• Resolved gskyknight

    (@gskyknight)


    Greetings,

    To begin with, I would like to thank you for providing this plugin to the WordPress community.

    I have been using the plugin since its early versions and I am sorry to discover that after the recent updates it is no longer possible to use HTML link tags in the cookie notice consent. It seems that the plugin automatically removes/ignores HTML link tags on the output text.

    Is it in any way possible to allow links in the text content of the notice?

    Thank you in advance.

    Best Regards,
    George

Viewing 12 replies - 1 through 12 (of 12 total)
  • I’m having the same issue.

    Hi George,

    I have updated to 2.1.6 and this has resolved the issue for me.

    Thread Starter gskyknight

    (@gskyknight)

    Hi @getyourmobi,

    Thank you for letting me know! I’ve just updated to 2.1.6 but it seems that the HTML link tags are still getting removed.

    Here is an example “GDPR Message”:

    <a href="https://www.example.com/">Example.com</a>, uses cookies in order to blah blah blah...

    Unfortunately, the plugin continues to strip off the link tag: <a href="https://www.example.com/"></a> from “Example.com” on the front-end.

    Can you confirm please?

    Thank you in advance.

    Best regards,
    George

    Thread Starter gskyknight

    (@gskyknight)

    Hello,

    After taking the time to review the code, it seems that (as one can suspect) the developers are cleaning up the input by removing the slashes and sanitizing the input. Apart from that, esc_html() is used to display the cookie message which escapes any HTML tags/blocks.

    I believe that this might be a permanent change probably as an effort of the developers to achieve a higher level of security (e.g. against SQL injection attacks).

    In that context, I would like to kindly request from the developers to reconsider the possibility of permitting <a href=""></a> HTML tags. The function wp_kses() might be a good alternative: https://developer.www.ads-software.com/reference/functions/wp_kses/

    Best regards,
    George

    • This reply was modified 2 years, 6 months ago by gskyknight.
    Plugin Author WPeka

    (@wpeka-club)

    Hi there,

    Thank you for your suggestion.

    We have added this request to our product roadmap. And this feature will be added in our future releases.

    Regards,
    Team WPeka.

    Thread Starter gskyknight

    (@gskyknight)

    Greetings,

    Thank you for taking this request into consideration.

    Perhaps, another possible way of allowing selective HTML tags, such as <a> tags, (apart from wp_kses() function for input sanitization on the backend) would be the PHP function strip_tags(), which can replace the esc_html() that escapes all HTML tags in the frontend.

    wp_kses(): https://developer.www.ads-software.com/reference/functions/wp_kses/

    strip_tags(): https://www.php.net/manual/en/function.strip-tags.php

    Best regards,
    George

    • This reply was modified 2 years, 6 months ago by gskyknight.
    Plugin Author WPeka

    (@wpeka-club)

    Hi there,

    Thank you for your suggestion, we will definitely look into this.

    We wanted to inform you that your suggestion to permit HTML tags has been released in our latest version (2.2.0).

    Kindly update your plugin to the latest version and do let us know if you have any further queries.

    Regards,
    Team WPeka.

    Thread Starter gskyknight

    (@gskyknight)

    Hello,

    Thank you for releasing version 2.2.0.

    However, as much as I hate being the bearer of bad news, unfortunately I have to let you know that version 2.2.0 did not solve the issue.

    If I could make a quick suggestion (without implying that it is the optimal one), this would be the following:

    File: gdpr-cookie-consent/public/templates/skins/default.php
    Line 21:
    Current code:
    <div class="group-description" tabindex="0"><p class="gdpr"><?php echo esc_html__( $the_options['gdpr_str'], 'gdpr-cookie-consent' ); ?>

    Suggested modification:
    <div class="group-description" tabindex="0"><p class="gdpr"><?php echo strip_tags($the_options['gdpr_str'],"<a><br><em><strong>"); ?>

    File: gdpr-cookie-consent/admin/class-gdpr-cookie-consent-admin.php
    Line 1107:
    Current code:
    $the_options['notify_message'] = isset( $_POST['gcc-gdpr-msg'] ) ? sanitize_text_field( wp_unslash( $_POST['gcc-gdpr-msg'] ) ) : "This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish.";

    Suggested modification:

    $the_options['notify_message'] = isset( $_POST['gcc-gdpr-msg'] ) ? wp_kses( wp_unslash( $_POST['gcc-gdpr-msg'] ), 
    array(
    	'a' => array(
    		'href' => array(),
    		'title' => array(),
    		'target' => array(),
    		'rel' => array(),
    		'class' => array(),
    		'id' => array(),
    		'style' => array()
    	),
    	'br' => array(),
    	'em' => array(),
    	'strong' => array(),
    )
    ) : "This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish.";

    In this way, function esc_html__() is replaced by function strip_tags() which is configured to escape all HTML tags, except the ones that are allowed. This solves the issue on frontend. To address the issue on backend, function sanitize_text_field() is replaced by wp_kses() which does filter the user’s input but also allows the HTML tags of the provided array to be used.

    Best regards,
    George
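
The three output filters named in this thread (esc_html(), strip_tags() with a tag allowlist, and wp_kses()), run side by side on one message. This is an added example, not the plugin's code or the poster's; the sample message, the allowlist, the `x()` placeholder and the file name are constructed for illustration, and the script assumes it is run inside WordPress (for instance with WP-CLI's `eval-file`).

```php
<?php
// Added example, not the plugin's code. Run inside WordPress, e.g.:
//   wp eval-file compare-output-filters.php   (hypothetical file name)
if ( ! function_exists( 'wp_kses' ) ) {
	exit( "Load WordPress first (for example via WP-CLI's eval-file).\n" );
}

// Constructed sample message: one legitimate link carrying an attribute
// that is not on the allowlist, plus a tag that is not on the allowlist.
$message = '<a href="https://www.example.com/" onmouseover="x()">Example.com</a>'
	. ' uses cookies. <script>x()</script><strong>Read more</strong>';

// Allowlist assumed for this example (narrower than the one in the post).
$allowed_html = array(
	'a'      => array( 'href' => array(), 'title' => array(), 'target' => array(), 'rel' => array() ),
	'br'     => array(),
	'em'     => array(),
	'strong' => array(),
);

$results = array(
	// Escapes every tag: the link is rendered as literal text (the reported symptom).
	'esc_html'   => esc_html( $message ),
	// Filters by tag name only: attributes on allowed tags are left untouched.
	'strip_tags' => strip_tags( $message, '<a><br><em><strong>' ),
	// Filters tags, attributes and URL protocols against the allowlist.
	'wp_kses'    => wp_kses( $message, $allowed_html, array( 'http', 'https' ) ),
);

// True when an on* event-handler attribute is still present inside live markup.
function handler_attribute_survives( $html ) {
	return 1 === preg_match( '/<[^>]+\son\w+\s*=/i', $html );
}

foreach ( $results as $name => $html ) {
	printf(
		"%-10s handler attribute in markup: %-3s | %s\n",
		$name,
		handler_attribute_survives( $html ) ? 'yes' : 'no',
		$html
	);
}
```

Applying the same attribute-aware allowlist at output time as at save time keeps the rendered notice safe even if the stored option was written by an older version or by another code path.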

    Plugin Author WPeka

    (@wpeka-club)

    Hi there,

    Thank you for your suggestions.

    We will surely consider them in our future releases.

    Have a great day!

    Regards,
    Team WPeka.

    Thread Starter gskyknight

    (@gskyknight)

    Hi there,

    I would like to let you know that at the time of writing (version 2.2.1) the issue of ignoring HTML hyperlink tags remains.

    Please review the problem in the following screenshot: https://i.imgur.com/Rw8TBYE.png

    As depicted, it is no longer possible to use HTML link tags in the cookie notice consent. The plugin automatically ignores HTML link tags on the output text.

    I would be grateful if you could let me know if there is any hope that this will be taken into account for future updates?

    Best regards,
    George

    Thread Starter gskyknight

    (@gskyknight)

    Hello WPeka,

    We’re excited to see that the plugin continues to receive updates and support. Is it possible to give us an update regarding the consideration of a solution to the issue of auto removal of links in Cookie Notice Content?

    We would be grateful if you could review the proposed solution (posted above) and let us know if there are any plans of implementing this or any other mitigation method in the near-future updates.

    Best regards,
    George

    Thread Starter gskyknight

    (@gskyknight)

    Greetings,

    I would like to thank you for implementing the proposed fix to allow basic HTML markup in the consent message.

    Issue has been resolved as of version 2.2.4 (latest at this time).

    Best regards,
    George

  • The topic ‘Auto removal of links in Cookie Notice Content’ is closed to new replies.