3.14 breaks media source
-
Hello, version 3.14 is replacing ” with " and / with empty spaces in the media source tag. Hope you are well!
-
Thanks for your report. I am not sure what you mean by “the media source tag”. Can you give me more details about the location of the problem? Thanks!
-
Hi, sorry, it’s the data-src attribute in the anchor tags created by the mla-gallery tag. Here is a screenshot of my inspector showing the issue. https://ibb.co/TTV6GMq
It seems this issue has snuck back in! https://wordpress.org/support/topic/gallery-slideshow-stopped-working-with-update-3-12/
-
Thanks for your report and for the additional details, including the link back to the earlier topic.
The solution for the earlier topic was recently reported to me as a security violation, and I restored the use of the WordPress esc_attr() function to sanitize the attribute content. I am reluctant to add a fix for your situation that might cause a new security violation report.
The problem is limited to passing quotes and slashes in a shortcode parameter. The best solution is to define a custom markup template containing the links you need and avoiding the shortcode parameter security check. I can help you with that if it would work for your application.
Thanks for your patience and understanding.
-
Seems to me that the data-src attribute is the URL of an image, and shouldn’t be surrounded by quotes. It also needs to retain the / characters to remain a URL.
Normally, esc_attr() is the right function for securing attributes, but in this case, why not use esc_url() instead? It should accomplish the same thing.
-
@galbaras – thanks for your thought-provoking contribution to this topic.
The mla_link_attributes parameter allows any attribute(s) to be added to the link and treats all attributes the same. For security reasons, all HTML Event Attributes are deleted and everything else is run through esc_attr(). These restrictions were put in place to resolve a reported security issue from Wordfence.
The data-src attribute is one example of an HTML data-* Attribute. These are “used to store custom data private to the page or application” and the attribute value “can be any string”. I realize that data-src in particular is widely used, but I am reluctant to start looking for specific attributes and treating them differently.
The security issue is confined to shortcode attributes because any user with Contributor role or higher can put shortcodes in post/page content. Custom markup templates are created in the plugin settings admin area and are restricted to Administrator roles. That seems like a reasonable compromise.
-
One way to handle this is not to treat all the attributes the same, given that data-src is being used in MLA galleries and has special meaning.
-
@dlingren I was using mla_link_attributes=’data-src=”{+file_url+}” but it seems I should use mla_link_attributes=’data-src={+file_url+}
When I remove the “” the updated plugin works.
Thank you, this solves the recurring issue!
-
Thanks to both of you for your comments and updates. I am pleasantly astonished that removing the extra quotes has solved the problem. I tested it and confirmed that esc_attr() does the right thing.
I am leaving this topic resolved, but please update it if you have any further questions or problems regarding the mla_link_attributes parameter. Thanks for your continued interest in the plugin.
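-
The sanitization policy the plugin author describes in this thread, written out as an added example; this is not code from the Media Library Assistant plugin. It drops HTML event-handler attributes, runs every remaining value through esc_attr(), and shows why the quoted form mla_link_attributes=’data-src=”{+file_url+}”’ comes out with &quot; entities inside the URL while the unquoted data-src={+file_url+} form survives intact. The thread does not say how the plugin tokenizes the parameter, so splitting on whitespace and at the first "=" is an assumption here, and esc_attr() is approximated with htmlspecialchars() so the script runs outside WordPress; the build_link_attributes() name and the sample URL are constructed for this example.

```php
<?php
// Added example, not code from the Media Library Assistant plugin. It models the
// policy described in the thread for a link-attribute shortcode parameter:
// drop HTML event-handler attributes (on*), pass every remaining value through
// esc_attr(), and emit name="value" pairs. Tokenizing on whitespace and at the
// first "=" is an assumption; the plugin's own parsing is not shown in the thread.

// Stand-in for the WordPress function when run outside WordPress: esc_attr()
// encodes & < > " and ' and does not double-encode existing entities.
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string
    {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', false);
    }
}

/**
 * Turn a shortcode parameter such as "data-src=https://... rel=lightbox" into
 * a string of HTML attributes safe to place inside an <a> tag.
 *
 * @param string $raw     Parameter value after template substitution of {+file_url+}.
 * @param array  $dropped Receives the names of attributes removed by the policy.
 */
function build_link_attributes(string $raw, array &$dropped = []): string
{
    $dropped = [];
    $out = [];
    foreach (preg_split('/\s+/', trim($raw), -1, PREG_SPLIT_NO_EMPTY) as $token) {
        // Split at the first "=": everything after it is the value, quotes included.
        [$name, $value] = array_pad(explode('=', $token, 2), 2, '');

        // Attribute names must be plain identifiers; anything else is refused.
        if (!preg_match('/^[A-Za-z][\w:.-]*$/', $name)) {
            $dropped[] = $name;
            continue;
        }
        // Event handlers (onclick, onerror, onmouseover, ...) are never emitted.
        // The check is deliberately broad: any name starting with "on" is removed.
        if (stripos($name, 'on') === 0) {
            $dropped[] = $name;
            continue;
        }
        // esc_attr() encodes quote characters, so a value can never close the
        // attribute early. The same encoding is why quotes that arrive as part of
        // the value end up as &quot; inside the URL and break data-src.
        $out[] = $name . '="' . esc_attr($value) . '"';
    }
    return implode(' ', $out);
}

// Constructed sample input: this URL stands in for the substituted {+file_url+}.
$url = 'https://example.com/wp-content/uploads/photo.jpg';

// Quoted form from the original shortcode: the quotes are part of the value.
echo build_link_attributes('data-src="' . $url . '"'), PHP_EOL;

// Unquoted form that resolved the topic: the URL passes through unchanged
// (esc_attr() leaves "/" alone), and a second attribute is kept as well.
echo build_link_attributes('data-src=' . $url . ' rel=lightbox'), PHP_EOL;

// What the policy exists for: an event-handler attribute is removed and reported.
echo build_link_attributes('onclick=openViewer() data-src=' . $url, $dropped), PHP_EOL;
var_dump($dropped);
```

Run it with the php command line; no WordPress install is needed. The first line prints data-src="&quot;https://example.com/wp-content/uploads/photo.jpg&quot;", which a browser reads as a URL that begins and ends with a literal quote character, matching the broken inspector output reported at the top of the thread. The second prints a clean data-src and rel pair, and the third prints only the data-src attribute with $dropped holding onclick. A custom markup template, as the plugin author suggests, sidesteps this path entirely because its content is written by an Administrator and is not run through the shortcode parameter check.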