I am working with [[LINK href="http://www.woothemes.com/woocommerce/"]]woocommerce [[/LINK]]and the [[LINK href="http://www.woothemes.com/products/product-add-ons/"]]product add-ons extension[[/LINK]] on [[LINK href="http://development.ride-engine.com/product/armor-2/"]]this page[[/LINK]]
I was really stoked to find I could add content to the addon descriptions (like lining and shell color) by writing HTML right into the field in the WordPress admin. I would be even more stoked if I could write PHP for linking to images dynamically and such, but it's getting removed, I think by esc_textarea.
How can I keep the data from being sanitized? Or am I barking up the wrong tree, and I should find a method to integrate images without potentially compromising security? Is it acceptable to sanitize front-end data but allow code from the admin?
Specifically: is there an alternative to esc_textarea that will allow me to write PHP into the product add-on textarea and have it process/display on the front end? This is where the data is input to the database, correct?
```php
<td class="addon_description" colspan="2">
<label for="addon_description_<?php echo $loop; ?>"><?php _e( 'Group Description', 'woocommerce' ); ?></label>
<textarea cols="20" id="addon_description_<?php echo $loop; ?>" rows="3" name="product_addon_description[<?php echo $loop; ?>]"><?php echo esc_textarea( $addon['description'] ) ?></textarea>
</td>
```
First time using this service, happy to pay $10 to whoever provides a solution or the best advice. Or, if someone would like to suggest a more complicated workaround, feel free to suggest something and a price. Thanks for your time!
Fahad Murtaza answers:
Writing PHP code could work but won't be safe. Why don't you use WordPress shortcuts for images instead?
shipwreck comments:
That would work for not having to update paths when moving between local and development environments?
Fahad Murtaza comments:
Yes, I do it all the time. With a shortcut, you can use bloginfo('url') within the code to generate the path dynamically wherever you are: local, development, staging or production environment.
shipwreck comments:
In terms of safety: is it bad practice to allow admin users to enter PHP, but sanitize data entered by the public?
shipwreck comments:
I have been using bloginfo, but isn't it wrapped in a PHP tag?
shipwreck comments:
e.g.:
```php
<li><a href="<?php echo bloginfo('url'); ?>/shop">SHOP</a></li>
```
Fahad Murtaza comments:
I mean, bloginfo would be in the functions.php in a shortcode function. You'd simply be using [your_short_code] in the field which is being sanitised.
Fahad Murtaza comments:
Like what this plugin does.
http://wordpress.org/plugins/wp-bloginfo-shortcode/
Fahad Murtaza comments:
Glad to help :)
Fahad Murtaza comments:
Sorry, please ignore the very last comment. I know I still haven't helped you completely :)
shipwreck comments:
I installed and activated the plugin. On the product page in the admin I tested the shortcode in three places:
In the main description area [blog info="url"] is returning localhost, which is perfect!
In the add-on panel of product data, it is returning itself ([blog info="url"]) when I enter it into the Group Name
In the add-on panel of product data, it is returning <img> when I try to use it with <img src="[blog info="url"]/images/something.jpg"
Something is happening with data stripping... I have this code in an html-addon.php file that I believe handles the data entry:
```php
<table cellpadding="0" cellspacing="0" class="wc-metabox-content">
<tbody>
<tr>
<td class="addon_name" width="50%">
<label for="addon_name_<?php echo $loop; ?>"><?php _e( 'Group Name', 'woocommerce' ); ?></label>
<input type="text" id="addon_name_<?php echo $loop; ?>" name="product_addon_name[<?php echo $loop; ?>]" value="<?php echo esc_attr( $addon['name'] ) ?>" />
</td>
<td class="addon_required" width="50%">
<label for="addon_required_<?php echo $loop; ?>"><?php _e( 'Required fields?', 'wc_product_addons' ); ?></label>
<input type="checkbox" id="addon_required_<?php echo $loop; ?>" name="product_addon_required[<?php echo $loop; ?>]" <?php checked( $addon['required'], 1 ) ?> />
</td>
</tr>
<tr>
<td class="addon_description" colspan="2">
<label for="addon_description_<?php echo $loop; ?>"><?php _e( 'Group Description', 'woocommerce' ); ?></label>
<textarea cols="20" id="addon_description_<?php echo $loop; ?>" rows="3" name="product_addon_description[<?php echo $loop; ?>]"><?php echo esc_textarea( $addon['description'] ) ?></textarea>
</td>
</tr>
```
Fahad Murtaza comments:
Try with single quotes like this:
[blog info='url']
shipwreck comments:
I believe the culprit is esc_attr and esc_textarea. How is data handled in the normal post RTE that allows shortcodes to be used?
Fahad Murtaza comments:
If it's returning <img src="[blog info="url"]/images/something.jpg"
when you put the code within an image tag, then all you need is do_shortcode
http://codex.wordpress.org/Function_Reference/do_shortcode
I guess that should solve esc_attr problem.
shipwreck comments:
When I use
```php
<img src="[blog info='url']/image.jpg">
```
in the main content area it works, but when I use it in the add-ons textarea it just echoes itself. But it's not getting stripped, which I guess can be seen as a step in the right direction.
I would love this solution to work
shipwreck comments:
Sorry, I was writing my reply when you suggested do_shortcode, I will attempt it now
Fahad Murtaza comments:
OK, for example
```php
<?php echo esc_textarea( $addon['description'] ) ?>
```
should be changed to
```php
<?php echo do_shortcode(esc_textarea( $addon['description'] )) ?>
```
Fahad Murtaza comments:
OK, I believe do_shortcode should do the magic.
shipwreck comments:
So with that change, entering <img src="[blog info='template_directory']/image.jpg"> returns the proper directory when I test it in the main wp content editor
When I use that image code in the add-ons group description, it returns <img src="Engine/image.jpg"> to the admin textarea, and <img src="[blog info='template_directory']/image.jpg"> to the front end
shipwreck comments:
```php
<td class="addon_description" colspan="2">
<label for="addon_description_<?php echo $loop; ?>"><?php _e( 'Group Description', 'woocommerce' ); ?></label>
<textarea cols="20" id="addon_description_<?php echo $loop; ?>" rows="3" name="product_addon_description[<?php echo $loop; ?>]"><?php echo do_shortcode(esc_textarea( $addon['description'] )) ?></textarea>
</td>
```
shipwreck comments:
It has done something because I am getting different values returned, but it isn't quite processing the shortcode.
Fahad Murtaza comments:
OK, try changing the single quotes in the shortcode to double again.
shipwreck comments:
So you processed the shortcode php shortcuts with do_shortcode, with the idea that there would be nothing left for esc_textarea to escape... that is an excellent idea
I have no idea why it's returning Engine to the admin textarea, and itself to the frontend
shipwreck comments:
With double quotes <img src="[blog info="template_directory"]/image.jpg">
Behaves properly in the main content area
Returns <img src="Engine/image.jpg"> to the admin textarea and front end
Fahad Murtaza comments:
By main content area, you mean the visual editor? Can you send me the screenshot?
shipwreck comments:
Sorry, it returns just <img> with the double quotes
Fahad Murtaza comments:
Oh I think I got it,
That means you also have to do the front end do_shortcode as well.
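Putting the thread's conclusion together as an added example (this is not code from the original post, from WooCommerce, or from the Product Add-ons extension): a shortcode that resolves the site URL at render time, a front-end helper that filters the stored HTML and only then expands shortcodes, and the admin field left exactly as it was. The shortcode tag `[site_url]` and the `ride_engine_*` function names are my own assumptions; the extension's real hook and template names are not assumed anywhere below, so the two helpers are meant to be called from wherever your copy of the front-end template and save handler touch `$addon['description']`.

```php
<?php
/**
 * Added example for the thread above. Not from the original post, WooCommerce,
 * or Product Add-ons. Assumed names: the [site_url] shortcode tag and the
 * ride_engine_* helpers are invented for illustration.
 */

// 1. A shortcode that expands to the site URL, optionally with a sub-path:
//    [site_url]  or  [site_url path='images/armor.jpg']
//    The host is resolved from WordPress settings at render time and never
//    stored, so the same content works on local, staging and production.
add_shortcode( 'site_url', function ( $atts ) {
    $atts = shortcode_atts( array( 'path' => '' ), $atts, 'site_url' );
    // esc_url() makes the expanded value safe inside an href/src attribute,
    // whatever the editor typed into path=.
    return esc_url( home_url( '/' . ltrim( $atts['path'], '/' ) ) );
} );

// 2. FRONT END: what to do with a stored description before printing it.
//    Call this where the extension's front-end template echoes
//    $addon['description'] (assumption: you override that template in your theme).
function ride_engine_render_addon_description( $raw ) {
    // Filter first, expand second. wp_kses_post() allows the same HTML as the
    // post editor (img, a, ul, ...), drops script tags, on* handlers and
    // javascript: URLs, and leaves the literal "[site_url]" text alone.
    // Expanding shortcodes before the filter would let their output bypass it;
    // expanding after means only your own PHP decides what they emit.
    $clean = wp_kses_post( $raw );
    return do_shortcode( $clean );
}

// 3. ADMIN: the edit field keeps esc_textarea() on the raw stored value, so
//    the editor sees and can re-edit the literal shortcode. do_shortcode()
//    does not belong here: whatever the textarea displays is what gets
//    submitted on the next save, so an expanded URL would overwrite the
//    shortcode in the database.
function ride_engine_admin_addon_description_field( $loop, $raw ) {
    return sprintf(
        '<textarea cols="20" rows="3" id="addon_description_%1$d" name="product_addon_description[%1$d]">%2$s</textarea>',
        (int) $loop,
        esc_textarea( $raw )
    );
}

// 4. SAVE (optional): if not everyone who can edit products holds the
//    unfiltered_html capability, store filtered HTML instead of trusting the
//    role. Assumes the caller has already wp_unslash()ed the posted value.
function ride_engine_sanitize_addon_description_on_save( $posted ) {
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $posted;
    }
    return wp_kses_post( $posted );
}
```

Two notes on using this. First, inside a double-quoted HTML attribute, write the shortcode's own attributes with single quotes (`<img src="[site_url path='images/armor.jpg']">`), as suggested earlier in the thread, or use the bare `[site_url]` form, so the quoting nests cleanly. Second, on the original question of storing PHP in the field: anything that evaluates field contents as PHP lets every account that can edit a product run arbitrary code on the server, so the answer to "sanitize the public but trust the admin" is to give admins a safe vocabulary (HTML filtered by `wp_kses_post`, plus shortcodes whose PHP lives in `functions.php`) rather than an unfiltered one.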
shipwreck comments:
Here is an image of the admin. I believe we agree main content area = visual editor