: Prevent XSS Vulnerability
  * Plugin URI: https://www.yasglobal.com/web-design-development/wordpress/prevent-xss-vulnerability/
+ * Description: Secure your site from the XSS Attack.
+ * Version: 2.0.1
+ * Description: This WordPress plugin enhances website security by preventing Cross-Site Scripting (XSS) vulnerabilities. It blocks and encodes malicious characters in URLs, escapes HTML in `$_GET` variables, and provides customizable settings for website owners.
+ * Version: 2.0.2
+ * Requires at least: 3.5
+ * Requires PHP: 5.6
  * Author: Sami Ahmed Siddiqui
  * Author URI: https://www.linkedin.com/in/sami-ahmed-siddiqui/
  * License: GPLv3
+ * License URI: https://www.gnu.org/licenses/gpl-3.0.html
+ *
  * Text Domain: prevent-xss-vulnerability
 …
 /**
  *  Prevent XSS Vulnerability - Secure your website from XSS Attacks
  *  Copyright (C) 2017-2021, Sami Ahmed Siddiqui <sami.siddiqui@yasglobal.com>
+ *  Prevent XSS Vulnerability - Secure your website from XSS Attacks.
+ *  Copyright (C) 2017-2024, Sami Ahmed Siddiqui <sami.siddiqui@yasglobal.com>
+ *
  *  This program is free software: you can redistribute it and/or modify

