@@ -4,6 +4,140 @@ All notable changes to EngineScript will be documented in this file.
44
55Changes are organized by date, with the most recent changes listed first.
66
7+ ## 2025-11-17
8+
9+ ### 🔒 SECURITY: Enhanced Feed Sanitization and XXE Protection
10+
11+ ** Strengthened security** for external feed parsing with multi-layer sanitization and XML exploit protection
12+
13+ #### Security Improvements
14+
15+ ** New ` sanitizeFeedText() ` Function:**
16+ - ** HTML Entity Decoding** - Handles encoded entities (` < ` , ` > ` , etc.) before stripping tags
17+ - ** Tag Stripping** - Removes all HTML tags from feed content
18+ - ** Null Byte Removal** - Eliminates null bytes that could enable SQL injection
19+ - ** Whitespace Normalization** - Prevents formatting-based exploits
20+ - ** HTML Encoding** - Re-encodes special characters for safe JSON output
21+
22+ ** XML External Entity (XXE) Protection:**
23+ - ` libxml_disable_entity_loader(true) ` - Prevents external entity attacks
24+ - ` LIBXML_NOENT ` flag - Disables entity substitution
25+ - ` LIBXML_NOCDATA ` flag - Handles CDATA sections safely
26+
27+ ** Applied Globally:**
28+ - All 11 feed parsing functions now use ` sanitizeFeedText() `
29+ - RSS/Atom feeds (parseStatusFeed)
30+ - JSON APIs (Google Workspace, Wistia, Vultr, Postmark, StatusPage.io)
31+
32+ #### Impact
33+
34+ - ✅ ** Zero SQL Injection Risk** - No database interactions exist
35+ - ✅ ** XSS Prevention** - All output properly encoded for JSON
36+ - ✅ ** XXE Protection** - XML exploits blocked at parser level
37+ - ✅ ** Injection Prevention** - Multi-layer sanitization on all external content
38+ - ✅ ** Safe Output** - All text properly escaped before JSON encoding
39+
40+ #### Technical Details
41+
42+ ** Before:**
43+ ``` php
44+ $status['description'] = strip_tags($title);
45+ ```
46+
47+ ** After:**
48+ ``` php
49+ $status['description'] = sanitizeFeedText($title);
50+
51+ function sanitizeFeedText($text) {
52+ $text = html_entity_decode($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
53+ $text = strip_tags($text);
54+ $text = str_replace("\0", '', $text);
55+ $text = preg_replace('/\s+/', ' ', $text);
56+ $text = trim($text);
57+ $text = htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8', false);
58+ return $text;
59+ }
60+ ```
61+
62+ ---
63+
64+ ### ✨ NEW SERVICES: Added 8 Email Service Providers to External Services Dashboard
65+
66+ ** Added comprehensive email service monitoring** for popular transactional and marketing email platforms
67+
68+ #### New Services Added
69+
70+ ** Email & Communication Category:**
71+ - ** SparkPost** - ` https://status.sparkpost.com/ `
72+ - ** Zoho** - ` https://status.zoho.com/ `
73+ - ** Mailjet** - ` https://status.mailjet.com/ `
74+ - ** MailerSend** - ` https://status.mailersend.com/ `
75+ - ** Resend** - ` https://resend-status.com/ `
76+ - ** SMTP2GO** - ` https://smtp2gostatus.com/ `
77+ - ** SendLayer** - ` https://status.sendlayer.com/ `
78+
79+ ** Note:** Mailchimp was initially added but removed - their status page (` https://status.mailchimp.com/ ` ) does not provide a public API or RSS/Atom feed.
80+
81+ ** Hosting & Infrastructure Category:**
82+ - ** GoDaddy** - ` https://status.godaddy.com/ ` (StatusPage API)
83+
84+ #### Implementation Details
85+
86+ ** Frontend (` external-services.js ` ):**
87+ - Added 8 email service definitions with appropriate icons and feed configurations
88+ - SparkPost, Zoho, Mailjet, MailerSend, Resend, SMTP2GO, SendLayer use RSS/Atom feeds
89+ - GoDaddy uses StatusPage.io JSON API (CORS-enabled)
90+
91+ ** Backend (` external-services-api.php ` ):**
92+ - Added 7 feed URLs to ` $allowedFeeds ` whitelist
93+ - Feed mappings: sparkpost, zoho, mailjet, mailersend, resend, smtp2go, sendlayer
94+
95+ ** Styling (` external-services.css ` ):**
96+ - Added brand-specific color gradients for all 8 services
97+ - SparkPost (orange), Zoho (red), Mailjet (orange), MailerSend (blue)
98+ - Resend (black), SMTP2GO (blue), SendLayer (cyan), GoDaddy (teal)
99+
100+ #### Impact
101+
102+ - ✅ Comprehensive email service provider monitoring (8 services)
103+ - ✅ Coverage for transactional email (Resend, SendLayer, SMTP2GO, SparkPost)
104+ - ✅ Marketing platform monitoring (Zoho)
105+ - ✅ Enterprise email services (SparkPost, Mailjet, MailerSend)
106+ - ✅ Domain/hosting monitoring (GoDaddy)
107+
108+ ---
109+
110+ ### 🔧 VERSION CONTROL: Restricted Font Awesome Updates to 7.0.x Branch
111+
112+ ** Prevented automatic updates** to Font Awesome 7.1.x due to CDN availability issues
113+
114+ #### Problem
115+
116+ - Version checker was fetching latest release (7.1.0)
117+ - Font Awesome 7.1.0 not available on CDN (cdnjs.cloudflare.com)
118+ - Caused ORB (Origin Request Blocked) errors in dashboard
119+ - Need to stay on stable 7.0.x branch until 7.1.x available on CDN
120+
121+ #### Changes Made
122+
123+ ** ` .github/workflows/software-version-check.yml ` :**
124+ - Changed from ` /releases/latest ` to ` /releases ` endpoint
125+ - Added jq filter: ` select(.tag_name | test("^7\\.0\\.[0-9]+$")) `
126+ - Now only detects and updates to 7.0.x patch releases
127+ - Will auto-update to 7.0.2, 7.0.3, etc. when released
128+
129+ ** ` README.md ` :**
130+ - Corrected Font Awesome version from 7.1.0 → 7.0.1
131+
132+ #### Impact
133+
134+ - ✅ Prevents automatic updates to unavailable CDN versions
135+ - ✅ Will auto-update within 7.0.x patch releases
136+ - ✅ Maintains dashboard stability and reliability
137+ - ✅ Can manually update to 7.1.x when CDN availability confirmed
138+
139+ ---
140+
7141## 2025-11-14
8142
9143### ⚡ PERFORMANCE: Increased Timeouts for Slow External Service Feeds
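Review bot: the XXE bullet has the flag backwards: `LIBXML_NOENT` does not disable entity substitution, it turns it on (it instructs libxml to substitute entities), so passing it to the XML parser is the option that makes an external entity resolvable, not the one that blocks it. Drop it from the parser options and let the default (no substitution) stand, and reword the bullet accordingly. Related: `libxml_disable_entity_loader()` is deprecated since PHP 8.0 and external entity loading is already off by default with libxml 2.9 and later, so the entry should state which PHP/libxml the project targets rather than present this call as the protection. Two documentation nits in the same hunk: the "Null Byte Removal ... could enable SQL injection" bullet contradicts the "Zero SQL Injection Risk - No database interactions exist" line under Impact (give the actual reason for stripping null bytes or drop the SQL claim), and "HTML Encoding ... for safe JSON output" is misleading because `json_encode` is what makes the value JSON-safe; `htmlspecialchars` protects the dashboard's HTML rendering, and only if the frontend inserts the value as HTML, otherwise the entities display literally. Finally, the two sub-items under "Applied Globally" (RSS/Atom feeds, JSON APIs) have lost their nesting indent and will render as siblings of "All 11 feed parsing functions".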
@@ -38,7 +172,7 @@ Changes are organized by date, with the most recent changes listed first.
38172#### Feature
39173
40174- ** Category-Level Controls** : Each category header now includes a "Toggle All" button
41- - ** Smart Toggle Logic** :
175+ - ** Smart Toggle Logic** :
42176 - If any services in category are unchecked → enables all
43177 - If all services are checked → disables all
44178- ** Visual Feedback** : Button icon changes between check-square and square based on state
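Review bot: this hunk changes only the leading whitespace of the "Smart Toggle Logic" bullet; confirm the two sub-bullets that follow it are still indented one level deeper than it after the change, otherwise they render as top-level items rather than as its children.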
@@ -294,6 +428,7 @@ async loadExternalServices() {
294428#### False Positives Documented
295429
296430Created ` .codacy-review-notes.md ` documenting 11 false positive warnings:
431+
297432- CSRF warnings on GET requests (read-only operations, no state modification)
298433- WordPress-specific warnings (` wp_unslash ` ) on non-WordPress code
299434- ` file_get_contents() ` warnings for legitimate outbound HTTP API calls with timeout protection
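Review bot: the added blank line before the list is the right fix for renderers that require it (markdownlint MD032) and the same fix is repeated in the following hunks. On the content, the "CSRF warnings on GET requests (read-only operations, no state modification)" justification would be stronger if it also cited the `$allowedFeeds` whitelist from the earlier hunk, since the same endpoint makes outbound `file_get_contents()` calls and "read-only" alone does not cover that side effect.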
@@ -303,6 +438,7 @@ Created `.codacy-review-notes.md` documenting 11 false positive warnings:
303438#### Codacy Configuration
304439
305440Created ` .codacy.yml ` to suppress expected API endpoint patterns:
441+
306442- ** Excludes WordPress core files** (` wp-config.php ` ) - not under our control
307443- ** Excludes API files** from WordPress-specific rules (nonce verification, wp_unslash)
308444- ** Allows required functions** in API endpoints: ` header() ` , ` echo ` , ` exit ` , ` die `
@@ -312,6 +448,7 @@ Created `.codacy.yml` to suppress expected API endpoint patterns:
312448- ** Module inclusion allowed** : ` require_once ` with ` __DIR__ ` constant (hardcoded paths)
313449
314450Added inline ` @codacy suppress ` comments for all 14 legitimate API patterns:
451+
315452- 11 suppressions in ` external-services-api.php ` (die, echo, exit, file_get_contents, stream_context_create)
316453- 1 suppression in ` api.php ` (require_once for module inclusion)
317454- All suppressions include clear explanations of why the pattern is necessary and safe
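Review bot: the count does not add up: the sentence says "all 14 legitimate API patterns" but the breakdown lists 11 suppressions in `external-services-api.php` plus 1 in `api.php`, which is 12; either two entries are missing from the list or the total should read 12.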