Fix. SFW. Modules die pages fixed. #820
Codecov Report
❌ Patch coverage is 17.85%. Your patch check has failed because the patch coverage (17.85%) is below the target coverage (70.00%). You can increase the patch coverage or adjust the target coverage.

Coverage Diff (dev vs. #820; no row changes):

              dev       #820     +/-
Coverage      26.68%    26.68%
Complexity    5683      5683
Files         270       270
Lines         24258     24258
Hits          6473      6473
Misses        17785     17785
Pull request overview
This PR updates the Firewall “die page” rendering logic to better escape dynamic values inserted into HTML templates, aiming to prevent unsafe output and fix die-page related issues across SFW/AntiFlood/AntiCrawler modules.
Changes:
- Escapes several user-/request-derived placeholders (IP, request URI, service ID, debug dumps) before injecting them into die-page templates.
- Adjusts request URI retrieval in AntiFlood to use Server::getString('REQUEST_URI').
- Adds/extends escaping in debug output sections.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 10 comments.
| File | Description |
|---|---|
| lib/Cleantalk/ApbctWP/Firewall/SFW.php | Adds escaping for multiple die-page placeholders and debug output. |
| lib/Cleantalk/ApbctWP/Firewall/AntiFlood.php | Escapes die-page placeholders and uses Server::getString() for REQUEST_URI. |
| lib/Cleantalk/ApbctWP/Firewall/AntiCrawler.php | Escapes die-page placeholders and tightens escaping around debug output. |
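The escaping pattern the overview describes, as an added PHP example that is not the plugin's own code: each die-page placeholder is paired with the escaper for the HTML context it lands in (text node, attribute, URL), so the choice is made once in a map rather than at every call site. The template, the placeholder map and the hostile sample values are constructed for the example; esc_html(), esc_attr() and esc_url() are WordPress functions, and the simplified fallbacks below exist only so the script runs outside WordPress (assumption: the real functions take over when loaded).

```php
<?php
// Added example (not Cleantalk plugin code): context-aware escaping of die-page placeholders.
// esc_html/esc_attr/esc_url are WordPress functions; these fallbacks are simplified stand-ins
// so the script runs outside WordPress. Assumption: inside WordPress the real ones are used.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    function esc_url($url) {
        $url    = trim((string) $url);
        $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
        // Only http(s) or scheme-less (relative) URLs survive; javascript:, data: etc. become ''.
        if ($scheme !== '' && !in_array($scheme, ['http', 'https'], true)) {
            return '';
        }
        return htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Hypothetical template (constructed); the plugin loads its real die page from a file.
const DIE_PAGE_TEMPLATE = <<<'HTML'
<html><head><title>{CLEANTALK_TITLE}</title>
<script src="{SCRIPT_URL}"></script></head>
<body>
<p>Your IP {REMOTE_ADDRESS} was blocked while requesting {REQUEST_URI}</p>
<a href="{CLEANTALK_URL}">{CLEANTALK_TITLE}</a>
<img src="{CUSTOM_LOGO}" alt="logo">
</body></html>
HTML;

// Each placeholder is paired with the escaper for the context it lands in.
// A placeholder that carries trusted, server-built markup would be listed with null.
const PLACEHOLDER_CONTEXT = [
    '{CLEANTALK_TITLE}' => 'esc_html',  // text node and title
    '{SCRIPT_URL}'      => 'esc_url',   // src attribute: scheme check plus quoting
    '{REMOTE_ADDRESS}'  => 'esc_html',  // request-derived text
    '{REQUEST_URI}'     => 'esc_html',  // attacker-controlled text
    '{CLEANTALK_URL}'   => 'esc_url',   // href attribute
    '{CUSTOM_LOGO}'     => 'esc_url',   // img src attribute
];

function render_die_page(array $values, string $template = DIE_PAGE_TEMPLATE): string {
    $replacements = [];
    foreach (PLACEHOLDER_CONTEXT as $placeholder => $escaper) {
        $raw = $values[$placeholder] ?? '';
        $replacements[$placeholder] = $escaper === null ? $raw : $escaper($raw);
    }
    // strtr() substitutes in a single pass, so an escaped value can never be
    // re-expanded as a placeholder the way chained str_replace() calls could allow.
    return strtr($template, $replacements);
}

// Constructed hostile input: a request URI carrying a script tag and a javascript: logo URL.
$values = [
    '{CLEANTALK_TITLE}' => 'CleanTalk',
    '{SCRIPT_URL}'      => 'https://example.com/js/apbct.js',
    '{REMOTE_ADDRESS}'  => '203.0.113.7',
    '{REQUEST_URI}'     => '/?q="><script>alert(document.cookie)</script>',
    '{CLEANTALK_URL}'   => 'https://cleantalk.org',
    '{CUSTOM_LOGO}'     => 'javascript:alert(1)',
];
echo render_die_page($values);
```

Running it shows the `<script>` in {REQUEST_URI} entity-encoded into inert text and the `javascript:` logo URL replaced by an empty src; with the real esc_url() the non-allowed scheme is likewise rejected, which is the property esc_html() alone does not give an attribute that holds a URL.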
| '{CLEANTALK_URL}' => $apbct->data['wl_url'], | ||
| '{REMOTE_ADDRESS}' => $result['ip'], | ||
| '{SERVICE_ID}' => $apbct->data['service_id'] . ', ' . $net_count, | ||
| '{CLEANTALK_URL}' => esc_html($apbct->data['wl_url']), |
| '{HOST}' => get_home_url() . ', ' . APBCT_VERSION, | ||
| '{GENERATED}' => '<p>The page was generated at ' . date('D, d M Y H:i:s') . '</p>', | ||
| '{REQUEST_URI}' => $request_uri, | ||
| '{REQUEST_URI}' => esc_html($request_uri), |
| '{TEST_IP}' => '', | ||
| '{REAL_IP}' => '', | ||
| '{SCRIPT_URL}' => $js_url, | ||
| '{SCRIPT_URL}' => esc_html($js_url), |
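Review bot: `'{REMOTE_ADDRESS}' => $result['ip']` and `'{SERVICE_ID}' => $apbct->data['service_id'] . ', ' . $net_count` are still inserted unescaped in this hunk, although the overview lists the IP and service ID among the escaped placeholders; depending on how the IP is derived (proxy headers), the value may be client-influenced and need not look like an address, so wrap both in esc_html(). For `'{SCRIPT_URL}' => esc_html($js_url)`, if the placeholder sits in a `src` attribute, esc_url() is the WordPress escaper for that context (it also drops non-http schemes), whereas esc_html() only entity-encodes.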
| // Custom Logo | ||
| '{CUSTOM_LOGO}' => $custom_logo_img | ||
| '{CUSTOM_LOGO}' => esc_attr($custom_logo_img) |
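Review bot: `'{CUSTOM_LOGO}' => esc_attr($custom_logo_img)` needs a check of what the variable actually holds. The `_img` suffix suggests a ready-made `<img ...>` tag; esc_attr() on markup entity-encodes the angle brackets and the logo would render as literal text instead of an image. If it is markup, escape the URL with esc_url() where the tag is built and keep the placeholder raw; if it is only the image URL placed into a `src` attribute, esc_url() is the fitting choice here too.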
| $debug = '<h1>Headers</h1>' | ||
| . var_export(apache_request_headers(), true) | ||
| . '<h1>REMOTE_ADDR</h1>' |
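Review bot: `var_export(apache_request_headers(), true)` is concatenated into the `<h1>Headers</h1>` block without escaping. Request headers are attacker-controlled, so a header value containing markup is reflected verbatim into the debug page; wrap the dump in esc_html() before concatenation, and apply the same treatment to the REMOTE_ADDR section that follows.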
| '{REQUEST_URI}' => Server::get('REQUEST_URI'), | ||
| '{SERVICE_ID}' => $this->apbct->data['service_id'] . ', ' . $net_count, | ||
| '{CLEANTALK_TITLE}' => esc_html($apbct->data['wl_brandname']), | ||
| '{CLEANTALK_URL}' => esc_html($apbct->data['wl_url']), |
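Review bot: `'{REQUEST_URI}' => Server::get('REQUEST_URI')` and `'{SERVICE_ID}' => $this->apbct->data['service_id'] . ', ' . $net_count` appear unescaped in this hunk while the two lines below them use esc_html(); apply esc_html() to both (including the `Server::getString('REQUEST_URI')` form if that is the final version). Also note the variable mix: the new lines reference `$apbct->data[...]` while the surrounding code uses `$this->apbct->data[...]`; confirm `$apbct` is in scope in this method, otherwise this produces an undefined-variable notice and an empty title and URL on the die page.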
| '{GENERATED}' => '<p>The page was generated at ' . date('D, d M Y H:i:s') . "</p>", | ||
| '{COOKIE_ANTIFLOOD_PASSED}' => md5($result['ip'] . $this->api_key), | ||
| '{SCRIPT_URL}' => $js_url, | ||
| '{SCRIPT_URL}' => esc_html($js_url), |
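Review bot: `'{SCRIPT_URL}' => esc_html($js_url)` goes into a URL context, where esc_url() is the context-appropriate escaper. Unrelated to the escaping work but visible in the hunk: `'{COOKIE_ANTIFLOOD_PASSED}' => md5($result['ip'] . $this->api_key)` builds the pass token from plain md5 over a concatenation; hash_hmac('sha256', $result['ip'], $this->api_key), compared with hash_equals() on verification, is the standard keyed construction and is worth a follow-up task.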
| '{REMOTE_ADDRESS}' => $ip, | ||
| '{SERVICE_ID}' => $this->apbct->data['service_id'] . ', ' . $net_count, | ||
| '{CLEANTALK_TITLE}' => esc_html($apbct->data['wl_brandname']), | ||
| '{CLEANTALK_URL}' => esc_html($apbct->data['wl_url']), |
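Review bot: `'{REMOTE_ADDRESS}' => $ip` and the `{SERVICE_ID}` concatenation remain unescaped in this hunk; wrap both in esc_html(). Same scope question as in AntiFlood: the new lines use `$apbct->data['wl_brandname']` and `$apbct->data['wl_url']` while `{SERVICE_ID}` uses `$this->apbct->data[...]`; check that `$apbct` is defined in this method rather than silently undefined.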
| '{COOKIE_ANTICRAWLER_PASSED}' => '1', | ||
| '{GENERATED}' => '<p>The page was generated at ' . date('D, d M Y H:i:s') . "</p>", | ||
| '{SCRIPT_URL}' => $js_url, | ||
| '{SCRIPT_URL}' => esc_html($js_url), |
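Review bot: `'{COOKIE_ANTICRAWLER_PASSED}' => '1'` is a constant, unlike the AntiFlood token derived from the IP and API key; if the server-side check only compares the cookie against '1', any client that sets that cookie passes the anti-crawler check. That is outside this PR's escaping scope, but it deserves tracking alongside it.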
| $debug = '<h1>Headers</h1>' | ||
| . str_replace("\n", "<br>", print_r(\apache_request_headers(), true)) | ||
| . '<h1>$_SERVER</h1>' | ||
| . str_replace("\n", "<br>", print_r($_SERVER, true)) | ||
| . '<h1>AC_LOG_RESULT</h1>' |
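Review bot: `str_replace("\n", "<br>", print_r(\apache_request_headers(), true))` and the `$_SERVER` dump below it insert attacker-influenced header values into HTML unescaped. Escape before inserting the line breaks so the `<br>` tags survive but header content does not: `str_replace("\n", "<br>", esc_html(print_r(\apache_request_headers(), true)))`, and the same for `$_SERVER`. Also consider whether a full `$_SERVER` dump (paths, environment) should be served to the blocked client at all, even in debug mode.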
https://app.doboard.com/1/task/52032