strangerstudios / pmpro-strong-passwords Goto Github PK

You have already checked the password strength on password field, then you just have to check the match/mismatch on password2, not re-calculating the progress bar. It doesn't make any sense and it's confusing.

For those on older versions of PHP, this ZIP should work for you while we patch the plugin.

pmpro-strong-passwords.zip

Developers:

The issue is the library dropped PHP < 7.3 support in this release: https://github.com/bjeavons/zxcvbn-php/releases/tag/1.0.0

The latest is: https://github.com/bjeavons/zxcvbn-php/releases/tag/1.1.0

If the PHP version is older than 7.2 the password strength check is done with the function pmpro_strong_password_custom_checker

When the password does not meet the required length during a check using this function an error is logged:
PHP Notice: Undefined variable: password_min_length in /path/wp-content/plugins/pmpro-strong-passwords/pmpro-strong-passwords.php on line 143

We should use the variable $minimum_password_length as the parameter for the localized test string from here:

There may be other strings shown to users, but there are a couple in here:
https://github.com/strangerstudios/pmpro-strong-passwords/blob/4c683441d04fe52f7690a916fcbbde630a0c842b/vendor/bjeavons/zxcvbn-php/src/Feedback.php

If the WP site running this add on is not in English, these words will show up untranslated.

Wrapping these strings in __()/etc for WP could work, but then it would be hard to update this library without having to redo that work. (That might be worth it. I don't know how often this library is updated.)

Another option would be to update the plugin to get the responses from the library and then compare them and swap them with localized versions. This way, translations would still work if the library was updated... unless new strings were introduced somehow. Then we'd have to update our code to handle them.

So it would be like:

$suggestions = $password_strength['feedback']['suggestions']; foreach( $suggestions as $key => $text ) { if( $text === 'Add another word or two. Uncommon words are better.' ) { $suggestions[$key] = __( 'Add another word or two. Uncommon words are better.', 'pmpro-strong-passwords' ); } }

Here is where the message is set: https://github.com/strangerstudios/pmpro-strong-passwords/blob/dev/pmpro-strong-passwords.php#L112

There is a filter there already (pmprosp_minimum_password_score_message). But it would be good to not require custom code for these translations.

When a password tooltip contains a double quotation mark (") the JavaScript rendered tooltip breaks from the point where the double quotation is encountered.

To Recreate

1. Install & activate PMPro Require Strong Passwords Add On.
2. Navigate to the front-end PMPro checkout page and hover the mouse pointer over the ? after the Password field label.

A temporary workaround is to filter the password hint:

function my_pmprosp_password_hint( $password_hint ) {
	if ( function_exists( 'pmpro_strong_password_check' ) ) {
		$password_hint = str_replace( '"', '', $password_hint ); // remove double quote that causes issues with javascript tooltip.
	}
	return $password_hint;
}
add_filter( 'password_hint', 'my_pmprosp_password_hint' );

Found on a client site:

wp.passwordStrength.userInputBlacklist() is deprecated since version 5.5.0! Use wp.passwordStrength.userInputDisallowedList() instead. Please consider writing more inclusive code.

Logging this now and will add environment details when I have them ready.

The minimum required characters for a strong password is set at 8 characters. It could be beneficial to consider adding a filter allowing to set a custom required password length.

As a workaround, this is currently possible replacing the existing filter here:

Because match is a reserved word in PHP 8, the bjeavons/zxcvbn-php library used by this plugin throws syntax errors due to its Match class.

Example of the kind of errors from the site PHP error_log:

PHP Parse error:  syntax error, unexpected token "match", expecting variable in /home/SITE_ROOT/public_html/wp-content/plugins/pmpro-strong-passwords/vendor/bjeavons/zxcvbn-php/src/Matcher.php on line 92

Release 1.2.0 fixes this incompatibility, while still being compatible with the same minimum PHP version as this plugin (7.2).

and this is a huge drawback. People get tried of trying or adding new characters at the end. It keeps asking for a special character though it is already added. Strangely, in several attempts it says medium for a 9 letter password and when you add one more it goes back to weak and no matter how many characters you add it stays there.

Improve password strength requirements to match WordPress default password strength validator.

I may do a PR kind of soon.

The error is the following:

`PHP Parse error:  syntax error, unexpected 'const' (T_CONST), expecting variable (T_VARIABLE) in wp-content/plugins/pmpro-strong-passwords/vendor/bjeavons/zxcvbn-php/src/Matcher.php on line 10

My server config:
Linux Debian
PHP 7.0
MySQL 5.5.62

Once the pmpro-strong-passwords extension is deactivated, the error is gone and the sign up process completes smoothly.

We should allow developer's to filter the length of required password, some site owners may want passwords with a length of 9 characters for example.