prevent-xss-vulnerability/tags/2.0.2/readme.txt

-                      r3109212
+                      r3212153
 === Prevent XSS Vulnerability ===
 Contributors: sasiddiqui
 Tags: attack, cross-site scripting, security, vulnerability, xss, self-xss
+Tags: attack, cross-site scripting, security, vulnerability, xss
 Requires at least: 3.5
 Tested up to: 6.5
 Stable tag: 2.0.1
+Tested up to: 6.7
+Stable tag: 2.0.2
 License: GPLv3
 License URI: https://www.gnu.org/licenses/gpl-3.0.html
+This WordPress plugin enhances website security by preventing Cross-Site Scripting (XSS) vulnerabilities. It blocks and encodes malicious characters in URLs, escapes HTML in `$_GET` variables, and provides customizable settings for website owners.
 == Description ==
 This plugin provides the functionality for `Reflected XSS` and `Self-XSS`.
+This plugin helps safeguard your website against two common types of Cross-Site Scripting (XSS) vulnerabilities:
+For Reflected XSS, it checks the URL and redirects it if you enabled the `Enable Blocking` option and URL contains any Vulnerable code in it. It only block some parameters which are not allowed in URL and shown Block Parameters section. You can skip some of the parameters from it if you still like them to be used.
+* **Reflected XSS:** In Reflected XSS, malicious scripts are injected into the URL of a website. When a user clicks on a link containing this malicious script, it can be executed on their browser, potentially stealing their information or compromising their system.
+* **Self-XSS:** This occurs when a user's own input on the website is reflected back to them in an insecure manner, allowing malicious scripts to be executed in their browser.
 To provide more security, this plugin also escape the HTML in the `$_GET` parameter which is commonly used to get parameters in PHP from the URL and print them in the HTML. This way, HTML properties will not work if anyone provided it in the URL.
+This plugin provides several layers of protection:
+There are many ways by which the plugin can be tested but it may varies for different sites according to their structure and development functionality.
+=== Block Parameters ===
+This plugin block the following parameters in the URL if enabled from the Plugin Settings page.
+**Blocking:** When enabled, the plugin scans URLs for specific parameters. If any of the listed parameters are found in the URL, the plugin redirects the user to prevent potential XSS attacks. You can customize the list by excluding specific parameters you still want to allow.
 * Opening Round Bracket `(`
 …
 * Closing Curly Bracket `}`
+You can exclude any of the pre-defined parameter(s) or include any other parameter(s) from the Plugin Settings page.
+=== Encode Parameters ===
+This plugin encode the following parameters in the URL if enabled from the Plugin Settings page.
+**Encoding:** For additional security, the plugin encodes certain characters within the URL parameters. This prevents malicious code from being executed even if it's included in the URL. You can also exclude specific parameters from being encoded.
 * Exclamation Mark `!`
 …
 * Closing Curly Bracket `}`
 You can exclude any of the pre-defined parameter(s) to being encoded from the Plugin Settings page.
+**Escaping HTML in `$_GET`:** This plugin automatically escapes HTML characters within the `$_GET` variable. This is crucial if your website retrieves data from URLs and displays it in the HTML content. This helps prevent malicious scripts from being injected through user-controlled input.
 === Escape HTML in `$_GET` Variable ===
+=== Important Notes: ===
+This plugin escape HTML  in `$_GET` variable. `$_GET` variable is mostly used to put the values in HTML from the URL. This Check is quite useful if your site using/getting anything from the URL and printing it in HTML. It secures your Search and other sections as per your site functionality.
+* After activating the plugin, thoroughly test your website forms, especially if you use WooCommerce. Ensure the plugin doesn't disrupt your cart and checkout processes.
+* Bug reports for this plugin are welcome on GitHub: [https://github.com/samiahmedsiddiqui/prevent-xss-vulnerability/issues](). Please note that GitHub is not a support forum, and only genuine bug reports will be addressed.
+> NOTE: Make sure to check your forms after activating the plugin and if you have woocommerce site then please also check the cart and checkout process.
+=== Bug reports ===
+Bug reports for `Prevent XSS Vulnerability` are [welcomed on GitHub](https://github.com/yasglobal/prevent-xss-vulnerability). Please note GitHub is not a support forum, and issues that aren't properly qualified as bugs will be closed.
+By implementing this plugin and following the recommendations, you can significantly enhance your website's security against XSS attacks.
 == Installation ==
 …
 = Q. Why should I install this plugin? =
+A. Installing this plugin is the easiest way to prevent your site from XSS Vulnerability.
+A. Installing this plugin is the easiest way to protect your site from XSS Vulnerabilities.
 = Q. Does this plugin escape HTML in printing search? =
-A. Yes, this plugin escape HTML in `$_GET` variable which is mostly use to print the data from the URL to HTML. If your site is using `$_GET` then it is safe and the HTML will be escaped otherwise you need to check.
+= Q. Does this plugin has any conflict with any other plugin? =
+A. No, this plugin doesn't have any conflict with any plugin.
+A. Yes, this plugin escapes HTML in `$_GET` variable, which is commonly used to print data from the URL to HTML. However, if your site relies heavily on `$_GET` for other purposes, you may need to conduct thorough testing to ensure compatibility.
+= Q. Does this plugin have any conflict with any other plugin? =
+A. While no major conflicts have been reported, it's always a good practice to test your website thoroughly after installing any new plugin.
 == Changelog ==
+= 2.0.2 - Dec 23, 24 =
+Fix minor WPCS issues and change text for better understanding.
 = 2.0.1 - Aug 19, 22 =
 …
     * [Please fix Notices for use in WP_DEBUG mode](https://wordpress.org/support/topic/please-fix-notices-for-use-in-wp_debug-mode/)
-= 2.0.0 - Jul 14, 21 =
-  * Bug
-    * [Unable to execute bulk actions of WooCommerce orders when this plugin is enabled](https://wordpress.org/support/topic/unable-to-execute-bulk-actions-of-woocommerce-orders-when-this-plugin-is-enabled/)
-    * [Bulk actions dont work (ie bulk delete pages, images)](https://wordpress.org/support/topic/bulk-actions-dont-work-ie-bulk-delete-pages-images/)
-    * [Facing conflict issue while perform bulk delete option on post](https://wordpress.org/support/topic/facing-conflict-issue-while-perform-bulk-delete-option-on-post/)
-  * Enhancements
-        * [Include other/extra parameters](https://github.com/samiahmedsiddiqui/prevent-xss-vulnerability/issues/3)
-        * Fixed WPCS issues
 = Earlier versions =

prevent-xss-vulnerability/trunk/admin/class-prevent-xss-vulnerability-admin.php

-                      r2564460
+                      r3212153
             'Prevent XSS Vulnerability',
             'Prevent XSS Vulnerability',
             'administrator',
+            'activate_plugins',
             'prevent-xss-vulnerability-reflected-settings',
             array( $this, 'reflected_settings' ),
 …
             'Reflected Cross-site scripting Settings',
             'Reflected XSS',
             'administrator',
+            'activate_plugins',
             'prevent-xss-vulnerability-reflected-settings',
             array( $this, 'reflected_settings' )
 …
             'Self Cross-site scripting Settings',
             'Self-XSS',
             'administrator',
+            'activate_plugins',
             'prevent-xss-vulnerability-self-settings',
             array( $this, 'self_xss_settings' )
 …
             'About Cross-site scripting',
             'About',
             'administrator',
+            'activate_plugins',
             'prevent-xss-vulnerability-about',
             array( $this, 'about_xss' )

prevent-xss-vulnerability/trunk/admin/class-prevent-xss-vulnerability-reflected-settings.php

