Can't put iframe in HTML fields in latest update

This topic contains 4 replies, has 4 voices, and was last updated by  Kiran 5 years, 3 months ago.

We have moved to a support ticketing system and our forums are now closed.

Open Support Ticket

Tagged: ,

  • Author
    Posts
  • #510096

    D K
    Free User
    Post count: 2

    Hi, we Can’t put iframes in HTML fields in latest update. This is very important for our use case. Please help. Thanks

    #510103

    Kor
    Moderator
    Post count: 16516

    Hi D K,

    Thanks for your post. Are you trying to display embedded media? https://wpgeodirectory.com/docs-v2/places/custom/#textarea . If not, could you tell us a little bit more about what you’re trying to achieve there?

    #510107

    D K
    Free User
    Post count: 2

    Just an embedded map

    #510175

    Alex Rollin
    Moderator
    Post count: 27815

    The developers are checking into it.

    #510336

    Kiran
    Moderator
    Post count: 7069

    Hi D K,

    In recent version we have escaped custom field values to prevent XSS (Cross-site scripting) attacks on website.

    Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.

    See https://developer.wordpress.org/plugins/security/securing-input/ & https://developer.wordpress.org/plugins/security/securing-output/

    If you still want to you unrestricted tags in fields then you can use following PHP snippet. It will skip field value sensitization.

    
    
    /**
     * Skip sanitize field values.
     *
     * Skipping sanitize values may result in cross-site scripting (XSS) attack.
     */
    function gd_snippet_skip_sanitize_field( $value, $gd_post, $custom_field, $post_id, $post, $update ) {
    	$value = $gd_post[ $custom_field->htmlvar_name ];
    
    	if ( isset( $custom_field->data_type ) && ( $custom_field->data_type == 'DECIMAL' || $custom_field->data_type == 'INT' ) && $value === '' ) {
    		$value = null;
    	}
    	return $value;
    }
    add_filter( 'geodir_custom_field_value_email', 'gd_snippet_skip_sanitize_field', 11, 6 );
    add_filter( 'geodir_custom_field_value_html', 'gd_snippet_skip_sanitize_field', 11, 6 );
    add_filter( 'geodir_custom_field_value_phone', 'gd_snippet_skip_sanitize_field', 11, 6 );
    add_filter( 'geodir_custom_field_value_text', 'gd_snippet_skip_sanitize_field', 11, 6 );
    add_filter( 'geodir_custom_field_value_textarea', 'gd_snippet_skip_sanitize_field', 11, 6 );
    add_filter( 'geodir_custom_field_value_url', 'gd_snippet_skip_sanitize_field', 11, 6 );

    Let us know.

    Best Regards,
    Kiran

Viewing 5 posts - 1 through 5 (of 5 total)

We have moved to a support ticketing system and our forums are now closed.

Open Support Ticket
20% Discount Offer
Hurry! Get your 20% discount before it expires. Get 20% Discount