Script tags in custom field not working after update
This topic contains 10 replies, has 4 voices, and was last updated by Alex Rollin 5 years, 2 months ago.
We have moved to a support ticketing system and our forums are now closed.
Open Support TicketTagged: snippet
-
AuthorPosts
-
September 23, 2019 at 12:11 am #509668
After updating to v2.0.0.67, scripts in custom fields stopped working. I verified that the problem is due to the update by restoring a backup.
Is this intentional? I am using scripts to display third-party plugins in custom fields, so I’d like to have this functionality back.
September 23, 2019 at 6:05 am #509675Please send us the details of a listing and the custom fields so we can see a sample script you are using, and your login details in a private reply and we’ll have a look if we can recreate that on our test sites.
ThanksSeptember 23, 2019 at 6:48 am #509677Hi Scott,
In recent version we have escaped custom field values to prevent XSS (Cross-site scripting) attacks on website.
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.
See https://developer.wordpress.org/plugins/security/securing-input/ & https://developer.wordpress.org/plugins/security/securing-output/
Let us know how you are using scripts to display third-party plugins in custom fields. If possible i will provide you help/snippet to use filter instead of script tags. Allow to use script tags in input is not safe for website in terms of security.
Best Regards,
KiranSeptember 23, 2019 at 5:17 pm #509802This reply has been marked as private.September 26, 2019 at 12:42 pm #510337Hi Scott,
Please use following PHP code snippet, it will skip field value sensitization.
/** * Skip sanitize field values. * * Skipping sanitize values may result in cross-site scripting (XSS) attack. */ function gd_snippet_skip_sanitize_field( $value, $gd_post, $custom_field, $post_id, $post, $update ) { $value = $gd_post[ $custom_field->htmlvar_name ]; if ( isset( $custom_field->data_type ) && ( $custom_field->data_type == 'DECIMAL' || $custom_field->data_type == 'INT' ) && $value === '' ) { $value = null; } return $value; } add_filter( 'geodir_custom_field_value_email', 'gd_snippet_skip_sanitize_field', 11, 6 ); add_filter( 'geodir_custom_field_value_html', 'gd_snippet_skip_sanitize_field', 11, 6 ); add_filter( 'geodir_custom_field_value_phone', 'gd_snippet_skip_sanitize_field', 11, 6 ); add_filter( 'geodir_custom_field_value_text', 'gd_snippet_skip_sanitize_field', 11, 6 ); add_filter( 'geodir_custom_field_value_textarea', 'gd_snippet_skip_sanitize_field', 11, 6 ); add_filter( 'geodir_custom_field_value_url', 'gd_snippet_skip_sanitize_field', 11, 6 );
Let us know how it goes.
Regards,
KiranSeptember 27, 2019 at 1:24 am #510488Thanks very much for creating that script. I copied it to functions.php, but am not seeing the script work. Do I need to specify the custom field for skipping sanitize?
September 27, 2019 at 7:51 am #510503Hi Scott,
Please try listing re-save again with script tags. The listing which saved after current release may have stripped tags, so those listings needs to re-save again with script tags.
Let us know.
Kiran
October 6, 2019 at 11:11 pm #511830Thanks for the script. The shortcodes and scripts in fields are now displaying properly. For security purposes, is there a way that I could specify fields that should not strip tags rather than open them all up?
October 7, 2019 at 9:20 am #511899Hi Scott,
Try following PHP snippet to prevent strip tags for specific fields.
/** * Skip sanitize specific field values. * * Skipping sanitize values may result in cross-site scripting (XSS) attack. */ function gd_snippet_custom_skip_sanitize_field( $value, $gd_post, $custom_field, $post_id, $post, $update ) { // Fields to skip strip tags. $skip_strip_tags = array(); $skip_strip_tags[] = 'custom_field'; $skip_strip_tags[] = 'custom_text'; $skip_strip_tags[] = 'my_field'; if ( in_array( $custom_field->htmlvar_name, $skip_strip_tags ) ) { $value = $gd_post[ $custom_field->htmlvar_name ]; if ( isset( $custom_field->data_type ) && ( $custom_field->data_type == 'DECIMAL' || $custom_field->data_type == 'INT' ) && $value === '' ) { $value = null; } } return $value; } add_filter( 'geodir_custom_field_value_email', 'gd_snippet_custom_skip_sanitize_field', 11, 6 ); add_filter( 'geodir_custom_field_value_html', 'gd_snippet_custom_skip_sanitize_field', 11, 6 ); add_filter( 'geodir_custom_field_value_phone', 'gd_snippet_custom_skip_sanitize_field', 11, 6 ); add_filter( 'geodir_custom_field_value_text', 'gd_snippet_custom_skip_sanitize_field', 11, 6 ); add_filter( 'geodir_custom_field_value_textarea', 'gd_snippet_custom_skip_sanitize_field', 11, 6 ); add_filter( 'geodir_custom_field_value_url', 'gd_snippet_custom_skip_sanitize_field', 11, 6 );
Kiran
October 8, 2019 at 6:23 pm #512153Thanks. Sorry for the newby question, but what values do I need to change in this script to specify the custom fields that shouldn’t have their scripts stripped?
October 8, 2019 at 11:21 pm #512196$skip_strip_tags[] = 'my_field';
replace my_field with your field’s key
-
AuthorPosts
We have moved to a support ticketing system and our forums are now closed.
Open Support Ticket