release: v1.8.8 — security (macro reject) + consent gate fix #55
Two real fixes pulled from the long-stashed pre-7.0 WIP (most of which
was CRLF/LF re-encoding noise — see triage report at
vault/Hugo OS/01-projects/clicktrail/wip-triage-2026-05-28/).
SECURITY: reject unsubstituted ad-platform dynamic parameter macros.
Facebook {{campaign.name}}, {{adset.name}}, {{ad.name}}, etc. appear
literally in landing-page URLs when ads aren't served through the ad
platform (manual preview, test traffic, mis-configured campaigns).
Without filtering, these placeholders flow into attribution storage
and downstream destinations as if they were real campaign names.
- includes/Core/class-attribution-provider.php — regex reject in the
server-side sanitize loop.
- assets/js/clicutcl-attribution.js — mirror the regex in
sanitizeValue() so the client-side capture also drops macros.
FIX: consent gate no longer defaults to ON when Consent Mode is disabled.
Two paths previously read a legacy `require_consent` option from
Attribution_Settings, defaulting to TRUE when unset. The setting was
removed from the admin UI several releases ago, so on any site without
Consent Mode + a CMP, the implicit-true default silently blocked all
attribution from being persisted.
- includes/Core/class-attribution-provider.php :: should_populate() —
drop the option read; the only path that requires consent now is
when Consent Mode is explicitly enabled.
- includes/class-clicutcl-core.php :: build_consent_bridge_config —
same change in the bridge config builder; explicit else-branch
documents why the default flips to false here.
HOUSEKEEPING: GTM Starter Kit lead magnet runtime path commented out.
The kit is being distributed via the website rather than the in-plugin
banner. Class file kept in includes/admin/ for re-activation later;
init() call disabled in includes/class-clicutcl-core.php and the
source files added to .distignore so they're not bundled in release
zips.
OTHER: .distignore expanded to drop README.md, dist/, dev logos, GTM
reference files (shopify-gtm-container-templates-master, gtm-starter-kit.json,
build-starter-kit.py) from WP.org SVN trunk.
Co-Authored-By: claude-flow <ruv@ruv.net>
Same {{...}} regex rejection as f838a35 but on the client-side capture
path. Drops unsubstituted ad-platform macros before they're written to
localStorage or sent to the REST batch endpoint.
Co-Authored-By: claude-flow <ruv@ruv.net>
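The client-side macro rejection described in the two commit messages above, as an added example that is not the plugin's own code: a `sanitizeValue()`-style step that drops any captured parameter still carrying an unsubstituted `{{...}}` ad-platform macro, applied over an allow-list of query keys. The regex, the `TRACKED_PARAMS` list and the sample query string are assumptions for illustration. It goes slightly beyond the commit text by also checking a percent-decoded copy of the value, so a macro that arrives encoded once more (`%7B%7B...%7D%7D` after URLSearchParams has already decoded it) is caught too.

```javascript
// Added example (not the plugin's own code): drop ad-platform dynamic
// parameter macros that were never substituted, e.g. Facebook's
// {{campaign.name}}, before a captured click parameter reaches storage.
// The regex and the parameter names below are assumptions for illustration.

const MACRO_RE = /\{\{\s*[\w.-]+\s*\}\}/;

// True when a value still carries an unsubstituted macro. Checks the raw
// value first, then a percent-decoded copy: URLSearchParams already decodes
// one layer, so a double-encoded "%257B%257B..." lands here as "%7B%7B...".
function containsMacro(value) {
  if (typeof value !== 'string') return false;
  if (MACRO_RE.test(value)) return true;
  try {
    return MACRO_RE.test(decodeURIComponent(value));
  } catch (e) {
    return false; // malformed escape sequence (e.g. "100%"): not a macro
  }
}

// sanitizeValue()-style step: trim, length-cap, and return null for
// anything that should be dropped rather than persisted.
function sanitizeValue(value, maxLen = 200) {
  if (typeof value !== 'string') return null;
  const trimmed = value.trim();
  if (trimmed === '' || containsMacro(trimmed)) return null;
  return trimmed.slice(0, maxLen);
}

// Assumed allow-list of attribution keys captured from the landing URL.
const TRACKED_PARAMS = ['utm_source', 'utm_medium', 'utm_campaign', 'utm_content', 'fbclid'];

// Capture attribution parameters from a query string, keeping only
// allow-listed keys whose values survive sanitizeValue().
function captureAttribution(search) {
  const params = new URLSearchParams(search);
  const out = {};
  for (const key of TRACKED_PARAMS) {
    const clean = sanitizeValue(params.get(key));
    if (clean !== null) out[key] = clean;
  }
  return out;
}

// Constructed sample: a landing URL hit outside the ad platform (manual
// preview / test traffic), so utm_campaign and utm_content still hold the
// literal macros, one of them percent-encoded.
const SAMPLE_SEARCH =
  '?utm_source=facebook&utm_medium=paid' +
  '&utm_campaign=%7B%7Bcampaign.name%7D%7D' +
  '&utm_content={{ad.name}}&fbclid=abc123';

console.log(captureAttribution(SAMPLE_SEARCH));
```

Whatever survives `captureAttribution()` is what would be written to localStorage or batched to the REST endpoint; the macro-bearing keys are simply absent rather than stored as empty strings, so downstream destinations never see a placeholder posing as a campaign name.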
- clicutcl.php Version + CLICUTCL_VERSION: 1.8.7 → 1.8.8
- readme.txt == Changelog ==: new `= 1.8.8 =` block (security + fix + housekeeping)
- changelog.txt: prepend full 1.8.8 entry with file refs and rationale
Stable tag stays at 1.8.2 per RELEASING.md (bumped at SVN push time).
Co-Authored-By: claude-flow <ruv@ruv.net>
Problem
Two real unshipped fixes were buried in the long-stashed pre-7.0 WIP (the rest of the stash was 42 files of CRLF/LF re-encoding noise — see triage report at `vault/Hugo OS/01-projects/clicktrail/wip-triage-2026-05-28/triage-report.md`):
Plus housekeeping: GTM Starter Kit lead-magnet banner is now distributed via the marketing site, so the in-plugin banner is disabled.
Approach
Cherry-picked the four real SHIP-bucket files from the triage. Did not replay the stash — the CRLF re-encoding would have trashed the worktree.
Affected Surfaces
Compatibility / Migration Notes
Behavior change: sites currently relying on the legacy `require_consent` option to block attribution will now allow attribution by default unless Consent Mode is explicitly enabled. The legacy field has been hidden from the admin UI since 1.6.x, so this aligns runtime behavior with the documented UX.
Sites running Consent Mode are unaffected — the consent decision still routes through `Consent_Mode_Settings::is_consent_required_for_request()`.
Tests / Checks Run
Docs Updated
`readme.txt` + `changelog.txt` only.
Changelog / Readme Impact
This IS the changelog impact PR. Stable tag stays at 1.8.2 until WP.org SVN push.
Source
Stashed WIP (pre-7.0-audit) — preserved as `stash@{0}`. Drop after merge.