• Resolved
    Plugin Author Syam Mohan

    (@syammohanm)


    V2.0 of this plugin contains a breaking change. It is part of the recent XSS fix done on the settings page. Even though only a user with the ‘manage_options’ capability (by default only the Administrator role has this capability) can perform this XSS, this is needed as per the “WordPress Plugin Review Team”.

    What is changing?
    Message text no longer allows script tags. If you already have script tags in your notification bar message, they will be removed before displaying the message.

    Why is this change needed?
    This change is needed as per the directions from “WordPress Plugin Review Team”. As per them, Administrators can be tricked into entering malicious code in this field by clicking on a link.

    Is there a way to allow script tags?
    Yes, use the ‘wpfront_notification_bar_message’ filter to set your message.

    My message text doesn’t contain script tags. Is there anything else I need to do?
    No. If your notification bar message doesn’t contain script tags (<script>, </script>), then there is nothing you need to do. Everything will work as usual.

Viewing 6 replies - 1 through 6 (of 6 total)
  • Good afternoon. Tell me how to do this?
    Yes, use the ‘wpfront_notification_bar_message’ filter to set your message.

    Thank you for the clear notice in the release notes that there is a breaking change and for the clear description here of what is changing and why. Wonderful communication! This is how plugin development is done, folk!

    Plugin Author Syam Mohan

    (@syammohanm)

    @morksh

    add_filter('wpfront_notification_bar_message', function($message) {
        return $message . '<script>Your script</script>';
    });

    Plugin Author Syam Mohan

    (@syammohanm)

    More changes in v2.1.0.

    This version uses the ‘wp_kses’ function to sanitize the message and button text. Only HTML tags and attributes allowed by the ‘wp_kses_allowed_html’ function with ‘post’ as context will be allowed by default. Everything else will be removed.

    Use the ‘Message Text Preview’ and ‘Button Text Preview’ fields to see the sanitized values. If there is no difference between the actual field values and the preview values, then there is nothing else you need to do. Everything will work as usual.

    If you want your message and button text to output as it is, you can use the following methods.

    1. WPFRONT_NOTIFICATION_BAR_UNFILTERED_HTML constant.
    Set WPFRONT_NOTIFICATION_BAR_UNFILTERED_HTML constant to true in your wp-config.php to allow unfiltered HTML in both message and button text fields.

    define('WPFRONT_NOTIFICATION_BAR_UNFILTERED_HTML', true);

    2. wpfront_notification_bar_message_allow_unfiltered_html filter.
    Use wpfront_notification_bar_message_allow_unfiltered_html filter to allow unfiltered HTML just in the message field.

    add_filter( 'wpfront_notification_bar_message_allow_unfiltered_html', '__return_true' );

    3. wpfront_notification_bar_button_text_allow_unfiltered_html filter.
    Use wpfront_notification_bar_button_text_allow_unfiltered_html filter to allow unfiltered HTML just in the button text field.

    add_filter( 'wpfront_notification_bar_button_text_allow_unfiltered_html', '__return_true' );
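
    The following is an added example, not code from the plugin or from anyone in this thread. It is a small mu-plugin that reproduces the sanitization described in the v2.1.0 post (so you can predict what the ‘Message Text Preview’ field will show for a given string), opts out of filtering for the message field only rather than via the global constant, and shows how the ‘wpfront_notification_bar_message’ filter from the author’s earlier reply can add markup from code while any script is enqueued as a file instead of being inlined. The function name example_nb_preview, the ‘example-nb’ script handle, the example-nb.js file name and the sample message are assumptions of this example, not plugin APIs.

```php
<?php
/**
 * Added example (not part of the plugin or this thread).
 * Save as wp-content/mu-plugins/example-nb.php.
 * Names prefixed "example" are assumptions of this example.
 */

defined( 'ABSPATH' ) || exit;

/**
 * Mirror of what v2.1.0 is described to do: keep only the tags and attributes
 * that wp_kses_allowed_html( 'post' ) allows and drop everything else.
 * Call this to reproduce the "Message Text Preview" result for a string.
 */
function example_nb_preview( $text ) {
    return wp_kses( $text, wp_kses_allowed_html( 'post' ) );
}

/*
 * Constructed sample: a link (allowed in 'post' context) next to an inline
 * script (not allowed). After example_nb_preview() the <a> element survives,
 * the <script> and </script> tags are removed, and only the text between
 * them remains as plain text.
 */
$example_message = 'Sale ends <a href="https://example.com/sale">today</a>'
    . '<script>alert(1)</script>';

/*
 * Narrowest opt-out: if the message really needs markup that 'post' context
 * strips, enable unfiltered HTML for that one field. This is preferable to
 * the WPFRONT_NOTIFICATION_BAR_UNFILTERED_HTML constant, which also turns off
 * sanitization of the button text.
 */
add_filter( 'wpfront_notification_bar_message_allow_unfiltered_html', '__return_true' );

/*
 * Setting the message from code with the filter from the author's reply.
 * Markup added here comes from a file under version control, not from the
 * settings form, so it is not exposed to the settings-page XSS the thread
 * describes.
 */
add_filter( 'wpfront_notification_bar_message', function ( $message ) {
    return $message . ' <span class="example-nb-extra">Added from code</span>';
} );

/*
 * If script is needed alongside the bar, ship it as a file and enqueue it
 * through the WordPress script API instead of inlining <script> in the
 * message text. plugins_url() resolves relative to this mu-plugin file.
 */
add_action( 'wp_enqueue_scripts', function () {
    wp_enqueue_script(
        'example-nb',
        plugins_url( 'example-nb.js', __FILE__ ),
        array(),
        '1.0',
        true
    );
} );
```

    Install the file, put your script in example-nb.js next to it, and compare example_nb_preview( $text ) against the preview field in the plugin settings to confirm the two agree before relying on either opt-out.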

    It appears that one of the side-effects of this change is that HTML commented-out code such as:

    <!-- <button>Occasional Use Function</button> -->

    is displayed and active. I’m not sure if that’s intentional or not.

    Using:

    define('WPFRONT_NOTIFICATION_BAR_UNFILTERED_HTML', true);

    does work around this problem.

    Plugin Author Syam Mohan

    (@syammohanm)

    This must be the default behavior of ‘wp_kses’. Unfortunately I can’t modify it, since it’s a core function.

    What you did is the right way to get the exact message applied.

  • The topic ‘V2 contain breaking changes’ is closed to new replies.