Forum Replies Created

Viewing 15 replies - 16 through 30 (of 1,008 total)
  • Plugin Author thaikolja

    (@thaikolja)

    Hi @swissprice,

    I appreciate your feedback.

    I’ll dive into it tomorrow since it’s late over here, but my initial instinct tells me it’s likely related to the XSS protection I had to implement.

    You might recall that WP.org temporarily shut down my plugin a few months back due to a rare vulnerability in the secondary title feature. This prompted me to restrict certain HTML tags, so I had to disable many of them in certain situations, probably including yours.

    In the meantime, could you walk me through exactly what you were trying to accomplish and where, so I can replicate the issue and get to the bottom of this?

    Plugin Author thaikolja

    (@thaikolja)

    Hi @fredointhecut,

    Thanks for sending me the parts of your installation. I was now able to reproduce the issue and produce a quick fix for this. Here’s how you can implement it:

    1. Copy the code below or get it from my GitLab Snippet and paste it into your active theme’s functions.php.
    2. Go to Settings → Secondary Title and switch Only show in main post to Off as shown in this screenshot.

    After that, the secondary title will be displayed in your cart and on the checkout page. Make sure Secondary Title is active and the product actually has a secondary title; otherwise, it’ll fall back to showing the default title.

    /**
    * This filter hook modifies the name of the item in the WooCommerce cart.
    * It checks if the plugin Secondary Title is active and if the product ID is set.
    * If the secondary title is not set or is empty, it uses the original formatted string.
    *
    * @hooked woocommerce_cart_item_name - 10
    *
    * @param string $formatted_string The original name of the item in the cart.
    * @param array $cart_item An array containing the cart item's data.
    *
    * @return string The modified name of the item in the cart.
    *
    * @since 2024-06-12
    * @author Kolja Nolte <[email protected]>
    */
    add_filter('woocommerce_cart_item_name', function (string $formatted_string, array $cart_item): string {
        // Return the original formatted string unless the Secondary Title
        // plugin is active and the cart item carries a product ID.
        if (!defined('SECONDARY_TITLE_VERSION') || !isset($cart_item['product_id'])) {
            return $formatted_string;
        }

        // Get the secondary title for the product.
        $secondary_title = (string)get_secondary_title($cart_item['product_id']);

        // If the secondary title is set, use it as the item name.
        // Otherwise, use the original formatted string.
        $formatted_string = $secondary_title ?: $formatted_string;

        return (string)$formatted_string;
    }, 10, 2);

    Let me know if that worked for you.

    Plugin Author thaikolja

    (@thaikolja)

    Sorry for the push, but did you receive my latest comment?

    Plugin Author thaikolja

    (@thaikolja)

    Perfect — almost lol. Can you share the login details also so that I can make a copy of the site and fix it locally (if you’re okay with that)? It’ll be much easier to test changes and make sure nothing else breaks in the process.

    If you’re cool with that, you can send it to [email protected] and encrypt it with PGP to be safe. Here’s my public key.

    Plugin Author thaikolja

    (@thaikolja)

    Hi @fredointhecut,

    Thanks for reaching out.

    I wish I could give you a simple code snippet or step-by-step guide on how to do that, but, as in so many other cases, WP sites are often heavily customized.

    That kind of makes it close to impossible for me to give you directions this fast, because in order to solve this issue, I need to be able to reproduce it.

    Is there any way that you feel comfortable with where you could share parts of your website with me? Maybe even the theme (+ child theme, if it exists) would be enough to mirror your website and come up with the solution, the chances here are 50/50.

    I’d love to help you out on this one but I need to be able to reproduce the issue. Do you maybe have a private/secured staging environment for your current site? BTW: I assume you’re using WooCommerce, is that right?

    Cheers,

    Kolja

    Plugin Author thaikolja

    (@thaikolja)

    Hi @dannythebestguy,

    Are you using the Gutenberg editor or the Classic Editor?

    Plugin Author thaikolja

    (@thaikolja)

    Hi,

    I’d like to help you out with that, but for that, I need a bit more information.

    Can you show me the website where this happens so I can see the issue first-hand?

    Plugin Author thaikolja

    (@thaikolja)

    Hi,

    I’d need to see or read a few more details about this. Maybe a screenshot of your Secondary Title settings and your usage + your intended outcome.

    Thanks!

    Plugin Author thaikolja

    (@thaikolja)

    Hi there,

    That’s outside the realm of Secondary Title. You’d have to get_posts($args) these posts and adjust the $args so the output matches your result. Then, loop through them. And the function that does all that can be registered as a custom shortcode function.

    How are your PHP skills?

    • This reply was modified 9 months, 3 weeks ago by thaikolja.
    Plugin Author thaikolja

    (@thaikolja)

    Thanks for bringing this up. I’ll investigate and let you know.

    Plugin Author thaikolja

    (@thaikolja)

    I tend to agree, but the mods of this forum seem to have an eye on what I say here, so I must tread carefully :/ But I heard the plugin author is very responsive for questions and feedback via email, too.

    Plugin Author thaikolja

    (@thaikolja)

    It’d be easy to allow certain tags, i.e. <i> for Font Awesome icons. Forum rules don’t allow me to give you the code snippet to do just that, unfortunately.

    However, I have to draw a line somewhere. The <script> tag is not the only one that can be abused. But at this point, I’m considering opening the <i> tag unless I find a more reliable solution that doesn’t make my plugin end up on a blacklist again

    BTW: AfD sucks. It has to be said for once :p

    Plugin Author thaikolja

    (@thaikolja)

    Hi,

    Unfortunately, allowing HTML in these fields poses a security risk through cross-site scripting (XSS), which was discovered a few months back (check the forum; there’s an extensive thread about this issue and feedback from users) and made the entire plugin unavailable to download. My options were to limit HTML usage or ditch the entire plugin so nobody could download it anymore.

    I had to comply with limiting HTML, which is why your code doesn’t render as expected. But I do agree: there should be a better compromise.

    In case you don’t know, adding HTML directly into the “Edit post” page in the meta box is still possible. Maybe that’s enough until I’ve balanced out security vs. usability.

    If you give me a more detailed explanation of how you use(d) to add HTML (where, what fields, what HTML), I could include it in the test for the next version and try to have these pass.
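
The allowlist approach discussed in the two replies above (permit <i> for icons, keep every other tag and attribute out), as an added example that is not the Secondary Title plugin's code and not a snippet from the author. The helper name example_sanitize_title_html, the icon class pattern and the sample input are assumptions made for illustration; it assumes WordPress 6.2 or later.

```php
<?php
/**
 * Added example: allowlist sanitising for a title field that may hold an icon.
 * example_sanitize_title_html() is a hypothetical helper, not plugin code.
 * Assumes WordPress 6.2+ (wp_kses() and WP_HTML_Tag_Processor are core).
 */
function example_sanitize_title_html(string $raw): string
{
    // Allowlist: only <i>, and only these two attributes. Every other tag
    // and attribute (script, img, style, on* handlers, ...) is dropped.
    $allowed = [
        'i' => [
            'class'       => true,
            'aria-hidden' => true,
        ],
    ];
    $clean = wp_kses($raw, $allowed);

    // wp_kses() does not judge class values, so keep only icon classes.
    // The pattern ("fa", "fas", "fa-...") is an assumption for this example.
    $tags = new WP_HTML_Tag_Processor($clean);
    while ($tags->next_tag('i')) {
        $class = $tags->get_attribute('class');
        if (!is_string($class)) {
            continue;
        }
        $keep = array_filter(
            preg_split('/\s+/', trim($class)),
            static fn(string $c): bool => (bool)preg_match('/^(?:fa[a-z]?|fa-[a-z0-9-]+)$/', $c)
        );
        if ($keep) {
            $tags->set_attribute('class', implode(' ', $keep));
        } else {
            $tags->remove_attribute('class');
        }
    }

    return $tags->get_updated_html();
}

// Constructed sample: one icon plus markup that must not survive.
// wp_kses() removes tags but not the text between them, so the body of a
// removed <script> is left behind as inert plain text.
$sample = '<i class="fa fa-star site-overlay" onclick="alert(1)"></i> Deluxe Edition'
        . '<img src="x" onerror="alert(1)"><script>alert(1)</script>';
echo example_sanitize_title_html($sample);
```

Listing what is permitted, rather than what is forbidden, is what keeps tags and attributes nobody thought of from slipping through.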

    Plugin Author thaikolja

    (@thaikolja)

    The beta is now the release candidate and has just been released

    Plugin Author thaikolja

    (@thaikolja)

    Your nudge was duly noticed!

    Now, you have to elaborate a little bit on your problem here, and most importantly: How can I reproduce it, because my local machines don’t seem to have this plugin? Maybe you installed the beta before the patch? Try deleting /plugins/secondary-title/ (don’t worry, settings won’t be lost) to rule out any version conflict. I’m referring to this official version.
