Merge pull request #21 from MindscapeHQ/fix-xss-vulnerabilities

## Fix XSS vulnerabilities ### Updates - Replace the iframe on the dashboard page with a button link to the dashboard - Replace backurl in send test error link query string with a hard link back to the settings page - Add validation to determine whether the Send test error button is enabled on the settings page - Fix unencoded ampersands in the about page template
MindscapeHQ · Oct 4, 2017 · d260edc · d260edc
2 parents 27d574b + 87b7b10
commit d260edc
Show file tree

Hide file tree

Showing 9 changed files with 50 additions and 49 deletions.
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1 @@
+.DS_Store
diff --git a/README.md b/README.md
@@ -95,6 +95,7 @@ Finally, if you so desire you should be able to visit the root network site, act
 Changelog
 ---------
 
+- 1.8.3: Fix XSS vulnerability in settings; Replace the iframe with a link to the Raygun dashboard
 - 1.8.2: Bump Raygun4JS version to v2.6.2
 - 1.8.1: XSS bug fix
 - 1.8.0: Bump Raygun4JS dependency to v2.4.0; Bump Raygun4PHP dependency to v1.7.0; Pulse support added; Raygun4JS also includes the unique user tracking feature; Restructured the settings screen; JavaScript error tagging option added; Fixed an issue where the Send Test Error page wouldn't display results; Various content and style updates; Updated notifications; Raygun4JS tracks the version Wordpress being used; Unique user tracking also tracks the users first & last names

diff --git a/about.php b/about.php
@@ -12,7 +12,7 @@
 
         <p class="rg4wp-text">Raygun provides deep diagnostic information about the root cause of every error or crash, meaning your team won't be losing valuable time trying to reproduce issues or digging through log files. Ensure issue management and resolution is part of your team’s everyday workflow within Raygun's error and crash reporting software.</p>
 
-        <a class="rg4wp-button rg4wp-no-select rg4wp-button--crash" href="https://raygun.com/products/crash-reporting?utm_source=link&utm_medium=text&utm_campaign=wp-plugin-about">Learn More</a>
+        <a class="rg4wp-button rg4wp-no-select rg4wp-button--crash" href="https://raygun.com/products/crash-reporting?utm_source=link&amp;utm_medium=text&amp;utm_campaign=wp-plugin-about">Learn More</a>
       </div>
     </div>
 
@@ -24,7 +24,7 @@
 
         <p class="rg4wp-text">View searchable, specific user sessions to pinpoint where they encountered issues and discover fundamental bottlenecks that affect your typical end user experience. Ensure your website delivers a flawless user experience for each and every one of your customers.</p>
 
-        <a class="rg4wp-button rg4wp-no-select rg4wp-button--pulse" href="https://raygun.com/products/real-user-monitoring-websites?utm_source=link&utm_medium=text&utm_campaign=wp-plugin-about">Learn More</a>
+        <a class="rg4wp-button rg4wp-no-select rg4wp-button--pulse" href="https://raygun.com/products/real-user-monitoring-websites?utm_source=link&amp;utm_medium=text&amp;utm_campaign=wp-plugin-about">Learn More</a>
       </div>
     </div>
 
@@ -35,7 +35,7 @@
     <h2 class="rg4wp-title">Get Started Today</h2>
 
     <ol>
-      <li><a href="https://app.raygun.com/signup?utm_source=link&utm_medium=text&utm_campaign=wp-plugin-setup" target="_blank">Create a Raygun account</a></li>
+      <li><a href="https://app.raygun.com/signup?utm_source=link&amp;utm_medium=text&amp;utm_campaign=wp-plugin-setup" target="_blank">Create a Raygun account</a></li>
       <li>Go to the <a href="http://app.raygun.com/dashboard" target="_blank">Raygun dashboard</a> and create a new application. <span class="rg4wp-helptip">This represents your website</span></li>
       <li>Activate Crash Reporting and Pulse</li>
       <li>Copy the API Key <span class="rg4wp-helptip">Include the '==' at the end</span></li>

diff --git a/css/style.css b/css/style.css
@@ -1,8 +1,3 @@
-/* WP Overrides */
-.toplevel_page_rg4wp #wpcontent, .raygun4wp_page_rg4wp-dash #wpcontent {
-  padding-left: 0;
-}
-
 /* About Styles */
 .rg4wp-container {
   padding: 0 24px;