-                      r2564460
+                      r3212153
                     <?php
                     esc_html_e(
                         'This Plugin Block/Remove the following Entities in the URL:',
+                        'This plugin blocks or removes the following entities from website URLs:',
                         'prevent-xss-vulnerability'
                     );
 …
                     <?php
                         esc_html_e(
                             'This Plugin Encodes the following Entities in the URL: ',
+                            'This plugin encodes the following entities within website URLs:',
                             'prevent-xss-vulnerability'
                         );
 …
+     *
      * @param string $enabled Whether the escape is enabled or not.
+     *
-     * @return void
      */
     private function get_escape_output( $enabled ) {
 …
                         <?php
                             esc_html_e(
+                                'It strips the HTML in $_GET variable in PHP. So, where ever the $_GET is used in either theme or plugin will get the escaped HTML. It prevents the XSS Attack using HTML and JS Events. If any plugin directly fetching the parameters from the URL without using $_GET variable will get the values without HTML escaped.',
+                                'This plugin strips HTML tags from the $_GET variable in PHP. Consequently, any part of your theme or plugin that utilizes $_GET to retrieve data from the URL will receive the HTML-escaped value. This effectively prevents XSS attacks that exploit HTML and JavaScript events.',
+                                'prevent-xss-vulnerability'
+                            );
+                        ?>
+                    </p>
+                    <p>
+                        <?php
+                            esc_html_e(
+                                'Important Note: If any plugin or custom code directly fetches URL parameters without using the $_GET variable, the retrieved values will not be HTML-escaped by this plugin.',
                                 'prevent-xss-vulnerability'
                             );
 …
     /**
      * Generate Refleccted page note HTML
+     * Generate Reflected page note HTML.
+     *
      * @access private
 …
                 <?php
                     esc_html_e(
                         'Reflected Cross-site Scripting (XSS) occur when an attacker injects browser executable code within a single HTTP response. You can read more about XSS from',
+                        'Reflected XSS occurs when malicious code is injected into a website\'s URL. This code can then be executed by a user\'s browser, potentially stealing information or compromising their system. For more information on XSS, please visit',
                         'prevent-xss-vulnerability'
                     );
 …
                     <?php
                     esc_html_e(
                         'After configuring the settings please check some pages randomly to verify that your site is working as expected.',
+                        'After configuring these settings, please thoroughly test your website by randomly navigating through different pages to ensure all functionalities are working as expected.',
                         'prevent-xss-vulnerability'
                     );
 …
                     <?php
                     esc_html_e(
                         'If you are using WooCommerce, then in that case it is highly recommended to go through with all the steps of the Product Purchase (Cart, Checkout etc) to make sure that your online store is working fine.',
+                        'If you are using WooCommerce, it is crucial to test the entire product purchase process, including cart, checkout, and order completion, to verify that the plugin does not interfere with any core functionalities of your online store.',
                         'prevent-xss-vulnerability'
                     );
 …
      * @access private
      * @since 1.0.0
+     *
-     * @return void
      */
     private function save_reflected_settings() {
 …
      * @access private
      * @since 0.1
+     *
-     * @return void
      */
     private function xss_reflected_settings() {
 …
             <h2>
             <?php
             esc_html_e( 'Reflected Cross-site scripting(XSS) Settings', 'prevent-xss-vulnerability' );
+            esc_html_e( 'Reflected Cross-site Scripting (XSS) Settings', 'prevent-xss-vulnerability' );
             ?>
             </h2>

prevent-xss-vulnerability/trunk/admin/class-prevent-xss-vulnerability-self-settings.php

