modify page data
#7
Thanks a lot again Shawn, I already do the create pagecache only once but I double checked after your message to be sure.
My error handling is quite loose as I AND all the statuses from different XMLsave together, but I could fix that - what bothers me a bit more is I don't use the standard way of displaying error or success messages, but I should dig deeper again in the sources to see how it should be correctly done, so I could use (if possible) the undo function (which to my great shame I didn't study at all yet).

I've got a not-so-related question but I'll ask it anyway while it's hot:

I send my data in JSON format and use json_decode on the server side to save it: do you believe it's secure enough against XSS attacks? It certainly isn't ideally secure enough but I have a hard time figuring out how to prevent such attacks, it would be pretty easy to trigger a request from a distant site when a user is logged in... are there best practices for the developers regarding this kind of stuff? I mean I could check all the data but a request that would erase all the pages hierarchy could also be legit (though thinking about it I can add a bit more security because my plugin as it is right now could enable an attacker to erase all the pages if he knows the site structure).
I didn't test this potential attack but maybe there's already a protection against this kind of attack through a cookie or session check? If so, is it automatic or should I invoke it manually?

I identify pages by their slug, maybe I could encode the slugs in the requests so it wouldn't be trivial to forge a request from the sitemap?

Also a more related question: what would be the best practice to save data? I tried to use the pages.php way of doing things by sending a header:location before redirecting to the plugin page, but although it works locally, on the distant server headers are already sent, so maybe an ajax request would be a more effective way of doing things?

I'm kind of old school and hacky in my coding so I like to have simple things all packed up in a single file - that's why I'd rather avoid the ajax request which would demand another php file for my plugin. I can also use a javascript redirect, but even though my plugin relies heavily on javascript and jquery I feel it would be more consistent if the redirect command originated server side, so is there a way to send the headers directly from my plugin before something is triggered anywhere else? I opened another thread about that, maybe I should have kept things only here - sorry about that: I'm posting in a hurry which is always a bad idea :/
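The forged-request concern raised in the post above (a remote site triggering a save while the user is logged in) is commonly handled with a per-session token that is checked before the JSON is decoded or anything is saved. The following is an added example, not part of the original post and not the CMS's own API; the function names, the `save_hierarchy` action and the `token` and `payload` field names are assumptions.

```php
<?php
declare(strict_types=1);
// Added example: all names here are hypothetical, not taken from the thread or the CMS.

// Derive a token for one action from a per-session secret that never leaves the server.
function csrf_token(string $action): string
{
    if (empty($_SESSION['csrf_key'])) {
        $_SESSION['csrf_key'] = random_bytes(32);
    }
    return hash_hmac('sha256', $action, $_SESSION['csrf_key']);
}

// Constant-time comparison of the token sent back with the request.
function csrf_valid(string $action, string $sent): bool
{
    return !empty($_SESSION['csrf_key']) && hash_equals(csrf_token($action), $sent);
}

// Returns the validated changes, or null if the request must be rejected.
function handle_save(array $post, array $knownSlugs): ?array
{
    // 1. Reject requests that do not carry this session's token (cross-site forgeries).
    if (!csrf_valid('save_hierarchy', (string)($post['token'] ?? ''))) {
        return null;
    }
    // 2. Decode only after the request is known to come from our own form.
    $data = json_decode((string)($post['payload'] ?? ''), true);
    if (!is_array($data)) {
        return null;
    }
    // 3. Accept only slugs that already exist; a parent is empty or a known slug.
    $clean = [];
    foreach ($data as $item) {
        $slug   = is_array($item) ? ($item['slug'] ?? null) : null;
        $parent = is_array($item) ? ($item['parent'] ?? '') : null;
        if (!is_string($slug) || !in_array($slug, $knownSlugs, true)) {
            return null;
        }
        if (!is_string($parent) || ($parent !== '' && !in_array($parent, $knownSlugs, true))) {
            return null;
        }
        $clean[] = ['slug' => $slug, 'parent' => $parent];
    }
    return $clean;
}

// Constructed demo: one request from the plugin's own form, one without a token.
session_start();
$slugs   = ['about', 'contact'];                                   // constructed sample
$payload = json_encode([['slug' => 'contact', 'parent' => 'about']]);
var_dump(handle_save(['token' => csrf_token('save_hierarchy'), 'payload' => $payload], $slugs));
var_dump(handle_save(['payload' => $payload], $slugs));
```

The token would be embedded in the plugin's form or JavaScript when the admin page is rendered; encoding the slugs would not replace it, since slugs are readable from the sitemap and do not prove where the request originated.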


Messages In This Thread
modify page data - by Bertrand - 2014-03-07, 21:08:16
RE: modify page data - by Bertrand - 2014-03-08, 00:21:36
RE: modify page data - by Bertrand - 2014-03-08, 00:53:25
RE: modify page data - by shawn_a - 2014-03-08, 01:05:07
RE: modify page data - by Bertrand - 2014-03-08, 01:11:12
RE: modify page data - by shawn_a - 2014-03-08, 02:07:12
RE: modify page data - by Bertrand - 2014-03-08, 05:20:36
RE: modify page data - by shawn_a - 2014-03-08, 06:31:07
RE: modify page data - by Bertrand - 2014-03-08, 09:01:00
RE: modify page data - by Bertrand - 2014-03-08, 10:17:31
RE: modify page data - by shawn_a - 2014-03-08, 10:22:22


