WYSIWYG Editor – Insert/Edit Link Not Working

[AITpro Admin]

Question split due to being a separate Topic/Question:

My second question relates so some issue’s my client is having.
Apparently when you edit a post/page in the WYSIWYG, that using the ‘Insert/Edit Link’ button within the toolbar no longer functions.
I was wondering if it’s possible that BPS Pro would be blocking the javascript? or perhaps it’s something completely different.
 
the website is http://www.habitatmontreal.qc.ca
AITpro Admin already has an account in the website if he needs to access it.

[AITpro Admin]

In general, BulletProof Security does not interfere with the standard WordPress WYSIWYG Editor.  Are you using a WYSIWYG Editor plugin?  Check the B-Core Security Log for any errors and post any errors here.

[James]

I’m using the standard one that comes with WP. I checked the security log and there’s nothing there. Would it be easier for you if you can reproduce the problem? You still have an account on the website.

[AITpro Admin]

Is this client site under your Hosting account?  Is this client site using the same Server that your site is using?  Are you having the same problem with the WYSIWYG Editor on your site? Please list step by step with exact specific details where the problem is occurring and any error messages that you see.

[James]

I’m a little confused by your questions but I’ll do my best to answer them.
The site was developed in a 3 server process, Local Dev > Staging Server(My own personal hosting) > Production Server (The client’s hosting)
All the issues I’ve mentioned are from the production server. All the clients, access the site via the production server.
The production site is under their separate hosting account that the client provided, however, I have full access to it.
The production site is running on the same server that the client provided.
 
I was able to reproduce the issue that they brought to my attention on my end via the same server. 
 
This is the process I used to reproduce the issue.
Logged into account > Pages > 2nd page of Pages > ‘Habitat in the News’ Page > Highlighted a word in the Visual mode > clicked the Insert/Edit Hyperlink Icon from the Editing Toolbar
The result was no error, no function, nothing happened.
The same happens when attempting to edit an already established hyperlink.
On Chrome you can see the word javascript:; in the bottom left of the window after selecting the button.
 
Let me know if you need any further information.
I appreciate all the help!

[AITpro Admin]

Ok I just wanted to make sure your were aware of this BulletProof Security Pro licensing agreement change >>> http://forum.ait-pro.com/forums/topic/bulletproof-security-pro-developer-license-brand-re-brand-white-label/#post-1396

The licensing agreement change has become necessary because we are starting to develop a serious problem with folks who purchase a BPS Pro license then install BPS Pro at no charge on client sites and then expect for us to offer free technical support to folks who have not purchased BPS Pro.  We may need to change the BPS Pro licensing agreement further / add more licensing restrictions, but hopefully just making this license change will be enough to take care of the problem.

This new change has been made to the BulletProof Security Pro license:

“…If You install BulletProof Security Pro on Your clients websites then You are responsible for supporting BulletProof Security Pro for Your clients. AITpro offers free technical support to the licensee of the BulletProof Security Pro software only and is not responsible for supporting BulletProof Security Pro on Your clients websites…”

Since you are handling your client’s issue/problem and posting in the Forum then I can assist you here, but we are no longer officially logging into other people’s client sites as this is causing a significant problem for us.

Ok back to your client’s issue/problem.  What is supposed to occur when clicking the Insert/edit link button is that a pop up window should appear.  This is javascript or jQuery based and I believe this is the Thickbox feature in WordPress.  I have seen this same type of problem occur when using a plugin called My Calendar, but really what was occuring is due to something about the Server configuration itself or some other factor specific to the website/Host/Server this problem was only occurring on that person’s website and did not occur on my testing site.

This was the solution to that problem so comment out the security filter shown in this Forum link below.

http://forum.ait-pro.com/forums/topic/my-calendar-plugin-shortcode-builder-403-error/#post-1172

[James]

Hi There,
I apologize for not being aware of the license issue and in the future I’ll refrain from asking about issues on my client’s website.
I tried the fix from the post you linked and verified that the change occurred within the root .htaccess, however the javascript modal that is expected still doesn’t show.
 
I have a second problem and I’m not sure if the two are related. This time around I do have some security logs from BPS.
The general issue was that attempting to upload an image via ‘Nivo Slider for WordPress’ plugin (by clicking the ‘Add New Image’ button) would result in nothing happening when the expected result should’ve shown some input fields to choose an image. This only works on my end but nobody else.
These are the logs for today. Note that a lot of the logs are 403 to a majority of the scripts that need to run.
http://pastie.org/private/s8dgyxe729phkgkt1hvw
Perhaps the problem are all related to the same issue?
 

[AITpro Admin]

No need for an apology.  😉  We are just trying to get a situation under control that is becoming an increasing problem.  I’m hoping that we will not have to add additional licensing restrictions.  One idea that is very appealing to me is this one below.