-                      r2564460
+                      r3212153
      * @access private
      * @since 1.0.0
+     *
-     * @return void
      */
     private function save_self_xss_settings() {
 …
      * @access private
      * @since 0.3.0
+     *
-     * @return void
      */
     private function self_xss_settings_page() {
         if ( ! current_user_can( 'administrator' ) ) {
+        if ( ! current_user_can( 'activate_plugins' ) ) {
             wp_die(
                 esc_html_e(
 …
         <div class="wrap">
             <h2>
+            <?php
+            esc_html_e( 'Self-XSS Settings', 'prevent-xss-vulnerability' );
+            ?>
+                <?php esc_html_e( 'Self-XSS Settings', 'prevent-xss-vulnerability' ); ?>
             </h2>
             <div>
+            <p>
+            <?php
+                esc_html_e( 'Self-XSS is a social engineering attack used to gain control of victims\' web accounts. In a self-XSS attack, the victim of the attack unknowingly runs malicious code in their own web browser, thus exposing it to the attacker.', 'prevent-xss-vulnerability' );
+            ?>
+            </p>
+                <p>
+                    <?php
+                    esc_html_e( 'Self-XSS is a type of security vulnerability where an attacker tricks a user into executing malicious code within their own web browser. This can occur through social engineering tactics, such as convincing the user to copy and paste malicious code into their browser\'s console.', 'prevent-xss-vulnerability' );
+                    ?>
+                </p>
+                <p>
+                    <?php
+                        esc_html_e( 'Here\'s a breakdown of how it works:', 'prevent-xss-vulnerability' );
+                    ?>
+                </p>
+                <ol>
+                    <li>
+                        <?php
+                        esc_html_e( 'Social Engineering: The attacker employs social engineering techniques (e.g., phishing, promises of rewards) to convince the victim to perform a specific action.', 'prevent-xss-vulnerability' );
+                        ?>
+                    </li>
+                    <li>
+                        <?php
+                        esc_html_e( 'Code Execution: The victim is tricked into executing the malicious code, often by pasting it into the browser\'s console or through other means.', 'prevent-xss-vulnerability' );
+                        ?>
+                    </li>
+                    <li>
+                        <?php
+                        esc_html_e( 'Compromised Browser: Once executed, the malicious code can potentially steal sensitive information, hijack user sessions, or spread malware.', 'prevent-xss-vulnerability' );
+                        ?>
+                    </li>
+                </ol>
+                <p>
+                    <?php
+                    esc_html_e( 'Self-XSS attacks exploit user trust and curiosity. It\'s crucial for users to be vigilant and avoid executing any code they don\'t fully understand or trust.', 'prevent-xss-vulnerability' );
+                    ?>
+                </p>
             </div>
             <form enctype="multipart/form-data" action="" method="POST" id="reflected-xss">
 …
                     <?php
                         esc_html_e(
                             'Add warning message when users open the web developer console. Leave empty to use default.',
+                            'Customize the warning message that appears in the console. Leave empty to use the default message.',
                             'prevent-xss-vulnerability'
                         );

prevent-xss-vulnerability/trunk/changelog.txt

-                      r2772468
+                      r3212153
 This file contains only old changelog. See readme.txt for newer versions.
+= 2.0.0 - Jul 14, 21 =
+  * Bug
+    * [Unable to execute bulk actions of WooCommerce orders when this plugin is enabled](https://wordpress.org/support/topic/unable-to-execute-bulk-actions-of-woocommerce-orders-when-this-plugin-is-enabled/)
+    * [Bulk actions dont work (ie bulk delete pages, images)](https://wordpress.org/support/topic/bulk-actions-dont-work-ie-bulk-delete-pages-images/)
+    * [Facing conflict issue while perform bulk delete option on post](https://wordpress.org/support/topic/facing-conflict-issue-while-perform-bulk-delete-option-on-post/)
+  * Enhancements
+        * [Include other/extra parameters](https://github.com/samiahmedsiddiqui/prevent-xss-vulnerability/issues/3)
+        * Fixed WPCS issues
 = 1.0.0 - Aug 24, 20 =

prevent-xss-vulnerability/trunk/includes/class-prevent-xss-vulnerability.php

r2772468	r3212153
19	19	* @var string
20	20	*/
21		public $version = '2.0.1';
	21	public $version = '2.0.2';
22	22
23	23	/**

