Fix. ContactEncoder. Edits made in the shortcode omitted from encoding#815
Open
AntonV1211 wants to merge 1 commit into
Open
Fix. ContactEncoder. Edits made in the shortcode omitted from encoding#815AntonV1211 wants to merge 1 commit into
AntonV1211 wants to merge 1 commit into
Conversation
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## dev #815 +/- ##
============================================
+ Coverage 26.46% 26.53% +0.06%
- Complexity 5667 5677 +10
============================================
Files 269 269
Lines 24240 24264 +24
============================================
+ Hits 6416 6439 +23
- Misses 17824 17825 +1 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
AntonV1211
requested review from
Glomberg,
alexander-b-clean,
alexandergull and
svfcode
Contributor
There was a problem hiding this comment.
Pull request overview
This PR updates the ContactsEncoder “skip encoding” shortcode handling to reduce XSS risk during shortcode decoding and to avoid processing shortcodes that appear inside HTML tag/attribute contexts.
Changes:
- Sanitizes shortcode callback output (escape decoded value; sanitize fallback HTML).
- Skips
changeContentAfterEncoderModify()processing when the shortcode appears inside an HTML tag/attribute context. - Adds PHPUnit coverage for sanitization behavior and for detecting shortcode offsets inside/outside HTML tags.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
lib/Cleantalk/ApbctWP/ContactsEncoder/Shortcodes/ExcludedEncodeContentSC.php |
Escapes decoded output, sanitizes fallback output, and adds HTML-tag-context detection to avoid unsafe processing. |
tests/ApbctWP/ContactsEncoder/Shortcodes/ExcludedEncodeContentSCTest.php |
Adds teardown cleanup plus tests for sanitization and HTML-tag-context detection/skip behavior. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| return $content; | ||
| } | ||
|
|
||
| $pattern = '/\[apbct_skip_encoding\](.*?)\[\/apbct_skip_encoding\]/s'; |
Comment on lines
+131
to
+140
| public function isOffsetInsideHtmlTag($content, $offset) | ||
| { | ||
| $before = substr($content, 0, $offset); | ||
|
|
||
| $last_open = strrpos($before, '<'); | ||
| $last_close = strrpos($before, '>'); | ||
|
|
||
| return $last_open !== false && | ||
| ($last_close === false || $last_open > $last_close); | ||
| } |
Comment on lines
+86
to
+96
| /** | ||
| * Checks whether any shortcode occurrence is located inside an HTML tag. | ||
| * | ||
| * This validation prevents shortcode processing from HTML attribute contexts | ||
| * which could lead to attribute injection or mutation-XSS issues. | ||
| * | ||
| * @param string $content The content to validate. | ||
| * @return bool True if any shortcode boundary is detected inside an HTML tag. | ||
| */ | ||
| protected function isShortcodeInsideHtmlTag($content) | ||
| { |
Comment on lines
+284
to
+294
| /** | ||
| * Test that decoded email with HTML entities is properly escaped | ||
| */ | ||
| public function testCallbackEscapesDecodedDataWithHtmlChars(): void | ||
| { | ||
| // Test with content that has HTML special chars in a non-encoded context | ||
| $content = '<span data-original-string="nonexistent_encoded_data">test</span>'; | ||
| $result = $this->exclude_content_sc->callback([], $content, ''); | ||
| // Even if decoding fails, fallback should be sanitized | ||
| $this->assertStringNotContainsString('<script>', $result); | ||
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
https://app.doboard.com/1/task/49320