If you are website developer or manage other folks sites on an ongoing basis then I was thinking that for client sites you could add a footer link back to the AITpro site.  This way we would get an inconspicuous Ad for BPS Pro (more for image/appearance really than an Ad) and a link back to the AITpro site.  By making this a licensing condition for Developers or website Managers we would actually get some benefit from this.  What do you think of this idea?  Does it appeal to you or turn you off?  Or just plain piss you off?  LOL

This is the footer image we display on the AITpro site so what I was thinking was having a few choices.  Just plain text and a few variations in image sizes for the BPS Pro logo.  Let me know what you honestly think about this idea.  Thanks

Have you done the standard BPS Pro troubleshooting steps yet to verify that the problem is being caused by BPS Pro?

https://forum.ait-pro.com/forums/topic/read-me-first-pro/#bps-pro-general-troubleshooting

1. On the Security Modes page, click the Root Folder BulletProof Mode Deactivate button. See Custom Code Note if doing this step works.
2. On the Security Modes page, click the wp-admin Folder BulletProof Mode Deactivate button.  See Custom Code Note if doing this step works.
3. On the Security Modes page, click the Plugin Firewall BulletProof Mode Deactivate button.
4. On the Security Modes page, click the UAEG BulletProof Mode Deactivate button.
5. If an issue/problem is related to files being locked with F-Lock then unlock files on the F-Lock page.
6. If an issue/problem is related to Login Security turn Off Login Security on the Login Security & Monitoring page.
7. If an issue/problem is related to JTC Anti-Spam|Anti-Hacker turn Off JTC Anti-Spam|Anti-Hacker on the JTC Anti-Spam|Anti-Hacker page.
8. If an issue/problem is related to a custom php.ini file (if you created a custom php.ini file for your website) rename it to php.ini.BAK
9. If an issue/problem is related to files being autorestored and/or quarantined turn Off AutoRestore|Quarantine on the AutoRestore page. Note: If you are manually editing or uploading files to your website see the AutoRestore|Quarantine Manual File Editing/Uploading Correct Usage steps:https://forum.ait-pro.com/forums/topic/autorestore-quarantine-guide-read-me-first/#procedural-steps

Stop here and do not proceed.

What you will need to do then is first eliminate that the issue/problem is not coming from the wp-admin .htaccess file by using the deactivate wp-admin  htaccess file option on the Security Modes.  Test if the problem is still occurring.  If it is still occuring then let me know at this point and do not proceed with the troubleshooting steps below.

You will need to comment out the root .htaccess security filters 1 by 1 until you find the security filter that is causing the issue/problem.  What I do is add a pound sign # in front of 3 security rules at a time and test as shown below.  Then continue to comment out 3 more security rules and test, etc until you find the security rule or rules that need to be commented out permanently.

# BPSQSE BPS QUERY STRING EXPLOITS
# The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
# Good sites such as W3C use it for their W3C-LinkChecker. 
# Add or remove user agents temporarily or permanently from the first User Agent filter below.
# If you want a list of bad bots / User Agents to block then scroll to the end of this file.
#RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
#RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
#RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
.....
.....
.....

No, the 2 issues are not related.  Please see this Security Log / HTTP Error Log Read Me first Topic for the solution – https://forum.ait-pro.com/forums/topic/security-log-http-error-log-read-me-first/

[AITpro Admin]

Also due to all of the plugin scripts HTTP errors that I see in your log file it does not appear that you performed all the Plugin Firewall Whitelist steps correctly or maybe this site is using a Minify or copyright protection plugin?

Please see this post about other plugins will break the Plugin Firewall Whitelist Scanner from working correctly.

http://forum.ait-pro.com/forums/topic/plugin-firewall-read-me-first-troubleshooting/

If the Plugin Firewall Whitelist Scanner does not work on this site for whatever reason due to something breaking it then the Topic above lists other options available to you to Whitelist plugin scripts or of course you can just deactivate the Plugin Firewall.  You should do this for testing anyway.

[AITpro Admin]

Also a new BulletProof Security Pro installation and setup video tutorial has been created here that shows the correct steps to setup the Plugin Firewall / Whitelist.

http://www.ait-pro.com/aitpro-blog/2841/bulletproof-security-pro/bulletproof-security-pro-overview-video-tutorial/

[James]

Hmm, I like the idea of having a link in the footer which would allow or give you a reason to extend your license/support.
I like the idea of having a variety of image/text options, to choose from.
I’d be a lot nicer if it was more like a certification, like ‘Certified and secured by BPS Pro’ or something. Kind of like a CSS/HTML Validation or Anti-Hacker certification. Anyway, just an idea.

I deactivated root and wp-admin BPS Pro for good measure and the problem still existed. I’m not sure what else the problem could be.

As for the second issue, I remember there was a plugin conflict before 5.5 in which you had to create the plugin firewall for me. You then gave me a patch that would fix this conflict. I suppose I should re-scan?
Most of the plugins in the Security Log are scripts that only run in the admin panels, how do I scan for those?