prevent-xss-vulnerability/trunk/prevent-xss-vulnerability.php

-                      r2772468
+                      r3212153
  * Plugin Name: Prevent XSS Vulnerability
  * Plugin URI: https://www.yasglobal.com/web-design-development/wordpress/prevent-xss-vulnerability/
+ * Description: Secure your site from the XSS Attack.
+ * Version: 2.0.1
+ * Description: This WordPress plugin enhances website security by preventing Cross-Site Scripting (XSS) vulnerabilities. It blocks and encodes malicious characters in URLs, escapes HTML in `$_GET` variables, and provides customizable settings for website owners.
+ * Version: 2.0.2
+ * Requires at least: 3.5
+ * Requires PHP: 5.6
  * Author: Sami Ahmed Siddiqui
  * Author URI: https://www.linkedin.com/in/sami-ahmed-siddiqui/
  * License: GPLv3
+ * License URI: https://www.gnu.org/licenses/gpl-3.0.html
+ *
  * Text Domain: prevent-xss-vulnerability
 …
 /**
  *  Prevent XSS Vulnerability - Secure your website from XSS Attacks
  *  Copyright (C) 2017-2021, Sami Ahmed Siddiqui <sami.siddiqui@yasglobal.com>
+ *  Prevent XSS Vulnerability - Secure your website from XSS Attacks.
+ *  Copyright (C) 2017-2024, Sami Ahmed Siddiqui <sami.siddiqui@yasglobal.com>
+ *
  *  This program is free software: you can redistribute it and/or modify

prevent-xss-vulnerability/trunk/readme.txt

-                      r3109212
+                      r3212153
 === Prevent XSS Vulnerability ===
 Contributors: sasiddiqui
 Tags: attack, cross-site scripting, security, vulnerability, xss, self-xss
+Tags: attack, cross-site scripting, security, vulnerability, xss
 Requires at least: 3.5
 Tested up to: 6.5
 Stable tag: 2.0.1
+Tested up to: 6.7
+Stable tag: 2.0.2
 License: GPLv3
 License URI: https://www.gnu.org/licenses/gpl-3.0.html
+This WordPress plugin enhances website security by preventing Cross-Site Scripting (XSS) vulnerabilities. It blocks and encodes malicious characters in URLs, escapes HTML in `$_GET` variables, and provides customizable settings for website owners.
 == Description ==
 This plugin provides the functionality for `Reflected XSS` and `Self-XSS`.
+This plugin helps safeguard your website against two common types of Cross-Site Scripting (XSS) vulnerabilities:
+For Reflected XSS, it checks the URL and redirects it if you enabled the `Enable Blocking` option and URL contains any Vulnerable code in it. It only block some parameters which are not allowed in URL and shown Block Parameters section. You can skip some of the parameters from it if you still like them to be used.
+* **Reflected XSS:** In Reflected XSS, malicious scripts are injected into the URL of a website. When a user clicks on a link containing this malicious script, it can be executed on their browser, potentially stealing their information or compromising their system.
+* **Self-XSS:** This occurs when a user's own input on the website is reflected back to them in an insecure manner, allowing malicious scripts to be executed in their browser.
 To provide more security, this plugin also escape the HTML in the `$_GET` parameter which is commonly used to get parameters in PHP from the URL and print them in the HTML. This way, HTML properties will not work if anyone provided it in the URL.
+This plugin provides several layers of protection:
+There are many ways by which the plugin can be tested but it may varies for different sites according to their structure and development functionality.
+=== Block Parameters ===
+This plugin block the following parameters in the URL if enabled from the Plugin Settings page.
+**Blocking:** When enabled, the plugin scans URLs for specific parameters. If any of the listed parameters are found in the URL, the plugin redirects the user to prevent potential XSS attacks. You can customize the list by excluding specific parameters you still want to allow.
 * Opening Round Bracket `(`
 …
 * Closing Curly Bracket `}`
+You can exclude any of the pre-defined parameter(s) or include any other parameter(s) from the Plugin Settings page.
+=== Encode Parameters ===
+This plugin encode the following parameters in the URL if enabled from the Plugin Settings page.
+**Encoding:** For additional security, the plugin encodes certain characters within the URL parameters. This prevents malicious code from being executed even if it's included in the URL. You can also exclude specific parameters from being encoded.
 * Exclamation Mark `!`
 …
 * Closing Curly Bracket `}`
 You can exclude any of the pre-defined parameter(s) to being encoded from the Plugin Settings page.
+**Escaping HTML in `$_GET`:** This plugin automatically escapes HTML characters within the `$_GET` variable. This is crucial if your website retrieves data from URLs and displays it in the HTML content. This helps prevent malicious scripts from being injected through user-controlled input.
 === Escape HTML in `$_GET` Variable ===
+=== Important Notes: ===
+This plugin escape HTML  in `$_GET` variable. `$_GET` variable is mostly used to put the values in HTML from the URL. This Check is quite useful if your site using/getting anything from the URL and printing it in HTML. It secures your Search and other sections as per your site functionality.
+* After activating the plugin, thoroughly test your website forms, especially if you use WooCommerce. Ensure the plugin doesn't disrupt your cart and checkout processes.
+* Bug reports for this plugin are welcome on GitHub: [https://github.com/samiahmedsiddiqui/prevent-xss-vulnerability/issues](). Please note that GitHub is not a support forum, and only genuine bug reports will be addressed.
+> NOTE: Make sure to check your forms after activating the plugin and if you have woocommerce site then please also check the cart and checkout process.
+=== Bug reports ===
+Bug reports for `Prevent XSS Vulnerability` are [welcomed on GitHub](https://github.com/yasglobal/prevent-xss-vulnerability). Please note GitHub is not a support forum, and issues that aren't properly qualified as bugs will be closed.
+By implementing this plugin and following the recommendations, you can significantly enhance your website's security against XSS attacks.
 == Installation ==
 …
 = Q. Why should I install this plugin? =
+A. Installing this plugin is the easiest way to prevent your site from XSS Vulnerability.
+A. Installing this plugin is the easiest way to protect your site from XSS Vulnerabilities.
 = Q. Does this plugin escape HTML in printing search? =
-A. Yes, this plugin escape HTML in `$_GET` variable which is mostly use to print the data from the URL to HTML. If your site is using `$_GET` then it is safe and the HTML will be escaped otherwise you need to check.
+= Q. Does this plugin has any conflict with any other plugin? =
+A. No, this plugin doesn't have any conflict with any plugin.
+A. Yes, this plugin escapes HTML in `$_GET` variable, which is commonly used to print data from the URL to HTML. However, if your site relies heavily on `$_GET` for other purposes, you may need to conduct thorough testing to ensure compatibility.
+= Q. Does this plugin have any conflict with any other plugin? =
+A. While no major conflicts have been reported, it's always a good practice to test your website thoroughly after installing any new plugin.
 == Changelog ==
+= 2.0.2 - Dec 23, 24 =
+Fix minor WPCS issues and change text for better understanding.
 = 2.0.1 - Aug 19, 22 =
 …
     * [Please fix Notices for use in WP_DEBUG mode](https://wordpress.org/support/topic/please-fix-notices-for-use-in-wp_debug-mode/)
-= 2.0.0 - Jul 14, 21 =
-  * Bug
-    * [Unable to execute bulk actions of WooCommerce orders when this plugin is enabled](https://wordpress.org/support/topic/unable-to-execute-bulk-actions-of-woocommerce-orders-when-this-plugin-is-enabled/)
-    * [Bulk actions dont work (ie bulk delete pages, images)](https://wordpress.org/support/topic/bulk-actions-dont-work-ie-bulk-delete-pages-images/)
-    * [Facing conflict issue while perform bulk delete option on post](https://wordpress.org/support/topic/facing-conflict-issue-while-perform-bulk-delete-option-on-post/)
-  * Enhancements
-        * [Include other/extra parameters](https://github.com/samiahmedsiddiqui/prevent-xss-vulnerability/issues/3)
-        * Fixed WPCS issues
 = Earlier versions =

