Switch properly from HTML website to WordPress without hurting Google rankings

My question is about specific technicalities of the switch from HTML website to WordPress. I looked through similar questions but my question still remains.

I think my situation is pretty standard.

I’m about to switch my current HTML website to WordPress. My website has been up since 2006.

Main details of the transition:

- My current site is in the /public folder
- Most pages have .php extension
- The WordPress folder is /clickandbuilds/mywebsite (WordPress.org, hosted by 1&1)
- I’ll also need to do 301 redirects for all .php pages to the WP pages

I guess my main question is the following:

Is it safe to just switch my domain from the /public folder to the WordPress folder once everything is ready? I assume it’s a standard procedure – but still wanted to get a second opinion.

Thanks, Leo

Attacking through a malicious HTML file apart from XSS through Javascript

I recently came across a behavior in a web application where the application (through the use of the header ‘Content-Disposition: attachment’) offers to download an HTML file instead of allowing it to get parsed by the browser. Interestingly, the GET request to the URL that lets you download the HTML page passes the absolute path of the HTML file that will be downloaded – starting all the way from /usr/local....<snip>/public/mypage.html . If an attacker has the privilege to upload an HTML file to this location (public), apart from an XSS attack, what else can he/she do on the machine of a victim who downloads and opens the HTML file crafted by the attacker?

I am aware of the XSS attacks that one can do by injecting some malicious Javascript in the HTML file. I would like to know what else an attacker can get done outside of Javascript XSS attacks.

Is unicode character encoding a safe alternative for html encoding when rendering unsafe user input to html?

I am building a web application in which a third party library is used, which transforms the user input into JSON and sends it to a controller action. In this action, we serialize the input using the standard Microsoft serializer from the System.Text.Json namespace.

    public async Task<IActionResult> Put([FromBody]JsonElement json)
    {
        string result = JsonSerializer.Serialize(json);
    }

However, currently the JSON is rendered back to the page, within a script block and using @Html.Raw(), which raised an alarm with me when I reviewed the code.

While testing if this creates an opening for script injection, I added

<script>alert("HACKED");</script> 

to the input. This input is transformed into

\u003Cscript\u003Ealert(\u0027HACKED\u0027);\u003C/script\u003E 

when serialized.

This looks fine. Rendering this to the page does not result in code execution when I tested it.

So, is unicode character encoding really a good protection against script injection, or should I not rely on it?

Is it conceivable that unicode encoding is lost somewhere during processing? Like (de)serializing once more, etc?

This seems like a question that has been asked and answered before, but I couldn’t find it.
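The round-trip concern raised in this question can be checked directly. The following is an added example, not part of the original post: `escapeForScriptBlock` is a hypothetical helper that mimics the `\uXXXX` escaping shown above (it is not the System.Text.Json encoder), and `JSON.stringify` stands in for any later serializer that leaves `<` unescaped.

```javascript
// Hypothetical stand-in for an encoder that emits \uXXXX for HTML-sensitive
// characters, as in the serialized output quoted in the question.
function escapeForScriptBlock(value) {
  return JSON.stringify(value).replace(/[<>&'\u2028\u2029]/g, (ch) =>
    "\\u" + ch.charCodeAt(0).toString(16).toUpperCase().padStart(4, "0"));
}

// True when the serialized text could terminate an inline <script> block:
// the HTML parser ends the block at "</script" no matter what the
// JavaScript string quoting looks like at that point.
function canBreakOutOfScript(serialized) {
  return /<\/script/i.test(serialized) || serialized.includes("<!--");
}

function roundTrip(input) {
  const escaped = escapeForScriptBlock(input);      // safe to inline
  const reparsed = JSON.parse(escaped);             // escapes are decoded here
  const reserialized = JSON.stringify(reparsed);    // plain serializer: "<" is back
  return {
    escaped,
    sameValueAfterParse: reparsed === input,
    escapedBreaksOut: canBreakOutOfScript(escaped),
    reserializedBreaksOut: canBreakOutOfScript(reserialized),
  };
}

// Test string taken from the question.
const report = roundTrip('<script>alert("HACKED");</script>');
console.log(report);
```

The escaping holds only for the exact string the encoder produced: once the value is parsed and serialized again by a component that does not escape `<`, the literal closing tag reappears, so the escaping has to be applied at the final step before the text is written into the script block.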

Google Search Console cannot read my XML: Sitemap appears to be an HTML page

I’m working on a web application written with AngularJS (v8) and deployed on an apache2 using proxy to forward requests (frontend, api, backoffice).

My problem is that I’m trying to submit the sitemap ({website}/sitemap.xml) on Google, but Google Search Console keeps saying that it’s not valid: Google can read the link but it seems to be in HTML.

My sitemap: sitemap

I tried to validate that XML on many websites and I didn’t find any error.

I mentioned apache2 because maybe when Google tries to fetch the URL, before finding the XML, apache gives another page but I cannot prove that. I tried in many ways and the first page that I see when opening the URL is the sitemap and nothing else.

In my angular.json I added the file in the assets as follows:

"assets": ["src/favicon.ico", "src/assets", "src/sitemap.xml"],

What can it be?

Thank you

Hooking into the HTML header container

I’m trying to hook into the header.php of WordPress theme(s), more specifically, right before the closing header tag </header>. I’d like to do this in a programmatic way so when I switch themes I don’t have to remember to go include the method of a custom hook <?php my_cool_hook(); ?>.

Is there a way to accomplish this? I’ve tried looking through the available actions but so far I haven’t found any that would suit my needs.

Thanks.

HTML designed Email for SEO Services

Can you please tell me, suggest, or make an email template for giving out "SEO Services Reports" to clients?

My email is like this below.

So, what type of HTML template can I use for it?

"""

Iwood Furniture,

I have seen that you deal with All Types of Furniture and have an online portal as well to brief people about your company. What I have to offer you is, Some of My Services in order for you to see a clear picture of your Website and where you stand…

Does the re-use of HTML email newsletter content for blog posts have SEO (or other) repercussions?

I am (in parallel) building both a newsletter subscriber list (using Mailchimp) and also a blog website (using WordPress). I want to be as efficient as possible with the use of my content / copy. I would like to send out newsletters to subscribers first and then re-use the content for time delayed blog postings. Using a WordPress plugin such as ‘postie’ I can easily send an email directly to my website that is then entered into my blog post stream automatically. If I prepare the styling of my email appropriately in Mailchimp, the posting should look like native content on my website.

However, my current understanding is that robust HTML emails tend to use A LOT of tables to force the email client to render the email correctly. Also, they tend to use A LOT of inline CSS and the like. If I simply insert this into my blog stream the website HTML is going to get ‘ugly’ and likely slow to load.

But, does this actually matter? Will webcrawlers & search engines have a tantrum?

If I need to avoid this scenario, should I search for a solution (hopefully not manual re-coding) that creates two versions of the HTML: one for newsletter use; one for blog stream insertion?

I really want to avoid the manual effort of having to create two versions of the HTML content from scratch each time.

Many thanks in advance for any thoughts, advice and suggestions you can offer.

[ If it is of any interest / relevance, you can visit my fledgling blog site at https://charlesgull.mobi ]

DOM Based XSS and Adding HTML Elements

So as a rule of thumb I once learned that adding or removing HTML with JavaScript/JQuery (.html(),.append(), etc) leaves yourself wide open for DOM Based XSS Attacks. It is now my understanding that this is not 100% true. Supposedly there is a correct and safe way to add/remove HTML with JavaScript. I am hoping to learn some on what this “correct way” may be.

So as an example let's say I have an input field that allows a user to append an item to a list. In this case the input would also be added to an array to be sent in future requests. Additionally this list would have a button to remove said item from that list. In an insecure environment we might do something like the following (negating array):

    var list = $("#my_list");

    $("#add_btn").on("click", function(){
        let input = $("#input_field").val();
        list.append(
            '<li>'+input+' <button>Remove</button></li>'
        );
    });

    $("#my_list").on("click", "button", function(){
        $(this).closest("li").remove();
    });

How might one do the same but without the threat of XSS?
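One way to build the same list without concatenating HTML strings, as an added example that is not part of the original question: the user's input goes in through `createTextNode`, so the browser never parses it as markup. The element IDs are the ones from the snippet above; passing `doc` in as a parameter is an assumption made here so the code also runs against a DOM implementation outside the browser.

```javascript
// Build <li>text <button>Remove</button></li> from nodes, never from a string.
function buildListItem(doc, text) {
  const li = doc.createElement("li");
  // A text node holds the input verbatim; "<script>..." stays literal text.
  li.appendChild(doc.createTextNode(text + " "));
  const btn = doc.createElement("button");
  btn.type = "button";
  btn.textContent = "Remove"; // fixed label, also set as text
  li.appendChild(btn);
  return li;
}

// Wire the add/remove handlers and keep the array of values in sync with
// the rendered list, so it can be sent in later requests.
function wireList(doc) {
  const list = doc.getElementById("my_list");
  const field = doc.getElementById("input_field");
  const items = [];

  doc.getElementById("add_btn").addEventListener("click", () => {
    items.push(field.value);
    list.appendChild(buildListItem(doc, field.value));
  });

  // One delegated handler on the list covers every Remove button.
  list.addEventListener("click", (ev) => {
    const btn = ev.target.closest("button");
    if (!btn) return;
    const li = btn.closest("li");
    const i = Array.prototype.indexOf.call(list.children, li);
    if (i >= 0) items.splice(i, 1);
    li.remove();
  });
  return items;
}

// In a browser, attach to the real page; elsewhere this line is skipped.
if (typeof document !== "undefined") wireList(document);
```

With jQuery the equivalent is to create the element first and set its content with `.text()` rather than passing a concatenated string to `.append()` or `.html()`.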