This thread is resolved. Here is a description of the problem and solution.

Problem:
The shortcode [wpml_language_selector_widget] used for showing the language switcher in the header includes the path to the CSS file like so: "sitepress-multilingual-cms/templates/language-switchers/legacy-list-horizontal/style.css?ver=1". It is missing the HTTP or HTTPS part, which can cause a security issue.

Solution:

Our developers checked this issue and concluded that there was no security risk by not having the HTTP or HTTPS part in the CSS URL link, and it should not be included due to a specific reason.

This topic contains 13 replies, has 3 voices.

Last updated by Itamar 3 years, 3 months ago.

Assisted by: Itamar.

November 16, 2020 at 5:24 am #7454675

Alifa Colaco

Used [wpml_language_selector_widget] shortcode for showing the language switcher in header.
This includes "sitepress-multilingual-cms/templates/language-switchers/legacy-list-horizontal/style.css?ver=1" CSS file with http or https (see the attached screenshot).

We want the URL to include http or https depending on website URL.

WPML-Language-Widget-CSS.PNG
November 17, 2020 at 10:31 am #7465041

Ahmed Mamdouh
Supporter

Languages: English (English ) Arabic (العربية )

Timezone: Africa/Cairo (GMT+02:00)

Hi,

Thanks for contacting our support forum.

As I understood, you are trying to add a new custom language switcher, so could you please tell me how you added the shortcode to the header?

Also, could you please share the debug information of your site with me?
You can read a detailed explanation about it here.
http://wpml.org/faq/provide-debug-information-faster-support
The debug info will give me a lot of information about how your site is configured and help me understand the source of the problem.

Best regards,
Ahmed Mamdouh.

November 17, 2020 at 10:44 am #7465109

Alifa Colaco

echo do_shortcode('[wpml_language_selector_widget]');
November 17, 2020 at 12:01 pm #7466073

Ahmed Mamdouh
Supporter

Hi,

Are you facing a problem adding HTTP or HTTPS to the CSS link? And if yes, could you please provide me the error or describe the issue in detail?

Best regards,
Ahmed Mamdouh.

November 17, 2020 at 1:14 pm #7466587

Alifa Colaco

Are you facing a problem adding HTTP or HTTPS to the CSS link? - Yes

We have added the below code for showing language switcher for the site.

<?php echo do_shortcode('[wpml_language_selector_widget]'); ?>

It includes the below CSS file when the above code is added:

<link rel='stylesheet' id='wpml-legacy-horizontal-list-0-css'  href='//devlocal.creativecapsule.local:8002/wp-content/plugins/sitepress-multilingual-cms/templates/language-switchers/legacy-list-horizontal/style.css?ver=1' type='text/css' media='all' />

If you check the link for the above CSS file it is not showing http or https.
But, for our site we want all CSS/JS links to have http or https for the URL.

WPML-Language-Widget-CSS.PNG
November 17, 2020 at 8:31 pm #7470189

Itamar
Supporter

Languages: English (English ) Hebrew (עברית )

Timezone: Asia/Jerusalem (GMT+03:00)

Hi there.

Since Ahmed is not available I'll continue helping you with this issue.

I can replicate this issue on my test site. Indeed the http: or https: part of the 'href' attribute that points to the custom Language Switcher style.css file is missing.

But as far as I see it, it is just a minor issue because other than that everything is functioning as it should. The CSS for the custom Language Switcher is loading correctly. And if the URL of your site is the HTTP or HTTPS protocol that link will be accordingly.

You can check my test site at the following link.
hidden link
If you inspect the Language Switcher with the browser's developers tool then you should notice that it is loading with the HTTP or HTTPS protocol. Please see the attached screenshot https-ok.jpg. At the following link, you will find the full link to the CSS file.
hidden link

Can you see my point on this case?
Of course, I'm going to discuss this with our second tier supporters and escalate the issue if needed. But now it is important for me to know if you are actually having issues because of the missing http: part in the link?

Thanks,
Itamar.

https-ok.jpg
November 19, 2020 at 9:52 am #7481599

Alifa Colaco

We need to have HTTP or HTTPS protocol as our IT team have identified it as a security issue.

November 19, 2020 at 5:17 pm #7486783

Itamar
Supporter

Hi,

OK, I'm going to escalate this issue to our second tier supporters. They will escalate it to our developers if needed. We'll keep you updated here on any news regarding this issue.

Meanwhile, it might be helpful if you can get more information from your IT team about the security issue that they identified. If you get it please share it here with me.

Thanks,
Itamar.

November 22, 2020 at 12:53 pm #7502751

Itamar
Supporter

Hi.

I've escalated this issue to our second tier supporters. They will debug it and escalate it to our developers if needed. We'll keep you updated here on any news regarding this issue.

Thank you for your patience.
Itamar.

November 23, 2020 at 7:16 am #7505815

Itamar
Supporter

Hi.

Our second tier supporter has checked this issue and explains the following.

The missing protocol is part of a practice. If you do not specify a protocol, then a request is made using the protocol used to connect with the site. Just like a relative path, it is a relative URI.

I hope that this clarifies the issue.
Please let me know if you have further questions about this issue.

I'm also waiting to hear from you regarding the security issue that you mentioned.
As far as we can see, there is no security issue here.

Regards,
Itamar.
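
The resolution rule described in the reply above, shown as an added example (not part of the thread and not WPML code): it resolves the `<link>` tag posted earlier against an HTTPS and an HTTP page origin and flags anything that would be fetched over plain HTTP. The page origins and the second and third tags are constructed sample values.

```javascript
// Added example: how a browser resolves the scheme-relative href from the thread.
// The <link> tag is the one posted in the thread (href starts with "//").
const SAMPLE_HTML =
  "<link rel='stylesheet' id='wpml-legacy-horizontal-list-0-css' " +
  "href='//devlocal.creativecapsule.local:8002/wp-content/plugins/" +
  "sitepress-multilingual-cms/templates/language-switchers/" +
  "legacy-list-horizontal/style.css?ver=1' type='text/css' media='all' />\n" +
  // Constructed extra tags for comparison (not from the thread).
  "<script src='http://cdn.example.test/app.js'></script>\n" +
  "<img src='/wp-content/uploads/logo.png'>";

// Collect every href/src value and classify how it will be fetched
// when the document itself was loaded from pageUrl.
function auditResourceUrls(html, pageUrl) {
  const attr = /\b(?:href|src)\s*=\s*(['"])(.*?)\1/gi;
  const findings = [];
  for (const m of html.matchAll(attr)) {
    const raw = m[2];
    // WHATWG URL resolution: a missing scheme is inherited from the base URL.
    const resolved = new URL(raw, pageUrl);
    let kind = 'absolute';
    if (raw.startsWith('//')) kind = 'scheme-relative';
    else if (!/^[a-z][a-z0-9+.-]*:/i.test(raw)) kind = 'path-relative';
    findings.push({
      raw,
      kind,
      resolved: resolved.href,
      // A plain-HTTP fetch is the condition a scanner should flag.
      insecure: resolved.protocol === 'http:',
    });
  }
  return findings;
}

// Constructed page origins: the same markup served over HTTPS and over HTTP.
for (const page of ['https://site.example.test/', 'http://site.example.test/']) {
  console.log(`page loaded from ${page}`);
  for (const f of auditResourceUrls(SAMPLE_HTML, page)) {
    console.log(`  ${f.kind.padEnd(15)} insecure=${f.insecure} ${f.resolved}`);
  }
}
```

On the HTTPS origin the scheme-relative stylesheet resolves to `https:` and only the hard-coded `http:` script is flagged; on the HTTP origin every resource, scheme-relative or not, is fetched in the clear.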

November 26, 2020 at 6:58 am #7531767

Alifa Colaco

When our IT team does a security scan, this is identified as a security threat and this needs to be fixed.

If further details are required then we can schedule a call with our IT team.

November 26, 2020 at 10:33 am #7533335

Itamar
Supporter

Hi and thanks for the extra details.

I passed your note to our second tier supporter. When I have more information from him I'll update you here.

Thank you for your patience.
Itamar.

November 26, 2020 at 11:38 am #7534003

Itamar
Supporter

Hi.

While our second-tier supporter consults the developers, he asked me to also pass the following request to you.

Can you please point us to any documentation which explains the security threat that might be caused by not adding `https:` to the CSS link?

Thanks,
Itamar.

December 10, 2020 at 8:49 am #7632575

Itamar
Supporter

Hi,

After further discussing this issue with our main developers, we conclude that, as of now, there is no security risk by not having the http: part in the CSS URL link. In fact, we discovered that we shouldn't include this part because of a certain reason.

So due to the above, we are going to wait for your reply with the IT team comment about what they see in it as a security risk.

I look forward to your reply!

Thanks,
Itamar.

This ticket is now closed. If you're a WPML client and need related help, please open a new support ticket.