-XSS: That's why I haven't really released it yet (of course I was
going to get your permission if I were, anyway). I'm no expert in XSS,
unfortunately. I did use a vulnerability scanner from Acunetix
[ http://www.acunetix.com/ ] which said that everything was fine (of
course I'm not trusting it 100 percent), and I'm in the process of
looking for someone who really knows these things to test it (I'll
probably ask on the WordPress forums).
-Yeah, I did remove that part, as is stated in the to-do list. So I'm
assuming this is fine, given that there's no other way to be XHTML
compliant (which many users want or need before they're able to use
it)?
-Well, I only did it because I figured that it'd be a simpler way, since
anything reCAPTCHA-related would be in the stylesheet. I most likely
can inline them, but I was advised against it by some XHTML
standards-knowing people; one of them said that inlining styles was on
the way out (probably by the next XHTML standard version). Of course I
could inline them if you like. In that case I will have to remove the
hidden email styling and keep the notice about being able to style the
emailrecaptcha class. So if you would like me to inline them instead,
let me know.
-I think it is. Note, however, that I already fixed the problem with
Akismet; the only other problem is that the comments are still saved
in the database, just not shown (marked as spam), but there are no
longer conflicts with Akismet. I believe the line that is causing it
to go to the moderation queue, or at least show up as spam, is:

add_filter('pre_comment_approved', create_function('$a', 'return \'spam\';'));

I think I'm just going to, right after this line, add a line that
deletes the comment from the database.
I'll be working on the last one for now, since it's the one I know for
sure you want me to do. Let me know about the rest (except for the XSS
one; I'm working on it).
On May 17, 12:25 pm, "reCAPTCHA Support" <supp...@recaptcha.net> wrote:
> Hey!
>
> Fantastic job. A few comments:
>
> - From the todo list "Make XSS-proof. Apostrophes are allowed in email
> matching regex for MailHide
> <http://code.google.com/p/recaptcha/w/edit/MailHide>,
> can it be used to escape out of Javascript." Did you test XSS in the
> extension? I'd be most worried about somebody being able to do XSS via the
> comment field.
> - About XHTML compliance -- the fix essentially disables the <noscript>
> version of reCAPTCHA. Sadly, there isn't a good way to get <noscript>
> working while being XHTML compliant.
> - Is it possible to avoid linking to recaptcha.css on every page view?
> Adding another stylesheet means it takes another round trip to load the
> page? Only two of the styles are used on standard user pages -- maybe it
> makes sense to just inline them?
> - Any chance of getting rid of the "save the comment in the DB if the
> CAPTCHA failed" stuff, which causes things that reCAPTCHA catches to show up
> in the moderation queue?
>
> - Ben
>
> On Fri, May 16, 2008 at 10:22 PM, jorgepbl...@gmail.com <
> > http://www.blaenkdenum.com/official-recaptcha-wordpress-plugin-28-pre... ]
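Two points in the exchange above lend themselves to a worked example: the
MailHide concern (an apostrophe that the email regex accepts can end a
JavaScript string literal), and the "comment is still saved even though
the CAPTCHA failed" behaviour of the `pre_comment_approved` filter. The
PHP below is an added example written for this page; it is not the
plugin's code or reCAPTCHA's. It assumes it is loaded as a WordPress
plugin, that a helper `recaptcha_verify_response()` exists and returns
true when the reCAPTCHA API accepts the answer, and it uses the reCAPTCHA
v1 form field names `recaptcha_challenge_field` and
`recaptcha_response_field`; all three names are assumptions. The first
part is plain PHP and runs on its own; the second only does anything
inside WordPress.

```php
<?php
// Added example, not the plugin's own code. See the lead-in for the
// assumed names (recaptcha_verify_response(), the two POST field names).

// ---- 1. MailHide: the address ends up inside a JavaScript string -------

// Vulnerable: the address is pasted straight into a single-quoted JS
// literal. The regex that matched it allows "'", so the value can close
// the literal; whether what follows is exploitable depends on what else
// the character class lets through, which is not something to rely on.
function mailhide_script_vulnerable($email) {
    return "<script>var email = '" . $email . "';</script>";
}

// Hardened: escape at the sink instead of trusting the regex. json_encode()
// yields a valid JS string literal, and the JSON_HEX_* flags (PHP 5.3+)
// encode ' " < > & as \uXXXX, so the value can neither end the literal nor
// close the <script> element.
function mailhide_script_safe($email) {
    $flags = JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP;
    return '<script>var email = ' . json_encode($email, $flags) . ';</script>';
}

// Constructed probe (not a real address): an apostrophe is legal in the
// local part (RFC 5322 atext), so a regex that accepts real addresses must
// accept it. Returns true when the vulnerable sink lets the quote through
// as a quote and the safe sink does not.
function mailhide_probe() {
    $probe = "o'neil'; alert(1); var x = '@example.com";
    $unsafe = mailhide_script_vulnerable($probe);
    $safe   = mailhide_script_safe($probe);
    // $unsafe contains the bytes  '; alert(1);  as live script;
    // $safe contains  \u0027; alert(1);  inside one string literal.
    return strpos($unsafe, "'; alert(1);") !== false
        && strpos($safe, "'") === false;
}

// ---- 2. Failed CAPTCHA: stop before the insert, not after ---------------

// 'pre_comment_approved' is applied inside wp_allow_comment(), which
// wp_new_comment() calls right before wp_insert_comment(); returning
// 'spam' from it therefore still stores the row, which is what the thread
// observes. 'preprocess_comment' is applied earlier in wp_new_comment(),
// so ending the request there leaves nothing to delete.
function recaptcha_check_comment($commentdata) {
    $challenge = isset($_POST['recaptcha_challenge_field'])
        ? $_POST['recaptcha_challenge_field'] : '';
    $response = isset($_POST['recaptcha_response_field'])
        ? $_POST['recaptcha_response_field'] : '';

    if (!recaptcha_verify_response($challenge, $response)) { // assumed helper
        // wp_die() renders the message and exits; 'back_link' gives the
        // visitor a link back to the form. The comment is never saved.
        wp_die(
            __('Incorrect CAPTCHA answer. Please go back and try again.'),
            __('Comment rejected'),
            array('back_link' => true)
        );
    }
    return $commentdata;
}

// Priority 1 so the check runs ahead of other 'preprocess_comment'
// filters registered at the default priority of 10. The guard keeps the
// file loadable outside WordPress (for part 1 alone).
if (function_exists('add_filter')) {
    add_filter('preprocess_comment', 'recaptcha_check_comment', 1);
}
```

The useful habit in part 1 is that the input regex and the output escaping
are two separate controls: tightening the regex to reject apostrophes
would break legitimate addresses, while escaping at the sink makes the
regex's character class irrelevant to script injection. Part 2 replaces
the mark-as-spam-then-delete plan with not inserting at all, which also
keeps the rejected comment out of any moderation or spam listing.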