• There is a nasty bug in admin\class-ngg-options.php line 48 that prevents NextCellent from saving the options:

    Remove from
    $options = explode( ',', stripslashes( sanitize_title($_POST['page_options'] )) );
    the “sanitize_title” because $_POST() returns an Array() but sanitize_title requires a string.

    The sanitize function has to be removed in line 58 too, otherwise a link code line like “class="shutterset_%GALLERY_NAME%"” could not be entered in effects.

    The input validation should be rewritten completely to match the correct field type here. Currently all field types are sanitized with the same function only.

    • This topic was modified 7 years, 4 months ago by slabbi.
Viewing 3 replies - 1 through 3 (of 3 total)
  • Thread Starter slabbi

    (@slabbi)

    Same problem in
    admin\manage\class-ngg-abstract-image-manager.php line 105+:

    $description = isset ( $_POST['description'] ) ? sanitize_text_field( $_POST['description']) : array();
    $alttext = isset ( $_POST['alttext'] ) ? sanitize_text_field($_POST['alttext']) : array();
    $exclude = isset ( $_POST['exclude'] ) ? sanitize_text_field($_POST['exclude']) : false;
    $taglist = isset ( $_POST['tags'] ) ? sanitize_text_field($_POST['tags']) : false;
    $pictures = isset ( $_POST['pid'] ) ? sanitize_text_field($_POST['pid']) : false;
    $date = isset ( $_POST['date'] ) ? sanitize_text_field($_POST['date']) : "NOW()"; //Not sure if NOW() will work or not but in theory it should

    For a quick bugfix remove all sanitize_text_field(). You should add the sanitize function in lines 118, 119 and 121. The rest should be safe. The code is not very nice in this section and could be optimized.
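An added example, not part of the thread and not NextCellent's code: one way to sanitize each POST field according to its type instead of passing every value through the same string function. The helper name `ngg_example_clean`, the type labels and the field-to-type mapping are assumptions made for illustration; the two `function_exists` stand-ins are simplified and only let the file run outside WordPress.

```php
<?php
// Added example, not NextCellent code. The two stand-ins below are simplified
// and only used when WordPress is not loaded, so the file runs on its own.
if ( ! function_exists( 'wp_unslash' ) ) {
    function wp_unslash( $v ) {
        if ( is_array( $v ) ) { return array_map( 'wp_unslash', $v ); }
        return is_string( $v ) ? stripslashes( $v ) : $v;
    }
}
if ( ! function_exists( 'sanitize_text_field' ) ) {
    function sanitize_text_field( $s ) { // stand-in: strips tags and trims only
        return is_scalar( $s ) ? trim( strip_tags( (string) $s ) ) : '';
    }
}

// Hypothetical helper: sanitize one request value by its declared type.
function ngg_example_clean( $value, $type ) {
    $value = wp_unslash( $value ); // WordPress adds slashes to $_POST
    switch ( $type ) {
        case 'text_array': // assumed shape: description[pid] => text
            return is_array( $value ) ? array_map( 'sanitize_text_field', $value ) : array();
        case 'id_array':   // assumed shape: pid[] => numeric image id
            if ( ! is_array( $value ) ) { return array(); }
            return array_values( array_map( 'intval', array_filter( $value, 'is_numeric' ) ) );
        case 'csv_keys':   // page_options: comma-separated option names
            if ( ! is_string( $value ) ) { return array(); }
            $keys = array_map( 'trim', explode( ',', $value ) );
            return array_values( preg_grep( '/^[A-Za-z0-9_]+$/', $keys ) );
        case 'raw_code':   // thumbCode: kept as typed, escaped when echoed
            return is_string( $value ) ? trim( $value ) : '';
        case 'text':
            return is_string( $value ) ? sanitize_text_field( $value ) : '';
    }
    return null; // unknown type: reject instead of guessing
}

// Constructed sample request (slashes as WordPress would deliver them).
$post = array(
    'page_options' => 'thumbCode, example_option',
    'thumbCode'    => 'class=\"shutterset_%GALLERY_NAME%\"',
    'description'  => array( 12 => 'Sunset <b>beach</b>', 13 => 'Harbour' ),
    'pid'          => array( '12', '13', 'x' ),
);
$schema = array( 'page_options' => 'csv_keys', 'thumbCode' => 'raw_code',
                 'description' => 'text_array', 'pid' => 'id_array' );
foreach ( $schema as $field => $type ) {
    echo $field, ' => ', var_export( ngg_example_clean( $post[ $field ] ?? null, $type ), true ), "\n";
}
```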

    Thread Starter slabbi

    (@slabbi)

    In line 651
    echo htmlspecialchars(stripslashes($options['thumbCode']));
    is also not a good idea since it might add multiple tabs after saving. It's cosmetic, so no bugfix here.

    Does the Nextcellent author not check this support page?? The latest update does nothing to resolve these problems. Going back to 1.9.31.

  • The topic ‘Bugfix: Saving backend options are working again’ is closed to new replies.