mprins / dokuwiki-plugin-socialcards Goto Github PK

This plugin can also be read on social cards on banned pages.

When I set the image, full url or just name, the meta is filled by "https://wikidurable.org/lib/exe/fetch.php/logo.png", which works but is not recognized by facebook and twitter when I fetch the scrape information.

should contain the page abstract

I just came across the fact that the plugin does not honor ACLs as it seems. It's what #28 was all about as well, I think.

Hope you can implement this a little differently, so information does not get leaked from protected pages this way. That would be awesome :-)

environment

• php version: 7.4
• dokuwiki version: Release 2020-07-29 "Hogfather"
• plugin version / date: 2022-04-12
• list of any other plugins (apart from bundled plugins):

expected behaviour

When a page is set to not be accessible for the general public and the link to it is posted to - say - Discord, the card info should be something like "permission denied".

actual behaviour

When a page is set to not be accessible for the general public and the link to it is posted to - say - Discord, the card info shows the actual content of the page aka it leaks the protected information.

steps to reproduce actual behaviour

Install the plugin, only allow access to a page by the admin (and nobody else) and then post the link to Discord or Twitter or anywhere where a preview would be shown. You'll see the page content, which you tried to hide by disallowing the general public from viewing the page. You could look at the HTML source as well, of course.

p_get_metadata($ID, 'title', true), doe not have that signature, the 3rd parameter should be:

/** Don't render metadata even if it is outdated or doesn't exist */
25 define('METADATA_DONT_RENDER', 0);

/**
27 * Render metadata when the page is really newer or the metadata doesn't exist.
28 * Uses just a simple check, but should work pretty well for loading simple
29 * metadata values like the page title and avoids rendering a lot of pages in
30 * one request. The P_GET_METADATA_RENDER_LIMIT is used in this mode.
31 * Use this if it is unlikely that the metadata value you are requesting
32 * does depend e.g. on pages that are included in the current page using
33 * the include plugin (this is very likely the case for the page title, but
34 * not for relation references).
35 */
36 define('METADATA_RENDER_USING_SIMPLE_CACHE', 1);

or

37 /**
38 * Render metadata using the metadata cache logic. The P_GET_METADATA_RENDER_LIMIT
39 * is used in this mode. Use this mode when you are requesting more complex
40 * metadata. Although this will cause rendering more often it might actually have
41 * the effect that less current metadata is returned as it is more likely than in
42 * the simple cache mode that metadata needs to be rendered for all pages at once
43 * which means that when the metadata for the page is requested that actually needs
44 * to be updated the limit might have been reached already.
45 */
46 define('METADATA_RENDER_USING_CACHE', 2);

in our case we're using true which most php will translate to 1 (METADATA_RENDER_USING_SIMPLE_CACHE )

Opengraph has removed support for many tags regarding location, we should check/revise what we render

The plugin should skip on non-exitant pages as most of the metadata is meaningless in that case.

See https://blog.twitter.com/2016/alt-text-support-for-twitter-cards-and-the-rest-api

currently the fallback image needs to be a fully qualified url to an image (eg. http://www.hooidonksekanoclub.nl/dokuwiki/_media/logo-hkc.jpg), it would be good to be able to use a media id, eg: wiki:dokuwiki-128.png

for facebook etc. that use Open Graph,
see also: https://developers.facebook.com/docs/concepts/opengraph/ and http://ogp.me/