Hi D K,
In recent version we have escaped custom field values to prevent XSS (Cross-site scripting) attacks on website.
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.
See https://developer.wordpress.org/plugins/security/securing-input/ & https://developer.wordpress.org/plugins/security/securing-output/
If you still want to you unrestricted tags in fields then you can use following PHP snippet. It will skip field value sensitization.
/**
* Skip sanitize field values.
*
* Skipping sanitize values may result in cross-site scripting (XSS) attack.
*/
function gd_snippet_skip_sanitize_field( $value, $gd_post, $custom_field, $post_id, $post, $update ) {
$value = $gd_post[ $custom_field->htmlvar_name ];
if ( isset( $custom_field->data_type ) && ( $custom_field->data_type == 'DECIMAL' || $custom_field->data_type == 'INT' ) && $value === '' ) {
$value = null;
}
return $value;
}
add_filter( 'geodir_custom_field_value_email', 'gd_snippet_skip_sanitize_field', 11, 6 );
add_filter( 'geodir_custom_field_value_html', 'gd_snippet_skip_sanitize_field', 11, 6 );
add_filter( 'geodir_custom_field_value_phone', 'gd_snippet_skip_sanitize_field', 11, 6 );
add_filter( 'geodir_custom_field_value_text', 'gd_snippet_skip_sanitize_field', 11, 6 );
add_filter( 'geodir_custom_field_value_textarea', 'gd_snippet_skip_sanitize_field', 11, 6 );
add_filter( 'geodir_custom_field_value_url', 'gd_snippet_skip_sanitize_field', 11, 6 );
Let us know.
Best Regards,
Kiran
Kiran 5 years, 1 month ago.