Code Ref: https://github.com/strangerstudios/pmpro-strong-passwords/blob/dev/pmpro-strong-passwords.php#L141

The password strength note below the password field(s) are changeable through the language files (*.mo, *.po) but not using a gettext filter to change the string.

Currently removing the existing filter and replacing it with a custom filter can be used as a workaround.

function switch_my_pmpro_password_notice() {
	if ( has_filter( 'pmpro_checkout_after_password', 'pmprosp_pmpro_checkout_after_password' ) ) {
		remove_filter( 'pmpro_checkout_after_password', 'pmprosp_pmpro_checkout_after_password', 1 );
		add_filter( 'pmpro_checkout_after_password', 'my_pmprosp_pmpro_checkout_after_password', 1 );
	}
}
function my_pmprosp_pmpro_checkout_after_password() {
	?>
	<div id="pmprosp-container"></div>
	<?php
	echo '<small id="pmprosp-password-notice">Custom note goes here</small>';
}

PMPro strong passwords add on disables the Submit button if the password entered was less than “Strong”.
There should be a notification letting the user know the reason the Submit button is disabled is because of the weak password

When using pmpro-addname-to-checkout, the name fields are displayed before the password strength message and as such the password strength message is wrongly displayed after the name fields instead of after password fields.

A workaround would be to add a priority here

add_filter( "pmpro_checkout_after_password", "pmprosp_pmpro_checkout_after_password", 1 );

Describe the bug
When hovering over the ? to display the password hint tooltip, the tooltip text string in the data-tooltip attribute ends with the first occurrence of a double quote and the remaining characters thereafter are rendered as attributes, e.g. symbols like ! " ?="" $="" %="" ^="" &="" )."="">?</span>

Original string:

Hint: The password should be at least twelve characters long. To make it stronger, use upper and lower case letters, numbers, and symbols like ! " ? $ % ^ & ).

Rendered HTML:

<span class="pmprosp-tooltip__password" data-tooltip-location="right" data-tooltip="Hint: The password should be at least twelve characters long. To make it stronger, use upper and lower case letters, numbers, and symbols like ! " ?="" $="" %="" ^="" &="" )."="">?</span>

Displayed string:

Hint: The password should be at least twelve characters long. To make it stronger, use upper and lower case letters, numbers, and symbols like !

Additional Notes

The password hint is obtained using the wp_get_password_hint() and passed to the JavaScript using the wp_localize_script here:

Using the password_hint filter available for the wp_get_password_hint() function to replace a double quote " with either the equivalent name or hex HTML entity does not resolve this while replacing any variant of the double quote with two single quotes does.

For example:

function password_hint_replace_double_quotes( $password_hint ) {
	return str_replace( array( '"', '"', '"' ), "''", $password_hint );
}
add_filter( 'password_hint', 'password_hint_replace_double_quotes' );

As an alternative method, one can look at correcting this in the javascript file by adding a replace(/"/g, '"') call to pwsL10n.password_tooltip.

jQuery('.pmpro_checkout-field-password label').append('<span class="pmprosp-tooltip__password" data-tooltip-location="right" data-tooltip="' + pwsL10n.password_tooltip.replace(/"/g, '&quot;') + '">?</span>');

To Reproduce
Steps to reproduce the behavior:

1. Go to checkout page and hover mouse pointer over the ? next to password label.
2. View incomplete text string.
3. View page source and locate span element with class pmprosp-tooltip__password.
4. See error

Screenshots

Expected behavior
The tooltip HTML is rendered correctly and the text string is displayed in full.

Isolating the problem (mark completed items with an [x]):

• I have deactivated other plugins and confirmed this bug occurs when only Paid Memberships Pro plugin is active.
• This bug happens with a default WordPress theme active, or Memberlite.
• I can reproduce this bug consistently using the steps above.

I am trying to translate the sequential messages: <div id="pmpro_message" class="pmpro_message pmpro_error">Password Error: Add another word or two. Uncommon words are better. Avoid sequences</div>

Using the Loco Translate plugin, I have already translated all the terms but this message simply does not exist for translation and I could not even launch a script then to force translation by means of the .pmpro_message .pmpro_error classes because they are used for other feedbacks. How can I solve this?

Overall this plugin works great! I have ran into one issue though since deploying it: Users who try to register are not sure what "special characters" are when creating their passwords. A lot of my users have been trying to use underscores as that 1 required special character, but this plugin and WordPress do not consider that to be "special" enough.

According to WP, the actual special characters that it requires are as follows: !@#$%^&*()

source: http://codex.wordpress.org/Function_Reference/wp_generate_password

My request is to include the list of special characters in the "A strong password requires..." text that gets added to the sign-up forms. This way people who are signing-up don't have to guess multiple times until they hit the right special character.

I know how to custom code this in myself since I'm a programmer, but have this pre-built into the code will definitely help a lot of non-programmers in the future!

Thanks,

• C.