Projects in Collections (and Collections in Collections!)


For a long time on CodePen, Collections essentially meant “A Collection of Pens”, even though there is more on CodePen than just Pens. There are Projects too, which we’ve given a good amount of love to recently. Now you can add Projects to Collections just as naturally as you can a Pen.

Notice there is a Collection in that Collection too. 🤯. Hey why not right? It’s kind of like nested folders and might unlock some organizational possibilities for you.

Note that privacy works the same way across the board. If you put a private thing in a public Collection, only you will see the private stuff (you’ll see a message about it). If the Collection is private, it reveals the private things inside of it to whoever can see the private Collection.

This has been a satisfying thing to roll out and watch because we’ve seen y’all just using it naturally with no prompting (or confusion, or bugs, as best we can tell!).

The post Projects in Collections (and Collections in Collections!) appeared first on CodePen Blog.

Easy WP SMTP 1.4.3 Patches Sensitive Data Disclosure Vulnerability


Easy WP SMTP has patched a vulnerability that allows attackers to capture the password reset link from the plugin’s debug log file and gain unauthorized access to the site. The plugin is used by more than 500,000 WordPress sites to configure and send all outgoing emails via an SMTP server so they are less likely to end up in recipients’ junk/spam folders.

WPScan categorized the vulnerability as a “sensitive data disclosure:”

The plugin has an optional debug log file generated with a random name, located in the plugin folder and which contains all email messages sent. However, this folder does not have any index page, allowing access to the log file on servers with the directory listing enabled or misconfigured. This could allow attackers to gain unauthorised access to the blog by resetting the admin password by getting the reset link from the log.

Easy WP SMTP version 1.4.3 contains the fix, adding an empty “index.html” file to the plugin’s folder to prevent anyone from browsing the files (even if the Apache `Options -Indexes` directive is missing on that server). Users are advised to update immediately, as the vulnerability has already been exploited in the wild. Several users took to the plugin’s support forums to report attempts on their sites.

Jerome Bruandet, a security researcher from NinTechNet, reported the vulnerability and published a post explaining how an attacker might access the debug log where the plugin writes all the email messages sent by the site. Using author archive scans, the hacker can find a username and then send a password reset email that gets intercepted via the Easy WP SMTP debug log file:

Easy WP SMTP log file – source: NinTechNet
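The two conditions the advisory describes (a plugin folder with no index file, and a log file written inside the web root) are easy to audit for across a whole plugins directory. The script below is an added example written for this post, not code from the plugin or from NinTechNet; it assumes a POSIX sh with find(1), that the caller passes the path of the wp-content/plugins directory, and uses a loose name match (any file containing "log") because the advisory says the real log name is randomized.

```shell
#!/bin/sh
# Added example (not from the article or the plugin): audit a WordPress
# plugins directory for folders that could be listed by the web server
# and for log-like files that would be exposed by such a listing.

# Print "NOINDEX <dir>" for every top-level plugin folder lacking
# index.php or index.html, and "LOGFILE <path>" for every regular file
# under it whose name contains "log" (loose heuristic, tune per plugin).
audit_plugin_dirs() {
    plugins_dir="$1"
    for dir in "$plugins_dir"/*/; do
        [ -d "$dir" ] || continue
        dir="${dir%/}"
        if [ ! -e "$dir/index.php" ] && [ ! -e "$dir/index.html" ]; then
            printf 'NOINDEX %s\n' "$dir"
        fi
        find "$dir" -type f -iname '*log*' | while IFS= read -r f; do
            printf 'LOGFILE %s\n' "$f"
        done
    done
}

# Mitigation mirroring the 1.4.3 fix: drop an empty index.html into a
# folder that has no index file so a directory listing cannot be served.
# Returns 0 if a stub was created, 1 if the folder already had an index.
add_index_stub() {
    dir="$1"
    if [ -e "$dir/index.php" ] || [ -e "$dir/index.html" ]; then
        return 1
    fi
    : > "$dir/index.html"
}
```

The index stub only defeats directory listing; a log file that is already known by name stays readable, so disabling listing server-wide (`Options -Indexes` in Apache) and keeping logs out of the web root are the stronger controls.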

At the time of publishing, approximately 51.8% of users are on 1.4.x versions of the plugin. Without a more specific breakdown, it’s not clear how many users have updated to the patched 1.4.3 version. Approximately 59,000 sites have downloaded the plugin today, leaving many installations still vulnerable.

This is another case where automatic background updates on plugins can quietly save the day. Users who have auto-updates enabled for plugins have already received the fix. Administrators for older installations of WordPress or sites where auto-updates have been disabled will need to update manually as soon as possible.

Web Performance Calendar


The Web Performance Calendar just started up again this year. The first two posts so far are about, well, performance! First up, Rick Viscomi writes about the mythical “fast” web page:

How you approach measuring a web page’s performance can tell you whether it’s built for speed or whether it feels fast. We call them lab and field tools. Lab tools are the microscopes that inspect a page for all possible points of friction. Field tools are the binoculars that give you an overview of how users are experiencing the page.

This to me suggests that field tools are the future of performance monitoring. But Rick’s post goes into a lot more depth beyond that.

Secondly, Matt Hobbs wrote about the font-display CSS property and how it affects the performance of our sites:

If you’re purely talking about perceived performance and connection speed isn’t an issue then I’d say font-display: swap is best. When used, this setting renders the fallback font almost instantly, allowing a user to start reading page content while the webfont continues to load in the background. Once loaded, the font is swapped in accordingly. On a fast, stable connection this usually happens very quickly.

My recommendation here would be to care deeply about the layout shift if you use this property. Once the webfont loads and is swapped in, you could create a big shift, with text moving all over the place. I once shipped a change to a site with this property without minding the layout shift and users complained a lot.

It was a good lesson learned: folks sure care about performance even if they don’t say that out loud. They care deeply about “cumulative layout shift” too.

The post Web Performance Calendar appeared first on CSS-Tricks.


IF ELSE STATEMENT INSIDE SWITCH CASE


Hi everyone, I just want to ask how I am able to make an if-else statement inside a switch case. I want to execute something where the user may be able to choose again if he/she would like to do another transaction. For example, if the user chooses Yes, the program will automatically display the main menu option, and if the user doesn't want another, the program will automatically print "Thank you for using the program".