Merge pull request #55 from vizuh/agent/release-1.8.8-prep

Atroci · web-flow · commit fbfe066e5cc8 · 2026-05-28T17:29:20.000+02:00
release: v1.8.8 — security (macro reject) + consent gate fix
diff --git a/.distignore b/.distignore
@@ -44,11 +44,25 @@ RELEASING.md
 
 # Dev README variants (non-English kept out of WP.org trunk)
 README.en.md
+README.md
 README.pt-BR.md
 readme_header_update.txt
 
+# Dev assets not used in production
+assets/funnelsheet-logo.png
+
 # Internal docs
 docs/
 
 # Build tools and dev scripts
 tools/
+
+# Release artefacts (zip archives, release notes)
+dist/
+
+# GTM reference / dev files
+assets/GTM-*.json
+assets/gtm-starter-kit.json
+assets/shopify-gtm-container-templates-master/
+assets/build-starter-kit.py
+includes/admin/class-gtm-lead-magnet.php
diff --git a/assets/js/clicutcl-attribution.js b/assets/js/clicutcl-attribution.js
@@ -99,6 +99,10 @@
         let s = String(value);
         s = s.replace(/[\u0000-\u001F\u007F]/g, ' ').trim();
         if (!s) return '';
+        // Reject unsubstituted ad-platform dynamic parameter macros, e.g.
+        // Facebook {{campaign.name}}, {{adset.name}}, {{ad.name}}, etc.
+        // These appear literally in URLs when not served through the ad platform.
+        if (/^\{\{.+\}\}$/.test(s)) return '';
         if (s.length > maxLen) s = s.slice(0, maxLen);
         return s;
     }
diff --git a/changelog.txt b/changelog.txt
@@ -1,6 +1,14 @@
 Changelog
 ========
 
