ML Slider throws warnings on read-only app container

  • Resolved Paul Gilzow

    (@gilzow)


    4 years ago

    The issue can be found here: N/A but can create a new test environment for you to see the warnings upon request
    The preview works: N/A
    It works with other themes: No
    It works when I disable all other plugins: No
    Meta Slider version: 3.18.9

    When running Meta Slider on a read-only app container, HTMLPurifier throws a ton of warnings upon instantiation.

    At line 506 of https://plugins.trac.www.ads-software.com/browser/ml-slider/trunk/inc/slide/metaslide.image.class.php#L506
    You instantiate the HTMLPurifier class. Upon instantiation, HTML Purifier will attempt to create a series of cache directories. In a read-only file system, this will fail and cause a cascade of warnings.

    HTMLPurifier does support a Cache.SerializerPath config option https://htmlpurifier.org/live/configdoc/plain.html#Cache.SerializerPath but ML Slider does not support the ability to pass in config options to the class.

    The only solution I can discern from your code is to add
    add_filter('metaslider_filter_unsafe_html','__return_false');
    to either our themes’ functions.php files or create a plugin with just that line of code and install on all sites. Doing so also removes _any_ filtering on the caption instead of just preventing the usage of HTMLPurifier.

    Any chance you can add an option for either passing in a cache location, or skipping the use of HTMLPurifier and instead use sanitize_text_field() ?

Viewing 4 replies - 1 through 4 (of 4 total)

  • Hi,

    I’ll check whether sanitize_text_field() covers everything we were concerned with, or otherwise I can see about adding parameters.

    Hi,

    sanitize_text_field() won’t work because we want to allow some HTML like <strong>, <em> etc.

    For your case, if you’re the only one using the site, you can add add_filter('metaslider_filter_unsafe_html','__return_false'); without any worry unless you plan to inject unsafe html into your captions.

    I’ll add another filter though to allow options to be passed in though. No harm in adding that.

    I’ll just mark this as resolved since we have a solution, but feel free to continue the conversation.

    Next release will look like this:

    $config = HTMLPurifier_Config::createDefault();
$config = apply_filters('metaslider_html_purifier_config', $config, $slide, $this->slider->ID, $this->settings);
$purifier = new HTMLPurifier($config);

    And you can filter it something like this:

    add_filter('metaslider_html_purifier_config', function ($config) {
    // Allow target="_blank" on <a>
    $config->set('HTML.Allowed', 'a[href|target]');
    $config->set('Attr.AllowedFrameTargets', array('_blank'));
    return $config;
});
    Thread Starter Paul Gilzow

    (@gilzow)

    that looks perfect. Thanks!

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘ML Slider throws warnings on read-only app container’ is closed to new replies.