Note: See TracChangeset for help on using the changeset viewer.

Trac UI Preferences

Plugin Directory

Context Navigation

Changeset 3212153

Legend:

prevent-xss-vulnerability/tags/2.0.2/admin/class-prevent-xss-vulnerability-admin.php

prevent-xss-vulnerability/tags/2.0.2/admin/class-prevent-xss-vulnerability-reflected-settings.php

prevent-xss-vulnerability/tags/2.0.2/admin/class-prevent-xss-vulnerability-self-settings.php

prevent-xss-vulnerability/tags/2.0.2/changelog.txt

prevent-xss-vulnerability/tags/2.0.2/includes/class-prevent-xss-vulnerability.php

prevent-xss-vulnerability/tags/2.0.2/prevent-xss-vulnerability.php

prevent-xss-vulnerability/tags/2.0.2/readme.txt

prevent-xss-vulnerability/trunk/admin/class-prevent-xss-vulnerability-admin.php

prevent-xss-vulnerability/trunk/admin/class-prevent-xss-vulnerability-reflected-settings.php

prevent-xss-vulnerability/trunk/admin/class-prevent-xss-vulnerability-self-settings.php

prevent-xss-vulnerability/trunk/changelog.txt

prevent-xss-vulnerability/trunk/includes/class-prevent-xss-vulnerability.php

prevent-xss-vulnerability/trunk/prevent-xss-vulnerability.php

prevent-xss-vulnerability/trunk/readme.txt

Download in other formats: