Sur d’autres sites (10766)

• Evolution #3926 : Remplacement de safehtml par le plug htmlpurifier ou autre

  14 janvier 2019, par Guillaume Fahrner

  Sorry je n’avais pas vu ce message :

  cedric - a écrit :

  Depuis https://core.spip.net/projects/spip/repository/revisions/24131 le plugin HTMLPurifier est fonctionel sans nécessiter de patch dans le core ?

  Malheureusement si : il reste une surcharge de la fonction propre() via inc/texte.php. Elle est utilisée pour réaliser la protection HTML via echappe_html() AVANT le 1er filtrage de sécurité via echapper_html_suspect(). Un deuxième est réalisé via echappe_retour_modeles($t, $interdire_script) ou $interdire_script est vrai en espacé privé ou si le mode parano actif et faux sinon. (Je n’ai pas su faire autrement, mais il y a peut être une astuce a trouver.)

  Je ne sais pas si tu considères que c’est le core mais une surchage des règles YAML de textwheel est également réalisé afin que l’on envoi bien tout qui doit l’être dans les filtres de sécurité.

  Donc non pas de modification du core nécessaire pour que le plugin fonctionne. A voir si ces surcharges mériterais une "intégration directe" future.

  on est bon et on peut release tel quel en indiquant que le plugin htmlpurifier est disponible pour tests et se laisser le temps ?

  A mon avis oui. Pour rappel : le mode parano est actuellement inutilisable avec l’actuel safehtml(). Du coup ça peut être une approche pour l’intégrer/le tester au fil de l’eau : commencé par les gens qui utilisent le mode parano en leur recommandant chaudement/forcant ce plugin.

  Ci dessous la liste des plugins que j’utilise sans problème hors textwheel/todo (cf https://core.spip.net/issues/4254) avec htmlPurifier :

  Abonnements 3.3.6 - stable
  Agenda 3.26.0 - stable
  API de vérification 1.8.1 - stable
  API Prix 0.1.16 - dev
  Article PDF 1.0.10 - stable
  Autorité 0.10.20 - stable
  Banque&paiement 3.6.7 - stable
  Cache Cool 0.5.4 - stable
  Challenge Hacking 1.0.0 - stable
  Champs Extras 3.11.7 - stable
  Chatbox 1.0.5 - stable
  Coloration Code 99 - stable
  Commandes 1.15.5 - stable
  Compositions 3.7.3 - stable
  Crayons 1.26.18 - stable
  CTF all the day 1.0.0 - stable
  Facteur 3.6.2 - stable
  Formulaire de contact avancé 0.16.5 - stable
  Frimousses 1.5.1 - stable
  GIS 4.44.24 - stable
  HTML Purifier 5.0.0.1 - test
  iCalendar 0.4.5 - test
  Import ics 4.4.3 - stable
  Imprimer document 0.2.2 - stable
  LangOnet 1.4.6 - stable
  MailShot 1.27.3 - stable
  MailSubscribers 2.11.3 - stable
  Markdown 1.0.2 - test
  Messagerie 3.1.8 - test
  Mini Calendrier 2.4.1 - stable
  Mot de passe dès l’inscription 1.0.19 - stable
  Newsletters 1.6.0 - stable
  Nombres de visiteurs connectés 0.2.3 - stable
  NoSPAM 1.5.18 - stable
  Notation 2.4.2 - test
  Notifications 3.6.8 - stable
  Notifications avancées 0.4.2 - test
  Pages 1.3.7 - stable
  Pre & Code 99 - test
  Saisies pour formulaires 3.11.1 - stable
  Social tags 1.1.1 - stable
  SPIP Bonux 3.4.6 - stable
  Tip A Friend 1.6.9 - stable
  Todo 2.2.1 - stable
  Traduction entre rubriques 3.1.3 - stable
  YAML 1.5.4 - stable

  Je pense que si on doit intégrer le plugin ça sera sur la version dev 3.3, pas sur la version stable, et ça va demander de prendre le temps de voir toutes les modifs et les impacts éventuels que tu n’aurais pas vu ou auxquelles tu n’aurais pas pensé.

  Clairement je pense me faire insulter :-) Je suis prêt ^^ Plus sérieusement il faut absolument tester/restester/reretester. J’ai tenté de faire au mieux mais je ne peux pas revoir tout le code HTML généré par les plugins... Au moindre écart de conformité HTML ca ne passera pas. Le bug https://core.spip.net/issues/4254 en est un bon exemple : avec htmlpurifier l’élément

  est supprimé ; avec "safehtml() standard" le code invalide est conservé et c’est le navigateur qui va corriger.

  Il faut voir les bons cotés : cela force les bonnes pratiques, met SPIP au plus haut niveau du standard (Drupal fait moins bien), aide a identifier des bugs et ce qui passe dans propre() sera obligatoirement valide. C’est aussi a terme moins de problèmes d’injection XSS a traiter pour la team.

  Sur la fonction de survol des logos le sujet reste ouvert ? On est en effet d’accord que cette écriture est obsolète et devrait être revue de toute façon, mais c’est donc un point à traiter dans le core le cas échéant

  Euh je comprend pas, faut-il intégrer le patch des puces de statut dans ce plugin ? Je pensais plus coder le truc """proprement""" avec un JS dans le directement dans /prive/. A décolérer complètement à mon sens.

  Encore merci pour le temps que tu y passes :)

• Your 6-step guide to increasing acquisition

  2 juillet 2019, par Matomo Core Team — Analytics Tips
  Your 6-step guide to increasing acquisition

  Want to save time and money, as well as increase conversions and acquisition ? Matomo Analytics is here to help with that !

  Let’s start by helping you create a website visitors’ acquisition strategy, without it you might be going in blind and missing opportunities that might’ve been easily found in your metrics.

  To help you craft a strategy for your site, check out the steps below !

  Step one : Get familiar with the Acquisition feature

  The easiest way is to start with Matomo’s Acquisition feature itself. Discover and take action on the marketing channels with the biggest ROI for your business. You’ll learn :

  How to get traffic from external websites : Find out who’s helping you succeed from external websites and convince them to do more of it. Get more traffic by proactively asking for : paid sponsorships ; guest blog posts ; or spending more advertising on the particular website.

  

  About Social Networks : Which social media channels are connecting with the audience you want ? Take the guesswork out by using only the ones you need. By finding out which social channels your ideal audience prefers, you can generate shareable, convincing and engaging content to drive shares and traffic through to your site.

  Campaigns : This helps you understand which marketing campaign is working and which isn’t. You can then shift your efforts to effectively gain more visitors with less costs. Keep track of every ad and content piece you show across internal and external channels to see which has the biggest impact on your business objectives.

  Enhanced SEO : Every acquisition plan needs a focus on maximising your Search Engine Optimization (SEO) efforts. When it comes to getting conclusive search engine referrer metrics, you need to be sure you’re getting ALL the insights to drive your SEO strategy. See keyword position rankings, integrate Google, Bing and Yahoo search consoles, and no longer be restricted with “keyword not defined” showing up in your keywords reports.

  >> Watch Acquisition introduction video (playtime : 2.54 minutes)

  Step two : Set your goals and monitor conversion funnels

  Let the Goals feature guide you

  Goals are essential for building your marketing strategy and getting new customers. The more goals you track, the more you learn about behavioural changes and modify pathways to impact acquisitions over time. 

  Are you checking :

  • Which channels are converting the best for your business ?
  • Which cities/countries are most popular ?
  • What devices will attract the most visitors ?
  • How engaged your visitors are before converting ?

  This way you can see if your campaigns (SEO, PPC, signups, blogs etc.) or optimising efforts (A/B Testing, Funnels) have made an impact with the time and investment you’ve put in.

  >> Watch Goals introduction video (playtime : 2.04 minutes)

  The Funnels feature leads you to success

  Conversion funnels give you the big picture on whether your acquisition plans are paying off and where they may be falling short. If the ultimate goal of your site is to drive conversions, then each funnel can tell you how effectively you’re driving traffic through to your desired outcome.

  >> Watch Funnels introduction video (playtime : 2.29 minutes)

  

  Step three : Measure the success of every touchpoint in your customer’s journey

  Multi Attribution feature

  Accurately identify channels where visitors first engage with your business, as well as the final channel they came from, before purchasing your product/service. This helps you make smarter decisions when determining acquisition spend to accurately calculate the Customer Acquisition Cost (CAC). Here you no longer falsely over-estimate investment in failing marketing channels.

  >> Watch Multi Attribution introduction video (playtime : 2.28 minutes)

  Step four : For ecommerce sites, understand who your customers are to increase sales

  Ecommerce feature to significantly increase $ potential

  If your website’s overall purpose is to generate revenue, the Ecommerce feature gives you comprehensive insights into your customer’s purchasing behaviours.

  This heavily reduces your risks when marketing products to potential customers as you’ll understand who to target, what to target them with and where further opportunities exist.

  >> Watch Ecommerce introduction video (playtime : 2.04 minutes)

  

  Step five : Make sure the forms on your website are easy to complete

  Form Analytics feature

  Once you get visitors through the funnel, the forms on your website are the final step to conversion and need special attention. If not done right, you could be missing out on converting a large portion of your visitors.

  Thankfully, you can now identify and fix pain points on the forms that are most important to your business’ success.

