Tomorrow, following final feedback from a handful of our customers, we are releasing Matador Jobs 3.5.4. It contains several changes, including two security updates and a handful of bugfixes that improve the stability of Matador.
Edit Friday, December 13, 2019 16:30: During final testing and feedback, we discovered continued issues around one of the bug fixes included in this release. With that feedback we believe we have finally quashed this bug. That said, since everyone is going home for the weekend, we will be delaying distribution of this update until Wednesday, December 18th.
Security is important to us at Matador Software. While no code written is perfectly secure, we do our very best to follow best practices related to security and always research and question major decisions we make. We’ve also had our code reviewed by many developers who give us feedback and generally agree: Matador was made with security in mind. That said, we do find opportunities for improvement, and this hotfix release contains two security updates we feel will make your site safer:
“Message to Recruiters” No Longer Accepts HTML
We always envisioned the “Message to Recruiters” optional application field also being used by businesses that want to accept copy/pasted HTML or text resumes. That said, we’ve actually never seen anyone deploy Matador in this way.
A client reported a spam application submission where the spammer was able to use HTML to mask a dangerous URL as a clickable section of text that did not appear to be a link (text was black and not underlined). The client did not click the link, but we agreed with them: that is not okay.
For your safety and security, the “Message to Recruiters” field will now remove all HTML. If you want or need a field where a user can submit HTML, e.g. an HTML resume and/or a code answer, let us know and we can help you create a custom field with that functionality.
Search Terms Sanitization Hardened
The search form submissions use HTTP GET requests, which append the search parameters to the URL. This is so you and your users can share specific searches with others. When investigating an issue a client was experiencing that ultimately was unrelated to Matador, we did find a place where we felt we could improve the security of this functionality. We believe that there was not technically an exploitable opportunity for hackers, but we’d rather add an extra layer of safety where it seems prudent, and did just that.
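As an added illustration (not Matador’s own code), the plain-PHP snippet below models both changes: the message field has all HTML removed before it is stored, and a GET search term is sanitized once on input and escaped once on output. It also shows why escaping the same value repeatedly, as the search-form bug listed further down did, corrupts it. The function names, the constructed sample submission and the WordPress equivalents named in the comments are assumptions for this example.

```php
<?php
// Added example, not Matador code. Plain PHP so it runs without WordPress;
// the WordPress functions that do the same job are named in the comments.

// Constructed spam-style submission: a link styled to look like plain black text.
$message = "Hello, please see my resume.\n"
    . '<a href="https://attacker.invalid/cv" style="color:#000;text-decoration:none">'
    . 'Open resume</a> Regards.';

// 1. "Message to Recruiters": remove all HTML before storing or forwarding.
//    WordPress equivalent: wp_strip_all_tags() or sanitize_textarea_field().
function strip_message_html(string $text): string {
    $text = strip_tags($text);                         // drops <a ...> and </a>, keeps the inner text
    return trim(preg_replace('/[ \t]+/', ' ', $text)); // collapse leftover runs of spaces
}

// 2. Search term from the query string: sanitize once on input ...
//    WordPress equivalent: sanitize_text_field().
function sanitize_search_term(string $raw): string {
    $term = strip_tags($raw);
    $term = preg_replace('/[\x00-\x1F\x7F]/', '', $term); // control characters have no place in a search
    return trim($term);
}

// ... and escape exactly once at the point of output.
//    WordPress equivalent: esc_attr() inside an attribute, esc_html() in text.
function render_search_input(string $term): string {
    return '<input type="search" name="keyword" value="'
        . htmlspecialchars($term, ENT_QUOTES, 'UTF-8') . '">';
}

// Escaping an already-escaped value again re-encodes the '&' of each entity,
// so three passes turn '&' into '&amp;amp;amp;' and the browser shows '&amp;amp;'.
function escape_n_times(string $value, int $n): string {
    for ($i = 0; $i < $n; $i++) {
        $value = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    }
    return $value;
}

echo strip_message_html($message), "\n";   // the href does not survive; only the visible words do

$raw_query = 'php & <b>wordpress</b>';     // as it might arrive in $_GET['keyword']
$term = sanitize_search_term($raw_query);  // tags removed, ampersand kept as data
echo render_search_input($term), "\n";     // ampersand encoded once, which the browser decodes back
echo escape_n_times($term, 1), "\n";       // correct: one layer of encoding
echo escape_n_times($term, 3), "\n";       // the bug: three layers, rendered literally
```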
In addition to those two important security changes, we also included 6 bugfixes in this release:
- Fixed an issue where, if an applicant put more than one space in their name, their application could fail in two ways: first in duplicate detection, and second in saving altogether. Protections were put in place to remove unnecessary spaces prior to processing a compound name.
- Fixed an issue where a parsed resume might contain an empty “skills” object, which was causing some aspects of the Matador application processing to fail. We added protections to prevent failure and handle the empty skills object gracefully.
- Fixed an issue causing Application Syncs to continue syncing to Bullhorn even when the setting was set to “off.” Oops! Fixed!
- Fixed an issue where security escaping for the search form shortcode was too strong and disrupted the expected output. We were escaping output three times, and one of those escaping procedures was breaking the search form when a certain combination of options was selected. (See, sometimes we’re so security conscious we break things in the name of safety!)
- Users of our WP Job Manager add-on will note that we removed options related to JSON+LD because WP Job Manager handles it separately. The settings could be set, but were ignored, so to prevent confusion, they were removed.
- Users of our WP Job Manager add-on will also note that new settings related to candidate and recruiter email notifications were added. These options existed in Matador but were not being offered to WPJM users due to a bug.
Other Notable Changes:
- Two new filters were added to allow for more granular handling of job data on a sync. One filter related to the same behaviors, recently added in 3.5.0, was also deprecated and replaced with a more descriptively named filter. This replacement, however, inverted the boolean: the old version defaulted to false, while the new version defaults to true. Deprecation handling was added, so if you were using it, there is no need to change your code any time soon.
- The connection assistant offered an option to use the WEST USA 50 cluster. Unlike every other API datacenter, which, even if not associated with your account, could be logged into and otherwise work as expected, WEST USA 50 could not be logged into. We theorize it is because you must be on WEST USA 50 to log in. We’ve temporarily disabled this option until a user associated with WEST USA 50 can help us test the option.
- We improved descriptions of the setting on the options page related to when applications are processed.
- We improved documentation in the template-functions.php file, which is a go-to file for developers implementing Matador. It is our most documented file, and we are constantly working to improve it so your developers are able to easily implement Matador.