Any form posting all data into cookies (security risk)
Closed this issue · 7 comments
Hey!
So it would appear as though Super Cat is using cookies to submit all the data that is sent in forms. This is a fairly large security risk for starters, and more importantly the module should probably only set headers for pages and forms that are actually registered with Super Cat.
I discovered this while using the admin form for WP Rocket and finding that I was receiving HTTP 413 errors. This was because when submitting the configuration Super Cat was taking all the form details and posting that to cookies. Eeek!
Can we try and resolve this together perhaps?
This function has been disabled some commit ago. Just update!
Cheers.
Actually, I am not certain which you are referring to (function wise) but you are still including https://site.com/wp-content/plugins/elementor-super-cat/assets/js/generic.js?ver=5.3
This is the culprit that I am referring to that gobbles all post content. I //am// using the latest version but am still seeing this function being added to the header, which in turn obviously makes it be called... I don't mind helping to trouble shoot it as I have helped provide patches before... I just don't want to close this in haste.
Can you reopen the issue?
Further debugging I can see that you are still actually still registering the culprit here
elementor-super-cat/plugin.php
Line 119 in 3f19ca2
elementor-super-cat/plugin.php
Line 120 in 3f19ca2
Therefore, it is still going to run as a registration and enqueue still means that it is added to the queue.
It is, but the js is empty (commented out, rn)
https://github.com/dettogatto/elementor-super-cat/blob/master/assets/js/generic.js
Ok! I can see that now. Wouldn't it be better just to completely remove it since you are essentially enqueue a file that is supposedly empty and technically downloaded (which effects Google Pagespeed).
I couldn't see that it was empty I believe because I couldn't clear the cache due to it being there before.. but can confirm in the latest update all is good besides my point above about completely removing it.
I double checked this again and actually because you enqueue the file it still gets sent. This is less of a security risk and more of an issue related to speed I think. Is there any reason you don't want to remove it?