This topic has 9 replies, 2 voices, and was last updated 6 years, 11 months ago by Tom.
April 26, 2017 at 8:38 am #310555
Adam
I’ve encountered a peculiar bug related to some custom fields I’m using on my site. I have a custom field which allows WYSIWYG input by users. That’s very important. But even though the input is standards compliant HTML and XHTML the OUTPUT on my page appears to have been sanitized and outputs as a single string.
The maker of the plugin (CustomPress by WPMU) I’m using suggests that the output is fine — when using a different theme. I’m not terribly certain where to start looking for anything in GP that might be sanitizing my outputs this way, but I’d like to disable this behavior if it exists.
Normally I’d just write in the HTML tags but this is for a client so they’re gonna expect a WYSIWYG input to produce what they saw. I’m happy to provide links privately but it’s for a client site so I can’t go throwing the URLs to the dev version all over the internet.
April 26, 2017 at 9:05 am #310576
Tom (Lead Developer)
Hi there,
GP absolutely sanitizes all values going into the database, and escapes all values being printed from the database. This is essential for security purposes.
However, GP can only do that to options it controls. So if you’re using a custom field that you created, and you’re printing it yourself in your template, it would be up to you to sanitize and escape the output.
For escaping a WYSIWYG editor, I would suggest you use wp_kses_post(): https://codex.wordpress.org/Function_Reference/wp_kses_post
April 26, 2017 at 9:46 am #310611
Adam
I think maybe I misstated my question then. The problem doesn’t seem to be that I’m getting escaped output; the problem seems to be that I’m getting output which is totally sanitized of all HTML in a way over and above what WordPress typically does (and what GP does even inside of the content field).
Here’s a simplified version of the problem.
The user provides WYSIWYG input equivalent to
<p>This is some text. It's got lots of useful information for my customers, and I spent a lot of time formatting it.</p>
<p>This is some more text which starts a new thought or idea, and needs to be visually separated</p>
<p>This is an additional bit of text <br /> which for stylistic reasons includes a line break, but is still a single unit
The problem is that the output on the page is like this:
This is some text. It's got lots of useful information for my customers, and I spent a lot of time formatting it.This is some more text which starts a new thought or idea, and needs to be visually separated.This is an additional bit of text which for stylistic reasons includes a line break, but is still a single unit
What I’m hearing from the plugin developer is that using a theme other than GP causes the text to render as expected. And I’m just trying to track down if this behavior is coming from GP or something the plugin is doing.
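The "sanitize on the way in, escape on the way out" pattern Tom describes above, as an added example (not code from the thread, GeneratePress or CustomPress). It assumes a hypothetical WYSIWYG meta field album_notes on a custom post type album rendered by single-album.php, and that the field is saved through the WordPress meta API so the registered sanitize_callback runs.

```php
<?php
// Added example, not from the thread. Field name 'album_notes' and post type
// 'album' are assumptions made for illustration.

// 1. Sanitize on save. wp_kses_post() keeps the HTML the post editor allows
//    (<p>, <br />, <strong>, <a> ...) and strips what it does not allow
//    (<script> tags, inline event handlers such as onclick, javascript: URLs),
//    so the WYSIWYG markup survives the round trip but active content does not.
add_action( 'init', function () {
    register_post_meta( 'album', 'album_notes', array(
        'type'              => 'string',
        'single'            => true,
        'sanitize_callback' => 'wp_kses_post',
    ) );
} );

// 2. Escape on output, in the template (single-album.php). Run shortcodes
//    first, then filter the final markup. esc_html() would be the wrong
//    escaper for a WYSIWYG field: it would turn the <p> and <br /> tags into
//    literal text, which looks like "sanitized" output that lost its HTML.
//    wp_kses_post() keeps the formatting and removes only disallowed markup.
function album_notes_html( $post_id ) {
    $raw = get_post_meta( $post_id, 'album_notes', true );
    return wp_kses_post( do_shortcode( $raw ) );
}

// In the loop of single-album.php:
// echo album_notes_html( get_the_ID() );

// Note: nothing in this chain collapses <p> blocks into one string. If the
// paragraphs disappear, the value was altered before it reached the
// database, so compare get_post_meta() output against what the editor sent.
```

Comparing the raw stored value with the rendered value is the check Tom suggests later in the thread; if the stored value already lacks the tags, the theme's output path is not the culprit.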
April 26, 2017 at 10:03 am #310616
Tom (Lead Developer)
How are you outputting the custom field? Using a function in a template?
April 26, 2017 at 10:28 am #310623
Adam
Yeah, do_shortcode() specifically.
April 26, 2017 at 4:04 pm #310755
Tom (Lead Developer)
And you’re adding that into a template file?
In order for something (theme or plugin) to sanitize that output, it would have to filter into the do_shortcode() function and add some sort of general sanitizing function (which doesn’t really exist).
GP definitely doesn’t do that, we only escape our own code when output in the theme. There’s no “guessing” output and escaping it/sanitizing it.
April 26, 2017 at 4:17 pm #310764
Adam
Correct, I created a new template file for the output for my custom type, single-album.php, and that’s where my struggle begins. It’s throwing a real tantrum about processing that output.
April 26, 2017 at 8:11 pm #310816
Tom (Lead Developer)
Hmm, have you checked to see if your value is being sanitized prior to being put in the database? If you’re simply outputting a database value directly into a template file using do_shortcode(), there wouldn’t be any escaping.
April 27, 2017 at 11:00 am #311139
Adam
I managed to track it down to an incompatibility in their plugin with TinyMCE. The input was being sanitized, for one reason or another, every time the visual editor became the focus.
I’ve reported the bug to them. Apologies for taking your time.
April 27, 2017 at 9:13 pm #311291
Tom (Lead Developer)
No problem! Glad you found the issue 🙂