diff --git a/dash.php b/dash.php
@@ -1,26 +1,4 @@
-<iframe id="rgFrame" src='https://app.raygun.com?utm_source=wordpress&utm_medium=admin&utm_campaign=raygun4wp' frameborder="0" height="900px" width="100%"></iframe>
-
-<script type="text/javascript">
-  (function($) {
-
-    $(document).ready(function() {
-
-      var $dashboard = $('#rgFrame'),
-        $adminBar = $('#wpadminbar');
-
-      if( $dashboard.length == 0 ) {
-        return;
-      }
-
-      var setHeight = function() {
-        var height = window.innerHeight - $adminBar.height();
-        $dashboard.height( String( height ) + "px");
-      }
-
-      setHeight();
-      $(window).resize(setHeight);
-
-    });
-
-  })(jQuery)
-</script>
+<div class="wrap">
+ <p>Go to your Raygun dashboard</p>
+ <a class="rg4wp-button" href="https://app.raygun.com/signin" target="_blank">Open dashboard</a>
+</div>
diff --git a/raygun4wp.php b/raygun4wp.php
@@ -3,7 +3,7 @@
 Plugin Name: Raygun4WP
 Plugin URI: http://github.com/mindscapehq/raygun4wordpress
 Description: Exceptional error, performance, user tracking and more with Raygun.com. This service integrates Raygun Crash Reporting which lets you monitor your site's health with beautiful graphs and comprehensive reports, so you are always aware of any points of failure. With Raygun's Real User Monitoring you can monitor the performance of every individual user session, so you can discover and fix fundamental bottlenecks that affect your end user experience. This plugin has a simple one-minute, no-code-required installation.
-Version: 1.8.2.0
+Version: 1.8.3.0
 Author: Mindscape
 Author URI: http://raygun.com
 License: MIT

diff --git a/readme.txt b/readme.txt
@@ -1,10 +1,10 @@
-=== Plugin Name ===
+=== Raygun4WP ===
 Contributors: mindscapehq
 Donate link: http://raygun.com
 Tags: error reporting, raygun, exception, 404, crash reporting, JavaScript, PHP, error monitoring, error tracking, bug tracking, real user monitoring, pulse
 Requires at least: 3.4
-Tested up to: 4.7.5
-Stable tag: 1.8.2.0
+Tested up to: 4.8.2
+Stable tag: 1.8.3.0
 License: MIT
 License URI: http://opensource.org/licenses/MIT
 
@@ -80,6 +80,11 @@ If you enable this feature the currently logged in user's email address, first n
 
 == Changelog  ==
 
+= 1.8.3 =
+
+* Fix XSS vulnerability in settings
+* Replace the iframe with a link to the Raygun dashboard
+
 = 1.8.2 =
 
 * Bump Raygun4JS version to v2.6.2

diff --git a/sendtesterror.php b/sendtesterror.php
@@ -43,15 +43,7 @@
 }
 ?></p>
 
-<?php
-	$previousUrl = "javascript:window.history.back();";
-
-	if( isset($_GET['backurl']) ) {
-		$previousUrl = htmlentities($_GET["backurl"]);
-	}
-?>
-
-			<a class="rg4wp-button" href="<?php echo $previousUrl; ?>">Back</a>
+			<a class="rg4wp-button" href="/wp-admin/admin.php?page=rg4wp-settings">Back</a>
 
 		</div>
 	</div>

diff --git a/settings.php b/settings.php
@@ -113,9 +113,9 @@
       <p class="submit">
         <?php
           $current_user = wp_get_current_user();
-          $testErrorUrl = plugins_url('sendtesterror.php?backurl=' . urlencode($_SERVER['REQUEST_URI']) . '&rg4wp_status=' . get_option('rg4wp_status') . '&rg4wp_apikey=' . urlencode(get_option('rg4wp_apikey')), __FILE__) . '&rg4wp_usertracking=' . urlencode(get_option('rg4wp_usertracking')) . '&user=' . urlencode($current_user->user_email);
+          $testErrorUrl = plugins_url('sendtesterror.php?rg4wp_status=' . get_option('rg4wp_status') . '&rg4wp_apikey=' . urlencode(get_option('rg4wp_apikey')), __FILE__) . '&rg4wp_usertracking=' . urlencode(get_option('rg4wp_usertracking')) . '&user=' . urlencode($current_user->user_email);
         ?>
-        <a class="button-secondary button-large" target="_blank" href="<?php echo $testErrorUrl; ?>">Send Test Error</a>
+        <a id="js-send-test-error-link" class="button-secondary button-large" target="_blank" href="<?php echo $testErrorUrl; ?>">Send Test Error</a>
       </p>
 
       <h2 class="title">Pulse - Real User Monitoring</h2>
@@ -141,4 +141,33 @@
           submit_button("Save Changes", "primary", "submitForm", false, array('value' => 'submit'));
         ?>
       </p>
+      <script>
+        (function($) {
+          var $sendTestErrorLink = $('#js-send-test-error-link');
+          var serverSideEnabled = $('#rg4wp_status').prop('checked');
+          var clientSideEnabled = $('#rg4wp_js').prop('checked');
+          var apiKeyValue = $('#apiKey').val();
+
+          // Test if the API key has a value, and that either the server-side or client-side checkboxes have been checked on load
+          var isValid = function() {
+            return apiKeyValue.length > 0 && (serverSideEnabled || clientSideEnabled);
+          };
+
+          // Disable the send test link immediately if the state is invalid
+          if(!isValid()) {
+            $sendTestErrorLink
+              .prop('disabled', true)
+              .attr('title', 'Add your Raygun API key, select an Error Tracking option and click Save Changes to send a test error')
+              .addClass('button-disabled')
+              .css({ cursor: 'help' });
+          }
+
+          // Disable link default behavior if invalid
+          $sendTestErrorLink.on('click', function(e) {
+            if(!isValid()) {
+              e.preventDefault();
+            }
+          });
+        })(window.jQuery);
+      </script>
     </form>