+= 1.8.8 =
+*   **Security: reject ad-platform macros in attribution capture** (`includes/Core/class-attribution-provider.php`, `assets/js/clicutcl-attribution.js`): Facebook (and other ad platforms') dynamic parameter macros — `{{campaign.name}}`, `{{adset.name}}`, `{{ad.name}}`, `{{placement}}`, etc. — appear literally in landing-page URLs when ads aren't actually served through the ad platform (manual preview, test traffic, misconfigured campaigns). Previously these unsubstituted placeholders flowed into the `wp_clicktrail_*` attribution tables and downstream destinations (GA4, Meta CAPI, Google Ads conversions) as if they were real campaign / adset / ad names, polluting reports. Now rejected via `^\{\{.+\}\}$` regex in both the server-side sanitize loop in `Attribution_Provider::sanitize_meta()` and the client-side `sanitizeValue()` helper. The two implementations are intentionally symmetric so both capture paths (REST batch + server-side enrichment) drop these strings.
+*   **Fix: consent gate no longer defaults to ON when Consent Mode is disabled** (`includes/Core/class-attribution-provider.php` `should_populate()`, `includes/class-clicutcl-core.php` `build_consent_bridge_config()`): Two paths previously read a `require_consent` option from `Attribution_Settings::get_all()`, defaulting to `true` when the option was unset. The legacy `require_consent` field was removed from the admin UI several releases ago, so on every site without Consent Mode + an active CMP, the implicit-true default silently blocked all attribution from being persisted. Both call sites now: (a) only consult Consent Mode when explicitly enabled, and (b) default to `false` (no gate) when Consent Mode is disabled. Sites running Consent Mode are unaffected — the consent decision still routes through `Consent_Mode_Settings::is_consent_required_for_request()`.
+*   **Housekeeping: GTM Starter Kit lead-magnet banner disabled at runtime** (`includes/class-clicutcl-core.php` `init_modules()`, `.distignore`): The GTM Starter Kit is now distributed via the marketing site rather than as an in-plugin banner. `GTM_Lead_Magnet::init()` runtime call commented out; the class file (`includes/admin/class-gtm-lead-magnet.php`), the kit JSON (`assets/gtm-starter-kit.json`), the build helper (`assets/build-starter-kit.py`), and the Shopify GTM templates dir (`assets/shopify-gtm-container-templates-master/`) added to `.distignore` so they're excluded from the WP.org SVN release. The class file stays in the repo for future re-activation.
+*   **`.distignore` cleanup**: Also added `README.md`, `dist/`, `assets/funnelsheet-logo.png`, and `assets/GTM-*.json` to the WP.org-SVN exclude list. These were leaking into prior releases without serving any user-facing purpose.
+
+Source: triage of the stashed pre-7.0 WIP — vault `01-projects/clicktrail/wip-triage-2026-05-28/triage-report.md`. The stash also carried 42 files of pure CRLF→LF re-encoding noise (no semantic intent), which is deliberately not applied. The triage agent's analysis is the authoritative record of why those files are out.
+
 = 1.8.7 =
 *   **Brazilian Portuguese (pt_BR) translations refreshed** (`languages/click-trail-handler-pt_BR.po`, `languages/click-trail-handler-pt_BR.mo`): The pt_BR `.po` file was last regenerated at v1.5.2 (POT-Creation-Date 2025-12-26) and was missing every translatable string added in the 9 subsequent releases (1.6.0 → 1.8.6). Regenerated POT from current source via `xgettext` over PHP (`clicutcl.php`, `uninstall.php`, `includes/**.php`) and JS (`assets/js/*.js`) with the standard WP translation keyword set; merged into the existing pt_BR.po preserving prior translations; filled the new untranslated entries via AI translation pass; recompiled `.mo`. Final state: 533 fully-translated strings + 81 carried-over strings flagged `fuzzy` for human review where the source msgid changed since the original translation was made.
 *   **German (de_DE) translations added** (`languages/click-trail-handler-de_DE.po`, `languages/click-trail-handler-de_DE.mo`): First locale beyond Portuguese. Generated `de_DE.po` template from the regenerated POT via `msginit --locale=de_DE`; AI-translated all 614 strings with a formal-business register (Sie-form); recompiled `.mo`. Tech terms (ClickTrail, WooCommerce, GTM, GA4, UTM, sGTM, Click IDs), printf placeholders, and HTML tags preserved verbatim.
diff --git a/clicutcl.php b/clicutcl.php
@@ -3,7 +3,7 @@
  * Plugin Name: ClickTrail – UTM, Click ID & Ad Tracking (with Consent)
  * Plugin URI:  https://github.com/vizuh/click-trail-handler
  * Description: Consent-aware marketing attribution for WordPress. Captures UTMs, click IDs, and referrers, enriches WooCommerce orders and forms, collects browser events, and supports optional server-side delivery.
- * Version:     1.8.7
+ * Version:     1.8.8
  * Author:      Vizuh
  * Author URI:  https://vizuh.com
  * License:     GPL-2.0-or-later
@@ -20,7 +20,7 @@
 }
 
 // Define Constants
-define( 'CLICUTCL_VERSION', '1.8.7' );
+define( 'CLICUTCL_VERSION', '1.8.8' );
 define( 'CLICUTCL_DIR', plugin_dir_path( __FILE__ ) );
 define( 'CLICUTCL_URL', plugin_dir_url( __FILE__ ) );
 define( 'CLICUTCL_BASENAME', plugin_basename( __FILE__ ) );
diff --git a/includes/Core/class-attribution-provider.php b/includes/Core/class-attribution-provider.php
@@ -159,8 +159,7 @@ public static function get_payload() {
 	 * @return bool
 	 */
 	public static function should_populate() {
-		$options         = Attribution_Settings::get_all();
-		$require_consent = isset( $options['require_consent'] ) ? (bool) $options['require_consent'] : true; // Default to true for safety.
+		$require_consent = false; // Default: no consent gate unless Consent Mode is explicitly enabled.
 		$cookie_name     = 'ct_consent';
 
 		if ( class_exists( 'CLICUTCL\\Modules\\Consent_Mode\\Consent_Mode_Settings' ) ) {
@@ -224,7 +223,14 @@ public static function sanitize( $data ) {
 