  >> Watch Form Analytics introduction video (playtime : 2.39 minutes)

  

  Step six : Discover what a customer journey looks like on a user-by-user basis and bring in key acquisition elements to your strategy

  Visitor Profiles tell you each visitors’ history

  The Profile feature summarises every visit, action and purchase made.

  Better understand :

  • Why your visitors viewed your website.
  • Why your returning visitors continue to view your website.
  • What specifically your visitors are looking for and whether they found it on your website.

  The benefit is being able to see how a combination of acquisition channels play a part in a single buyer’s journey.

  >> Watch Visitors introduction video (playtime : 1.46 minutes)

  

  To summarise

  This guide will set you on a path to creating a well-planned acquisition strategy. It’s the key to attracting and capturing the attention of potential visitors/leads, and successfully driving them through a funnel/buyer’s journey on your website.

  Because of Matomo’s reputation as a trusted analytics platform, the features above can be used to assist you in making smarter data-driven decisions. You can pursue different acquisition avenues with confidence and create a strategy that’s agile and ready for success, all while respecting user privacy.

• French CNIL recommends Piwik : the only analytics tool that does not require Cookie Consent

  29 octobre 2014, par Matthieu Aubry — Press Releases

  There has been recent and important changes in France regarding data privacy and the use of cookies. This blog post will introduce you to these changes and explain how you make your website compliant.

  Cookie Consent in the data freedom law

  Since the adoption of the EU Directive 2009/136/EC “Telecom Package”, Internet users must be informed and provide their prior consent to the storage of cookies on their computer. The use of cookies for advertising, analytics and social share buttons require the user’s consent :

  It is necessary to inform users of the presence, purpose and duration of the cookies placed in their browsers, and the means at their disposal to oppose it.

  What is a cookie ?

  Cookies are tracers placed on Internet users’ hard drives by the web hosts of the visited website. They allow the website to identify a single user across multiple visits with a unique identifier. Cookies may be used for various purposes : building up a shopping cart, storing a website’s language settings, or targeting advertising by monitoring the user’s web-browsing.

  Which cookies are exempt from the Cookie Consent rule ?

  France has exempted certain cookies from the cookie consent rule : for those cookies that are strictly necessary to offer the service sought after by the user you do not need to ask consent to user. Examples of such cookies are :

  • the shopping cart cookie,
  • authentication cookies,
  • short lived session cookies,
  • load balancer cookies,
  • certain first party analytics (such as Piwik cookies),
  • persistent cookies for interface personalisation.

  Asking users for consent for Analytics (tracking) Cookies

  For all cookies that are not exempted from the Cookie Consent then you will need to :

  • obtain consent from web users before placing or reading cookies and similar technologies,
  • clearly inform web users of the different purposes for which the cookies and similar technologies will be used,
  • propose a real choice to web users between accepting or refusing cookies and similar technologies.

  You don’t need Cookie Consent with Piwik

  The excellent news is that there is a way to bypass the Cookie Consent banner on your website :

  If you are using another analytics solution other than Piwik then you will need to ask users for consent. If you do not want to ask for consent then download and install Piwik or signup to Piwik Cloud to get started.

  If you are already using Piwik you need to do two simple things : (1) anonymise visitor IP addresses (at least two bytes) and (2) include the opt-out iframe solution in your website (learn more).

  Note that these recommendations currently only apply in France, but because the law is European we can expect similar findings in other European countries.

  CNIL recommends Piwik

  We are proud that the CNIL has identified Piwik as the only tool that respects all privacy requirements set by the European Telecom law.

  

  About the CNIL

  The CNIL is an independent administrative body that operates in accordance with the French data protection legislation. The CNIL has been entrusted with the general duty to inform people of the rights that the data protection legislation allows them.

  The role and responsabilities of the CNIL are :

  • to protect citizens and their data
  • to regulate and control processing of personal data
  • to inspect the security of data processing systems and applications, and impose penalties

  Piwik and Privacy

  At Piwik we love Privacy – our open analytics platform comes with built-in Privacy.

  Future of Privacy at Piwik

  Piwik is already the leader when it comes to respecting user privacy but we plan to continue improving privacy within the open analytics platform. For more information and specific ideas see Privacy enhancing issues in our issue tracker.

  References

  Learn more in these articles in French [fr] or English :

  • [fr] Sites web, cookies et autres traceurs
  • [fr] Comment me mettre en conformité avec la recommandation “Cookies” de la CNIL ?
  • [fr] Recommandation sur les cookies : obligations pour les responsables de sites ?
  • CNIL Starts Controlling Cookie Settings in October 2014
  • CNIL recommends Piwik for compliance with data protection laws

  Contact

  To learn more about Piwik, please visit piwik.org,

  Get in touch with the Piwik team : Contact information,

  For professional support contact Piwik PRO.