Script tags in custom field not working after update

This topic contains 10 replies, has 4 voices, and was last updated by  Alex Rollin 4 years, 7 months ago.

We have moved to a support ticketing system and our forums are now closed.


    #509668

    Scott Harris
    Lifetime Member
    Post count: 74

    After updating to v2.0.0.67, scripts in custom fields stopped working. I verified that the problem is due to the update by restoring a backup.

    Is this intentional? I am using scripts to display third-party plugins in custom fields, so I’d like to have this functionality back.

    #509675

    Guust
    Moderator
    Post count: 29970

    Please send us the details of a listing and the custom fields so we can see a sample script you are using, and your login details in a private reply and we’ll have a look if we can recreate that on our test sites.
    Thanks

    #509677

    Kiran
    Moderator
    Post count: 7069

    Hi Scott,

    In the recent version we have escaped custom field values to prevent XSS (Cross-site scripting) attacks on the website.

    Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.

    See https://developer.wordpress.org/plugins/security/securing-input/ & https://developer.wordpress.org/plugins/security/securing-output/

    Let us know how you are using scripts to display third-party plugins in custom fields. If possible I will provide you help/a snippet to use a filter instead of script tags. Allowing script tags in input is not safe for the website in terms of security.

    Best Regards,
    Kiran

    #509802

    Scott Harris
    Lifetime Member
    Post count: 74
    This reply has been marked as private.
    #510337

    Kiran
    Moderator
    Post count: 7069

    Hi Scott,

    Please use the following PHP code snippet; it will skip field value sanitization.

    /**
     * Skip sanitize field values.
     *
     * Skipping sanitize values may result in cross-site scripting (XSS) attack.
     */
    function gd_snippet_skip_sanitize_field( $value, $gd_post, $custom_field, $post_id, $post, $update ) {
    	// Replace the sanitized $value with the raw submitted value for this field.
    	$value = $gd_post[ $custom_field->htmlvar_name ];
    
    	// Empty numeric fields are stored as NULL rather than an empty string.
    	if ( isset( $custom_field->data_type ) && ( $custom_field->data_type == 'DECIMAL' || $custom_field->data_type == 'INT' ) && $value === '' ) {
    		$value = null;
    	}
    	return $value;
    }
    // Priority 11 runs after GeoDirectory's own sanitization; 6 = number of filter arguments.
    add_filter( 'geodir_custom_field_value_email', 'gd_snippet_skip_sanitize_field', 11, 6 );
    add_filter( 'geodir_custom_field_value_html', 'gd_snippet_skip_sanitize_field', 11, 6 );
    add_filter( 'geodir_custom_field_value_phone', 'gd_snippet_skip_sanitize_field', 11, 6 );
    add_filter( 'geodir_custom_field_value_text', 'gd_snippet_skip_sanitize_field', 11, 6 );
    add_filter( 'geodir_custom_field_value_textarea', 'gd_snippet_skip_sanitize_field', 11, 6 );
    add_filter( 'geodir_custom_field_value_url', 'gd_snippet_skip_sanitize_field', 11, 6 );

    Let us know how it goes.

    Regards,
    Kiran

    #510488

    Scott Harris
    Lifetime Member
    Post count: 74

    Thanks very much for creating that script. I copied it to functions.php, but am not seeing the script work. Do I need to specify the custom field for skipping sanitize?

    #510503

    Kiran
    Moderator
    Post count: 7069

    Hi Scott,

    Please try re-saving the listing again with script tags. Listings which were saved after the current release may have stripped tags, so those listings need to be re-saved again with script tags.

    Let us know.

    Kiran

    #511830

    Scott Harris
    Lifetime Member
    Post count: 74

    Thanks for the script. The shortcodes and scripts in fields are now displaying properly. For security purposes, is there a way that I could specify fields that should not strip tags rather than open them all up?

    #511899

    Kiran
    Moderator
    Post count: 7069

    Hi Scott,

    Try the following PHP snippet to prevent stripping tags for specific fields.

    /**
     * Skip sanitize specific field values.
     *
     * Skipping sanitize values may result in cross-site scripting (XSS) attack.
     */
    function gd_snippet_custom_skip_sanitize_field( $value, $gd_post, $custom_field, $post_id, $post, $update ) {
    	// Fields to skip strip tags (field keys, i.e. htmlvar_name values).
    	$skip_strip_tags = array();
    	$skip_strip_tags[] = 'custom_field';
    	$skip_strip_tags[] = 'custom_text';
    	$skip_strip_tags[] = 'my_field';
    
    	// Only listed fields get the raw submitted value; all others keep the sanitized $value.
    	if ( in_array( $custom_field->htmlvar_name, $skip_strip_tags ) ) {
    		$value = $gd_post[ $custom_field->htmlvar_name ];
    
    		// Empty numeric fields are stored as NULL rather than an empty string.
    		if ( isset( $custom_field->data_type ) && ( $custom_field->data_type == 'DECIMAL' || $custom_field->data_type == 'INT' ) && $value === '' ) {
    			$value = null;
    		}
    	}
    	return $value;
    }
    add_filter( 'geodir_custom_field_value_email', 'gd_snippet_custom_skip_sanitize_field', 11, 6 );
    add_filter( 'geodir_custom_field_value_html', 'gd_snippet_custom_skip_sanitize_field', 11, 6 );
    add_filter( 'geodir_custom_field_value_phone', 'gd_snippet_custom_skip_sanitize_field', 11, 6 );
    add_filter( 'geodir_custom_field_value_text', 'gd_snippet_custom_skip_sanitize_field', 11, 6 );
    add_filter( 'geodir_custom_field_value_textarea', 'gd_snippet_custom_skip_sanitize_field', 11, 6 );
    add_filter( 'geodir_custom_field_value_url', 'gd_snippet_custom_skip_sanitize_field', 11, 6 );

    Kiran
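As an added example (not GeoDirectory's code or the snippet above), a narrower version of the same per-field approach: the chosen fields keep their markup, but the raw value goes through WordPress's wp_kses() with a per-field tag allowlist instead of being returned unfiltered, and the third-party plugin's JavaScript is loaded with wp_enqueue_script() rather than from a field value. The field keys 'embed_html' and 'my_field', the script handle and the URL are placeholders.

```php
<?php
/**
 * Added example (not GeoDirectory's own code): keep markup for selected fields
 * but pass it through a tag allowlist, so <script> and on* handlers never survive.
 */
function gd_example_allowlist_field_html( $value, $gd_post, $custom_field, $post_id, $post, $update ) {
	// Per-field allowlists (field keys are placeholders): only these tags and
	// attributes are kept; everything else is stripped by wp_kses().
	$allowed_per_field = array(
		'embed_html' => array(
			'iframe' => array( 'src' => true, 'width' => true, 'height' => true, 'title' => true, 'allowfullscreen' => true ),
			'div'    => array( 'class' => true, 'id' => true, 'data-widget-id' => true ),
		),
		'my_field' => array(
			'a'      => array( 'href' => true, 'rel' => true, 'target' => true ),
			'strong' => array(),
			'em'     => array(),
			'br'     => array(),
		),
	);

	$key = $custom_field->htmlvar_name;
	if ( ! isset( $allowed_per_field[ $key ] ) ) {
		// Not one of the listed fields: keep GeoDirectory's default sanitized value.
		return $value;
	}

	$raw = isset( $gd_post[ $key ] ) ? $gd_post[ $key ] : '';
	// wp_kses() keeps only the allowed tags/attributes and only URLs with protocols
	// WordPress permits by default; <script> elements and event-handler attributes are removed.
	return wp_kses( $raw, $allowed_per_field[ $key ] );
}
add_filter( 'geodir_custom_field_value_html', 'gd_example_allowlist_field_html', 11, 6 );
add_filter( 'geodir_custom_field_value_textarea', 'gd_example_allowlist_field_html', 11, 6 );

// The third-party widget script is loaded once from the theme instead of from a
// field value. Handle name and URL are placeholders.
function gd_example_enqueue_widget_script() {
	wp_enqueue_script( 'example-widget', 'https://example.invalid/widget.js', array(), null, true );
}
add_action( 'wp_enqueue_scripts', 'gd_example_enqueue_widget_script' );
```

The allowlisted field then carries only the markup the widget needs (for instance the placeholder div the enqueued script looks for), while a pasted script tag is dropped at save time.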

    #512153

    Scott Harris
    Lifetime Member
    Post count: 74

    Thanks. Sorry for the newbie question, but what values do I need to change in this script to specify the custom fields that shouldn’t have their scripts stripped?

    #512196

    Alex Rollin
    Moderator
    Post count: 27815

    $skip_strip_tags[] = 'my_field';

    Replace my_field with your field’s key.