 			// Handle simple values only; no nested arrays expected in flattened payload.
 			if ( is_scalar( $value ) ) {
-				$sanitized[ $meta_key ] = sanitize_text_field( $value );
+				$clean = sanitize_text_field( $value );
+				// Reject unsubstituted ad-platform dynamic parameter macros, e.g.
+				// Facebook {{campaign.name}}, {{adset.name}}, {{ad.name}}, etc.
+				// These appear literally in URLs when not served through the ad platform.
+				if ( preg_match( '/^\{\{.+\}\}$/', $clean ) ) {
+					continue;
+				}
+				$sanitized[ $meta_key ] = $clean;
 			}
 		}
 
diff --git a/includes/class-clicutcl-core.php b/includes/class-clicutcl-core.php
@@ -143,10 +143,11 @@ private function define_admin_hooks() {
 			$wc_admin->init();
 		}
 
-		// GTM Starter Kit lead magnet — settings-page banner after first order tracked.
-		if ( class_exists( 'CLICUTCL\\Admin\\GTM_Lead_Magnet' ) ) {
-			\CLICUTCL\Admin\GTM_Lead_Magnet::init();
-		}
+		// GTM Starter Kit lead magnet — disabled in 1.8.8; kit offered on the website instead.
+		// Reactivate when in-plugin distribution is ready.
+		// if ( class_exists( 'CLICUTCL\\Admin\\GTM_Lead_Magnet' ) ) {
+		// 	\CLICUTCL\Admin\GTM_Lead_Magnet::init();
+		// }
 	}
 
 	/**
@@ -352,9 +353,14 @@ private function build_consent_bridge_config( array $options, bool $debug_active
 		$gcm_analytics_key    = isset( $consent_settings['gcm_analytics_key'] ) ? sanitize_key( (string) $consent_settings['gcm_analytics_key'] ) : 'analytics_storage';
 		$gcm_analytics_key    = '' !== $gcm_analytics_key ? $gcm_analytics_key : 'analytics_storage';
 		$bridge_debug         = (bool) $debug_active || ( defined( 'WP_DEBUG' ) && WP_DEBUG );
-		$require_consent      = isset( $options['require_consent'] ) ? (bool) $options['require_consent'] : true;
 		if ( $enable_consent ) {
+			// Consent Mode is active — delegate entirely to the configured mode/region logic.
 			$require_consent = $consent_settings_obj->is_consent_required_for_request();
+		} else {
+			// Consent Mode is disabled — never gate attribution on a legacy hidden setting.
+			// The legacy `require_consent` field is no longer exposed in the UI, so silently
+			// defaulting it to true would block all attribution for sites without a CMP.
+			$require_consent = false;
 		}
 
 		return array(
diff --git a/readme.txt b/readme.txt
@@ -212,6 +212,11 @@ Yes. ClickTrail can listen to its own banner, Cookiebot, OneTrust, Complianz, GT
 
 == Changelog ==
 
+= 1.8.8 =
+*   **Security**: Reject unsubstituted ad-platform dynamic-parameter macros (Facebook `{{campaign.name}}`, `{{adset.name}}`, etc.) during attribution capture. These placeholders appear literally in landing-page URLs when ads aren't served through the ad platform, and previously flowed into attribution storage and downstream destinations as if they were real campaign names. Applied to both PHP server-side sanitizer and the client-side `sanitizeValue()` helper.
+*   **Fix**: Consent gate no longer defaults to ON when Consent Mode is disabled. Two paths previously read a removed legacy `require_consent` option (default TRUE) — on any site without Consent Mode + a CMP, that implicit default silently blocked all attribution. Now the gate is only active when Consent Mode is explicitly enabled.
+*   **Housekeeping**: GTM Starter Kit lead-magnet banner disabled in-plugin; the kit is now distributed via the website. The class file stays for future re-activation; the runtime init() call is commented out and the source files added to `.distignore` so they're not bundled in the WP.org SVN release.
+
 = 1.8.7 =
 *   **Brazilian Portuguese (pt_BR) translations refreshed**: Regenerated from current source code (was last updated at v1.5.2). 533 strings translated, 81 strings carried over from the prior translation but flagged for human review where the underlying source string changed.
 *   **German (de_DE) translations added**: Full translation of all 614 strings — first locale beyond Portuguese.