[AITpro Admin]

Well actually it would not mean that we would be extending the support to licensee’s clients.  We are already allowing free usage of BPS Pro on licensee’s client sites so I think that is already generous enough.  Some of the new license restriction proposals have been as restrictive as only offering single licenses or license packs, but I am not in favor of that at all – it is too extreme so I am not even considering those proposals.  The standard software licensing models that most Brand name companies use are too restrictive for my tastes, but I can see why they use those standard licensing policies/models.  😉

Yep great suggestion.  I am thinking as long as “BulletProof Security Pro” is used in the text or link then whatever the rest of text says does not matter and could be left open.

Ok since you have determined that BPS Pro is not causing the problem then just do the standard WordPress troubleshooting steps.  Deactivate plugins 1 by 1 until you find the plugin that is causing the problem.  And if it is not a plugin then eliminate your Theme by switching to the WordPress 2010, 2011 or 2012 Theme.  Once you find the source of the problem then contact the appropriate plugin author or theme author.

I actually have no idea about what you saying about the second issue???  Please refresh my memory.  Actually what you should be looking at in the logged event is REQUEST_URI:

example shows that this plugin script is being blocked.  You can add these manually to your Plugin Firewall Whitelist.  Please see this Forum Topic >>> http://forum.ait-pro.com/forums/topic/plugin-firewall-read-me-first-troubleshooting/

REQUEST_URI: /wp-content/plugins/sitepress-multilingual-cms/res/js/scripts.js?ver=2.6.0

[James]

Oh okay, I understand. Some plugins I’ve purchased usually have either a Single website license and a Unlimited Website license. I usually purchase the Unlimited license (usually sold at a higher rate). To give you a memory refresher. I had a problem with some widgets not working/scripts not loading when visiting my website. I had recently followed the tutorial for the plugin firewall but after you had logged in and taken a closer look you discovered that there was a javascript conflict with a certain plugin. This plugin was called ‘Smart Slideshow Widget’. You then performed a quick band-aid solution (not sure what that was) which allowed the website to work. However a couple days later you sent me a file that would patch BPS with a line of code that blocked Smart Slideshow Widget from running in the background and conflicting with BPS. You also mentioned that 5.5 would include this line of code.

What I’ve done just now was re-do my plugin firewall and have excluded the javascript directories for the plugins themselves instead of the individual files. Hopefully this will fix the issue with the plugin not working correctly. I did some more WordPress troubleshooting like you suggested and have now found that ‘Smart Slidesh0w Widget’ is ALSO the cause of my Admin Panel Javascript conflicts. I doubt I’m going to get a response from the developer having broke WP with it’s terrible coding. *Sigh* This Smart Slideshow Widget plugin is the bane of my existence right now.

[AITpro Admin]

Oh ok now I remember.  Yep the Regex for the Plugin Firewall Whitelist are all the standard Regex characters so this gives you a huge variety of options and versatility in what level of whitelisting you want to do/allow.  Entire directories, “wildcards”, etc. This code has been added permanently to BPS Pro 5.5 and all future versions of BPS Pro to block that plugin’s scripts from loading on BPS Pro plugin pages.

// Block SSW from loading its scripts in BPS Pro pages and breaking BPS Pro scripts/menus/etc
wp_dequeue_script( 'jQuery-UI-Effects', plugins_url('/smart-slideshow-widget/js/jquery-ui.min.js') );
wp_dequeue_script( 'SSW', plugins_url('/smart-slideshow-widget/js/smart-slideshow-widget.js') );

And what can I tell you.  Since that plugin is loading its scripts everywhere when it should not be doing this then yeah it was bound to be breaking other things as you just found out.  😉  I could of course have written code to completely block this plugin’s scripts from loading, but then of course it would not work at all anymore.  LOL  The easy fix is DELETE it and find a better coded slider.  😉  There are tons of them out there so just look for one that is better coded.

[James]

Bah! I just made my plugin firewall worse somehow.. It’s showing the EXACT same symptoms as before. Symptoms being: The site loads perfectly fine on my IP address but somehow to everyone else the scripts do not load.

This is the firewall I changed it to:

/gravityforms/js/, /nivo-slider-for-wordpress/js/, /simplemodal-login/js/, /sitepress-multilingual-cms/res/js/, /smart-slideshow-widget/js/, /wpml-sticky-links/res/js/, /wpml-translation-management/res/js/,

I figured maybe I didn’t exclude an entire directory properly so I removed the trailing ‘/’ from the URLs and still nothing changed.

/gravityforms/js, /nivo-slider-for-wordpress/js, /simplemodal-login/js, /sitepress-multilingual-cms/res/js, /smart-slideshow-widget/js, /wpml-sticky-links/res/js, /wpml-translation-management/res/js,

I am 100% sure I’m making this firewall correctly having watched your tutorial video 3 times now. Last time you fixed it, I’m really not sure what I’m doing incorrectly.

[Author]

Posts