[Resolved] Does generatepress sanitize outputs?

  • #310555
    Adam

    I’ve encountered a peculiar bug related to some custom fields I’m using on my site. I have a custom field which allows WYSIWYG input by users. That’s very important. But even though the input is standards compliant HTML and XHTML the OUTPUT on my page appears to have been sanitized and outputs as a single string.

    The maker of the plugin (CustomPress by WPMU) I’m using suggests that the output is fine — when using a different theme. I’m not terribly certain where to start looking for anything in GP that might be sanitizing my outputs this way, but I’d like to disable this behavior if it exists.

    Normally I’d just write in the HTML tags but this is for a client so they’re gonna expect a WYSIWYG input to produce what they saw. I’m happy to provide links privately but it’s for a client site so I can’t go throwing the URLs to the dev version all over the internet.

    #310576
    Tom
    Lead Developer

    Hi there,

    GP absolutely sanitizes all values going into the database, and escapes all values being printed from the database. This is essential for security purposes.

    However, GP can only do that to options it controls. So if you’re using a custom field that you created, and you’re printing it yourself in your template, it would be up to you to sanitize and escape the output.

    For escaping a WYSIWYG editor, I would suggest you use wp_kses_post(): https://codex.wordpress.org/Function_Reference/wp_kses_post
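    Tom's advice above, escape the custom field yourself at the point where the template prints it, worked through as an added example (this is illustration code, not GeneratePress or CustomPress code). The meta keys `album_description`, `album_label` and `album_store_url` are hypothetical names for a WYSIWYG field, a plain-text field and a URL field; the template name single-album.php is the one mentioned later in the thread. Each field gets the escaping function for its context, which is the distinction that matters: `wp_kses_post()` keeps the post-safe HTML subset (paragraphs, line breaks, links, images) and removes scripts, event handlers and unsafe URL schemes, whereas `esc_html()` would render any tags the user typed as literal text.

```php
<?php
/**
 * Added example: escaping custom-field output in a theme template such as
 * single-album.php. Not code from GeneratePress or CustomPress; the meta keys
 * used here are hypothetical.
 */

// WYSIWYG field: run shortcodes first, then allow only the post-safe HTML
// subset. <p>, <br>, <strong>, <a href> and friends survive; <script>,
// onclick="..." attributes and javascript: URLs are removed.
function example_album_description( $post_id ) {
    $raw = get_post_meta( $post_id, 'album_description', true );
    return wp_kses_post( do_shortcode( $raw ) );
}

// Plain-text field: esc_html() turns < > & " ' into entities, so a stray
// <script> typed into this field is displayed as text, never executed.
function example_album_label( $post_id ) {
    return esc_html( get_post_meta( $post_id, 'album_label', true ) );
}

// URL field: esc_url() rejects disallowed protocols and escapes the value for
// use inside an href; the visible text and title get their own escaping.
function example_album_store_link( $post_id ) {
    $url = get_post_meta( $post_id, 'album_store_url', true );
    if ( '' === $url ) {
        return '';
    }
    $label = __( 'Buy this album', 'example' );
    return sprintf(
        '<a href="%s" title="%s">%s</a>',
        esc_url( $url ),
        esc_attr( $label ),
        esc_html( $label )
    );
}

// Usage inside the loop in single-album.php (the template echoes the
// already-escaped strings; nothing is escaped twice):
//
//   echo example_album_description( get_the_ID() );
//   echo '<h3>' . example_album_label( get_the_ID() ) . '</h3>';
//   echo example_album_store_link( get_the_ID() );
```

    The order in the first function is deliberate: shortcodes are expanded before `wp_kses_post()` runs, so whatever a shortcode emits is also held to the allowlist. Note also what each failure looks like: escaping a WYSIWYG field with `esc_html()` leaves visible `<p>` text on the page, while a strip-tags step produces paragraphs run together into one string, which is a useful tell when tracing where markup went missing.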

    #310611
    Adam

    I think maybe I misstated my question then. The problem doesn’t seem to be that I’m getting escaped output, the problem seems to be that I’m getting output which is totally sanitized of all HTML in a way over and above what WordPress typically does (and what GP does even inside of the content field).

    Here’s a simplified version of the problem.

    The user provides WYSIWYG input equivalent to
    <p>This is some text. It's got lots of useful information for my customers, and I spent a lot of time formatting it.</p> <p>This is some more text which starts a new thought or idea, and needs to be visually separated</p> <p>This is an additional bit of text <br /> which for stylistic reasons includes a line break, but is still a single unit</p>

    The problem is that the output on the page is like this:
    This is some text. It's got lots of useful information for my customers, and I spent a lot of time formatting it.This is some more text which starts a new thought or idea, and needs to be visually separated.This is an additional bit of text which for stylistic reasons includes a line break, but is still a single unit

    What I’m hearing from the plugin developer is that using a theme other than GP causes the text to render as expected. And I’m just trying to track down if this behavior is coming from GP or something the plugin is doing.

    #310616
    Tom
    Lead Developer

    How are you outputting the custom field? Using a function in a template?

    #310623
    Adam

    Yeah, do_shortcode() specifically

    #310755
    Tom
    Lead Developer

    And you’re adding that into a template file?

    In order for something (theme or plugin) to sanitize that output, it would have to filter into the do_shortcode() function and add some sort of general sanitizing function (which doesn’t really exist).

    GP definitely doesn’t do that, we only escape our own code when output in the theme. There’s no “guessing” output and escaping it/sanitizing it.

    #310764
    Adam

    Correct, I created a new template file for the output for my custom type, single-album.php; that’s where my struggle begins. It’s throwing a real tantrum about processing that output.

    #310816
    Tom
    Lead Developer

    Hmm, have you checked to see if your value is being sanitized prior to being put in the database? If you’re simply outputting a database value directly into a template file using do_shortcode(), there wouldn’t be any escaping.
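    Tom's suggestion to check whether the value is already sanitized before it reaches the database, together with his earlier point that nothing filters do_shortcode() to sanitize output, can be turned into a small diagnostic. This is an added example, not GeneratePress or CustomPress code; the meta key `album_description`, the post type `album` and the function names are hypothetical. The first part registers the field with an allowlist sanitizer on save (so input is cleaned by `wp_kses_post()` rather than stripped of all tags); the second part compares the stored value with the rendered value, which tells you whether markup was lost before storage or at render time.

```php
<?php
/**
 * Added example (not code from GeneratePress or CustomPress). Assumes a
 * hypothetical meta key 'album_description' on a hypothetical 'album' post type.
 */

// 1. Sanitize on the way IN with an allowlist, not a strip. Anything written
//    through the meta API passes through wp_kses_post(): tags outside the
//    post-safe set are removed, paragraphs and line breaks are preserved.
add_action( 'init', function () {
    register_meta( 'post', 'album_description', array(
        'object_subtype'    => 'album',
        'type'              => 'string',
        'single'            => true,
        'sanitize_callback' => 'wp_kses_post',
        'show_in_rest'      => false,
    ) );
} );

// 2. Trace where tags disappear. Compares the raw database value with the
//    value the template would print. do_shortcode() itself applies no
//    sanitizing, so any difference between the two comes from wp_kses_post()
//    or from a shortcode's own output.
function example_trace_album_field( $post_id ) {
    $stored   = get_post_meta( $post_id, 'album_description', true );
    $rendered = wp_kses_post( do_shortcode( $stored ) );

    return array(
        // false here means the markup never reached the database: look at the
        // editor / plugin save path, not at the theme or template.
        'stored_has_tags'   => $stored !== wp_strip_all_tags( $stored ),
        // true above but false here means the render chain removed the tags.
        'rendered_has_tags' => $rendered !== wp_strip_all_tags( $rendered ),
        'stored_length'     => strlen( $stored ),
        'rendered_length'   => strlen( $rendered ),
    );
}

// Usage while debugging, e.g. from a must-use plugin, with a real post ID in
// place of the placeholder:
//
//   error_log( print_r( example_trace_album_field( /* POST_ID */ 0 ), true ) );
```

    Reading the result: `stored_has_tags => false` means no template change can restore the formatting, because the paragraphs were already gone when the value was written, which is the situation this thread ends up in. `stored_has_tags => true` with `rendered_has_tags => false` points at the rendering chain instead.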

    #311139
    Adam

    I managed to track it down to an incompatibility in their plugin with TinyMCE. The input was being sanitized, for one reason or another, every time the visual editor became the focus.

    I’ve reported the bug to them. Apologies for taking your time.

    #311291
    Tom
    Lead Developer

    No problem! Glad you found the issue 🙂
