3.14 breaks media source

Thanks for your report. I am not sure what you mean by “the media source tag”. Can you give me more details about the location of the problem? Thanks!

hi sorry it’s the data-src attribute in the anchor tags created by the mla-gallery tag. here is a screenshot of my inspector showing the issue. https://ibb.co/TTV6GMq

it seems this issue has snuck back in! https://www.ads-software.com/support/topic/gallery-slideshow-stopped-working-with-update-3-12/

Thanks for your report and for the additional details, including the link back to the earlier topic.

The solution for the earlier topic was recently reported to me as a security violation, and I restored the use of the WordPress esc_attr() function to sanitize the attribute content. I am reluctant to add a fix for your situation that might cause a new security violation report.

The problem is limited to passing quotes and slashes in a shortcode parameter. The best solution is to define a custom markup template containing the links you need and avoiding the shortcode parameter security check. I can help you with that if it would work for your application.

Thanks for your patience and understanding.

Seems to me that the data-src attribute is the URL of an image, and shouldn’t be surrounded by quotes. It also needs to retain the / characters to remain a URL.

Normally, esc_attr() is the right function for securing attributes, but in this case, why not use esc_url() instead? It should accomplish the same thing.

@galbaras – thanks for your thought-provoking contribution to this topic.

The mla_link_attributes parameter allows any attribute(s) to be added to the link and treats all attributes the same. For security reasons, all HTML?Event Attributes are deleted and everything else is run through esc_attr(). These restrictions were put in place to resolve a reported security issue from Wordfence.

The data-src attribute is one example of an HTML?data-*?Attribute, These are used to “used to store custom data private to the page or application” and the attribute value “can be any string”. I realize that data-src in particular is widely used, but I am reluctant to start looking for specific attributes and treating them differently.

The security issue is confined to shortcode attributes because any user with Contributor role or higher can put shortcodes in post/page content. Custom markup templates are created in the plugin settings admin area and are restricted to Administrator roles. That seems like a reasonable compromise.

One way to handle this is not to treat all the attributes the same, given that data-src is being used in MLA galleries and has special meaning.

@dlingren i was using mla_link_attributes=’data-src=”{+file_url+}” but it seems i should use mla_link_attributes=’data-src={+file_url+}

when i remove the “” the updated plugin works

thank you this solves the recurring issue!

Thanks to both of you for your comments and updates. I am pleasantly astonished that removing the extra quotes has solved the problem. I tested it and confirmed that esc_attr() does the right thing.

I am leaving this topic resolved, but please update it if you have any further questions or problems regarding the mla_link_attributes parameter. Thanks for your continued interest in the plugin.