Escaping of inline styles causes unexpected output

  • Resolved Justin Sainton

    (@justinsainton)


    4 years ago

    Howdy!

    Great plugin, David!

    One minor issue. The escaping of the inline styles in /includes/mla-main-search-box-template.php actually causes a problem where unchecking the setting to show these controls has no effects, as the quotes are escaped, breaking the HTML.

    This affects both the control styles and the term styles. There are probably a few decent alternatives, but for us locally, we’ve just removed the esc_html() around the variables and that has worked just fine.

    Thanks again!

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author David Lingren

    (@dglingren)

    Thanks for your positive comment and for your report. Thanks as well for the detailed work you did to find and fix the root cause of the problem; very helpful.

    The esc_html() was added in MLA v2.90 as part of my “Systematic review and update of all files for validating, sanitizing and escaping user data to reduce the risk of security exploits.” I have replaced it with the less-restrictive wp_kses() function to leave the quotes in place while retaining some measure of security.

    I have uploaded a new MLA Development Version dated 20210311 that corrects the problem. You can find step-by-step instructions for using the Development Version in this support topic:

    PHP Warning on media upload with Polylang

    I plan to release an MLA update in the next few days, but it would be great if you could install the Development Version and let me know if it works for you. Thanks again for alerting me to this MLA defect.

    Plugin Author David Lingren

    (@dglingren)

    I have released MLA v2.95, which contains the fix for this defect.

    I am marking this topic resolved, but please update it if you have any problems or further questions regarding the fix. Thanks for your patience and helping me find and fix this MLA defect.

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘Escaping of inline styles causes unexpected output’ is closed to new replies.