Script tags in custom field not working after update

This topic contains 10 replies, has 4 voices, and was last updated by  Alex Rollin 5 years, 1 month ago.

We have moved to a support ticketing system and our forums are now closed.

Open Support Ticket

Tagged: 

  • Author
    Posts
  • #509668

    Scott Harris
    Lifetime Member
    Post count: 74

    After updating to v2.0.0.67, scripts in custom fields stopped working. I verified that the problem is due to the update by restoring a backup.

    Is this intentional? I am using scripts to display third-party plugins in custom fields, so I’d like to have this functionality back.

    #509675

    Guust
    Moderator
    Post count: 29970

    Please send us the details of a listing and the custom fields so we can see a sample script you are using, and your login details in a private reply and we’ll have a look if we can recreate that on our test sites.
    Thanks

    #509677

    Kiran
    Moderator
    Post count: 7069

    Hi Scott,

    In recent version we have escaped custom field values to prevent XSS (Cross-site scripting) attacks on website.

    Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.

    See https://developer.wordpress.org/plugins/security/securing-input/ & https://developer.wordpress.org/plugins/security/securing-output/

    Let us know how you are using scripts to display third-party plugins in custom fields. If possible i will provide you help/snippet to use filter instead of script tags. Allow to use script tags in input is not safe for website in terms of security.

    Best Regards,
    Kiran

    #509802

    Scott Harris
    Lifetime Member
    Post count: 74
    This reply has been marked as private.
    #510337

    Kiran
    Moderator
    Post count: 7069

    Hi Scott,

    Please use following PHP code snippet, it will skip field value sensitization.

    
    
    /**
     * Skip sanitize field values.
     *
     * Skipping sanitize values may result in cross-site scripting (XSS) attack.
     */
    function gd_snippet_skip_sanitize_field( $value, $gd_post, $custom_field, $post_id, $post, $update ) {
    	$value = $gd_post[ $custom_field->htmlvar_name ];
    
    	if ( isset( $custom_field->data_type ) && ( $custom_field->data_type == 'DECIMAL' || $custom_field->data_type == 'INT' ) && $value === '' ) {
    		$value = null;
    	}
    	return $value;
    }
    add_filter( 'geodir_custom_field_value_email', 'gd_snippet_skip_sanitize_field', 11, 6 );
    add_filter( 'geodir_custom_field_value_html', 'gd_snippet_skip_sanitize_field', 11, 6 );
    add_filter( 'geodir_custom_field_value_phone', 'gd_snippet_skip_sanitize_field', 11, 6 );
    add_filter( 'geodir_custom_field_value_text', 'gd_snippet_skip_sanitize_field', 11, 6 );
    add_filter( 'geodir_custom_field_value_textarea', 'gd_snippet_skip_sanitize_field', 11, 6 );
    add_filter( 'geodir_custom_field_value_url', 'gd_snippet_skip_sanitize_field', 11, 6 );

    Let us know how it goes.

    Regards,
    Kiran

    #510488

    Scott Harris
    Lifetime Member
    Post count: 74

    Thanks very much for creating that script. I copied it to functions.php, but am not seeing the script work. Do I need to specify the custom field for skipping sanitize?

    #510503

    Kiran
    Moderator
    Post count: 7069

    Hi Scott,

    Please try listing re-save again with script tags. The listing which saved after current release may have stripped tags, so those listings needs to re-save again with script tags.

    Let us know.

    Kiran

    #511830

    Scott Harris
    Lifetime Member
    Post count: 74

    Thanks for the script. The shortcodes and scripts in fields are now displaying properly. For security purposes, is there a way that I could specify fields that should not strip tags rather than open them all up?

    #511899

    Kiran
    Moderator
    Post count: 7069

    Hi Scott,

    Try following PHP snippet to prevent strip tags for specific fields.

    
    
    /**
     * Skip sanitize specific field values.
     *
     * Skipping sanitize values may result in cross-site scripting (XSS) attack.
     */
    function gd_snippet_custom_skip_sanitize_field( $value, $gd_post, $custom_field, $post_id, $post, $update ) {
    	// Fields to skip strip tags.
    	$skip_strip_tags = array();
    	$skip_strip_tags[] = 'custom_field';
    	$skip_strip_tags[] = 'custom_text';
    	$skip_strip_tags[] = 'my_field';
    
    	if ( in_array( $custom_field->htmlvar_name, $skip_strip_tags ) ) {
    		$value = $gd_post[ $custom_field->htmlvar_name ];
    
    		if ( isset( $custom_field->data_type ) && ( $custom_field->data_type == 'DECIMAL' || $custom_field->data_type == 'INT' ) && $value === '' ) {
    			$value = null;
    		}
    	}
    	return $value;
    }
    add_filter( 'geodir_custom_field_value_email', 'gd_snippet_custom_skip_sanitize_field', 11, 6 );
    add_filter( 'geodir_custom_field_value_html', 'gd_snippet_custom_skip_sanitize_field', 11, 6 );
    add_filter( 'geodir_custom_field_value_phone', 'gd_snippet_custom_skip_sanitize_field', 11, 6 );
    add_filter( 'geodir_custom_field_value_text', 'gd_snippet_custom_skip_sanitize_field', 11, 6 );
    add_filter( 'geodir_custom_field_value_textarea', 'gd_snippet_custom_skip_sanitize_field', 11, 6 );
    add_filter( 'geodir_custom_field_value_url', 'gd_snippet_custom_skip_sanitize_field', 11, 6 );

    Kiran

    #512153

    Scott Harris
    Lifetime Member
    Post count: 74

    Thanks. Sorry for the newby question, but what values do I need to change in this script to specify the custom fields that shouldn’t have their scripts stripped?

    #512196

    Alex Rollin
    Moderator
    Post count: 27815
    
    
    
    $skip_strip_tags[] = 'my_field';
    

    replace my_field with your field’s key

Viewing 11 posts - 1 through 11 (of 11 total)

We have moved to a support ticketing system and our forums are now closed.

Open Support Ticket
20% Discount Offer
Hurry! Get your 20% discount before it expires. Get 20% Discount