• Please tell me how to escape the widget shortcode.

    There is a function:

    if (!function_exists('foo_do_shortcode')) {
        function foo_do_shortcode($name, $attrs = array()) {
            // Characters that would let a value break out of the shortcode syntax.
            $special_chars = array('[', ']', '"', "'");
            $sc_params = '';
            foreach ($attrs as $k => $v) {
                // Skip nested arrays/objects: the original test used ||, which is always true,
                // so it never skipped anything.
                if (is_array($v) || is_object($v)) {
                    continue;
                }
                $v = str_replace($special_chars, '', $v);
                $sc_params .= sprintf(' %s="%s"', sanitize_key($k), esc_attr($v));
            }
            $short_code = "[{$name}{$sc_params}]";
            return do_shortcode($short_code);
        }
    }

    We’re calling it in another file.

    echo foo_do_shortcode(
        'foo_search',
        array(
            'layout'         => $layout,
            'column'         => 1,
            'color_scheme'   => "color-dark",
            'status_enable'  => $status_enable == 1 ? 'true' : 'false',
            'type_enable'    => $type_enable == 1 ? 'true' : 'false',
            'title_enable'   => $title_enable == 1 ? 'true' : 'false',
            'address_enable' => $address_enable == 1 ? 'true' : 'false',
            'country_enable' => $country_enable == 1 ? 'true' : 'false',
        )
    );

    Error checking: All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found 'foo_do_shortcode'. I tried wp_kses_post, esc_html... and more. The widget breaks.

Viewing 6 replies - 1 through 6 (of 6 total)
  • Moderator threadi

    (@threadi)

    wp_kses_post() would be the right function for this. It should look something like this:

    echo wp_kses_post( foo_do_shortcode() );

    That should fix the warning. You just need to make sure that no other components are affecting the HTML code that is filtered by KSES. See also: https://wp-mix.com/wordpress-basic-allowed-html-wp_kses/

    Tip: you can use the code block here in the forum: https://wordpress.org/support/forum-user-guide/block-editor/#code-block

    Thread Starter ie1963

    (@ie1963)

    Thanks. I’ll use the code block.
    Regarding wp_kses_post, I used it initially, but the entire widget markup breaks. I’ve tried everything, but nothing works.

    Maybe I can get rid of “echo”?

    Moderator threadi

    (@threadi)

    No, do_shortcode returns a string that must be output using echo. See: https://developer.wordpress.org/reference/functions/do_shortcode/

    What exactly is incorrect about the output? Are HTML elements or individual attributes missing? Have you tried deactivating all other plugins, as they could be affecting KSES?

    Moderator bcworkz

    (@bcworkz)

    wp_kses_post() is fairly strict with what HTML it allows. It has likely stripped out something essential for your specific situation. Find out what that is and confirm that it’s valid and secure HTML. You can then modify what wp_kses() allows via the ‘wp_kses_allowed_html’ filter hook.

    Thread Starter ie1963

    (@ie1963)

    I’m currently working on a local server and only have this plugin installed, no others.
    I’m using wp_kses_post.
    Half the widget (input fields and html) is missing. I’ll have to learn and use wp_kses_allowed_html.
    I’m just starting to learn WordPress.

    Moderator bcworkz

    (@bcworkz)

    wp_kses_post() is essentially a wrapper function for wp_kses(). You’ll see that if you look at its source code. If you were to use wp_kses() directly instead, it’s possible to override the default allowed HTML and specify your own. However, I find such an approach too cumbersome; I prefer to modify the default via the ‘wp_kses_allowed_html’ filter hook.

    IME it’s unusual for wp_kses() to strip out entire fields. For me, I typically find certain attributes being removed, not the entire tag. IOW, I think something else might be going on beyond allowed HTML. I can imagine that if the HTML syntax were somehow flawed, more content might be stripped out than is normally warranted. It’s probably worth running the unescaped HTML through a syntax linter.

    In case you have yet to become familiar with filter or action hooks in general, this reference should prove useful. I suggest you dump out the return of wp_allowed_protocols() so you can learn how the data array is structured and how it can be modified to suit your needs. You’ll want to wrap the output in <pre> tags, otherwise the formatting structure gets lost.
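The filter route bcworkz describes, as an added example that is not code from this thread or the plugin: extend the 'post' context (the one wp_kses_post() uses) with a minimal allowlist of form elements, so the widget's input fields survive KSES without opening the door to event handlers or inline styles. The exact tags and attributes a search widget needs are an assumption; adjust them to what the linter-checked markup actually contains.

```php
<?php
// Added example, not the plugin's own code. Hook name, context names and the
// attribute-array shape are real WordPress conventions; the tag/attribute
// choices below are assumptions about what a search widget needs.
add_filter( 'wp_kses_allowed_html', 'foo_allow_search_form_html', 10, 2 );

function foo_allow_search_form_html( $allowed, $context ) {
    // wp_kses_post() filters with the 'post' context; leave other contexts
    // (e.g. 'strip', 'data', 'user_description') untouched.
    if ( 'post' !== $context ) {
        return $allowed;
    }

    // Keep the allowlist deliberately narrow: no on* event handlers, no
    // 'style', no 'formaction'. KSES still validates URL protocols on 'action'.
    $allowed['form']   = array( 'action' => true, 'method' => true, 'class' => true, 'id' => true, 'role' => true );
    $allowed['input']  = array( 'type' => true, 'name' => true, 'value' => true, 'placeholder' => true, 'class' => true, 'id' => true, 'checked' => true );
    $allowed['select'] = array( 'name' => true, 'class' => true, 'id' => true );
    $allowed['option'] = array( 'value' => true, 'selected' => true );
    $allowed['label']  = array( 'for' => true, 'class' => true );
    $allowed['button'] = array( 'type' => true, 'class' => true );

    return $allowed;
}

// Call site: satisfies the "All output should be run through an escaping
// function" check while still filtering the shortcode's HTML.
echo wp_kses_post( foo_do_shortcode( 'foo_search', array( 'layout' => 'default' ) ) );
```

Dump `wp_kses_allowed_html( 'post' )` inside `<pre>` tags before and after adding the filter to confirm only the intended tags were added.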
