#50201 closed defect (bug) (invalid)
SSL compromised by mixed content due to outdated links in the installed code
| Reported by: | balwuw | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Themes | Keywords: | |
| Focuses: | | Cc: | |
Change History (5)
#1 (follow-up: ↓ 2), 4 years ago
- Keywords has-privacy-review needs-refresh removed
- Severity changed from critical to normal
- Version 5.4.1 deleted
#2 (in reply to: ↑ 1), 4 years ago
- Summary changed from SSL compromised by outdated links to SSL compromised by mixed content due to outdated links in the installed code
Replying to audrasjb:
> get_template_directory_uri() function handles SSL and returns https link if the website uses https.
Hi @audrasjb, thanks for looking into this.
Well, the bug is that it doesn’t. Despite siteurl and home both being https, internal images are given http URLs, making for mixed content breaking the security.
BTW I’ve come here because that is not a support question. The bug is built into new WordPress instances of the latest version. Countless pointless http URLs are found in the code, even http://wordpress.org in the Powered by: link showing up on every single page.
To fix this, we can do the following:
In wp-content/themes/catch-everest/inc/panel/theme-options.php
- 1241 http:// ➔ https://
- 1251 http:// ➔ https://
In wp-content/themes/catch-everest/header.php
- 39 http:// ➔ https://
Still the get_template_directory_uri() function remains unfixed for now.
Countless sites all over the web are broken because of that outdated code delivered when installing. IMO that is really a critical issue.
#3, 4 years ago
The get_template_directory_uri() function sometimes handles SSL, e.g. when occurring for thumb images, and sometimes it doesn’t handle SSL, e.g. when it comes to slider images. Bottom line: it doesn’t handle SSL properly.
#4, 4 years ago
- Component changed from General to Themes
- Keywords reporter-feedback removed
- Milestone Awaiting Review deleted
- Resolution set to invalid
- Status changed from new to closed
Hello @balwuw, thanks for the additional info.
Unfortunately it looks like your theme doesn't handle this properly. For support please try contacting the author of the theme or use our support forums.
Please feel free to reopen if you can reproduce the issue with all plugins disabled and a default theme activated.
#5, 4 years ago
Hi @ocean90, thank you for getting it to the point.
While ready to try out one of the installed default themes, thankfully Catch Everest offered a new version, that removes the sample images for an easy fix of the problem in generating the image URLs, upgrades the theme credit to an https link, and drops the “Powered by:” credit.
Adding an image—actually a backup of the Mount Everest—doesn’t break the page, as the image gets a properly generated https URL.
Hi @balwuw and welcome to WordPress Trac, thanks for opening a ticket.
However, I'm not sure I understand what the exact issue is here.
get_template_directory_uri() function handles SSL and returns https link if the website uses https.
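
Added example (not part of the ticket, the theme, or WordPress core): a Python check that separates the two kinds of http:// reference discussed in this thread, namely subresources an https page loads over http (mixed content, such as the slider images) and ordinary http anchor links (such as the "Powered by" credit), which are navigation and not mixed content. The page URL, the `example.test` domain, the `demo` theme name and the sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs the browser fetches while rendering the page.
# srcset and CSS url() references are not covered by this check.
SUBRESOURCES = {("img", "src"), ("script", "src"), ("iframe", "src"),
                ("audio", "src"), ("video", "src"), ("source", "src"),
                ("link", "href")}
FETCHED_RELS = {"stylesheet", "icon", "preload"}  # <link> rels that load a file


class MixedContentFinder(HTMLParser):
    """Sorts http:// references found on an https:// page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.mixed = []        # insecure subresource loads (mixed content)
        self.plain_links = []  # <a href="http://..."> navigation links

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        rel = set((attrs.get("rel") or "").lower().split())
        for name in ("src", "href"):
            if not attrs.get(name):
                continue
            # Resolve relative and protocol-relative URLs against the page.
            url = urljoin(self.page_url, attrs[name].strip())
            if urlsplit(url).scheme != "http":
                continue
            if tag == "a":
                self.plain_links.append(url)
            elif (tag, name) in SUBRESOURCES and (tag != "link" or rel & FETCHED_RELS):
                self.mixed.append((tag, url))


def audit(page_url, html):
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.mixed, finder.plain_links


# Constructed sample of rendered theme output.
SAMPLE = """<html><head>
<link rel="stylesheet" href="https://example.test/wp-content/themes/demo/style.css">
</head><body>
<img src="https://example.test/wp-content/uploads/thumb.jpg">
<img src="http://example.test/wp-content/themes/demo/images/slider1.jpg">
<img src="//example.test/wp-content/uploads/logo.png">
<a href="http://wordpress.org">Powered by: WordPress</a>
</body></html>"""
```

Running `audit("https://example.test/", SAMPLE)` reports only the slider image as mixed content; the credit link is listed separately because following it does not load anything into the secure page.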