Conversation
I would assume this also has to do with the security enhancements, but the PayPal buttons that use a form also stopped working.
Hi! Sorry for the inconvenience caused. It is due to a recent security update that prevents adding scripts to backend fields to prevent any malicious code execution (just like you suspected). We recommend placing your script in the footer of your website or using a separate JavaScript file. You can target the button using a custom selector within the script (which is likely already the case). We are actively looking for an alternative, to avoid having to do the above. If you need assistance with this or have any questions, feel free to ask us here: https://help.wpdarko.com/en. A dev from our team can help you get it to work! Sorry again 😔
Similar thread here: https://wordpress.org/support/topic/paypal-buttons-not-working-in-table/
Only there is no JavaScript in the form as well, it’s just a form: https://pastebin.com/Kvqduhrv. So the solution for me is not putting a JavaScript somewhere else. It seems to strip most of the form options, so leaving only a table with no submit button and no text input fields.
Removing the table does appear to work as it just strips all form and input tags etc.
It isn’t just about JavaScript. We use wp_kses_post() to clean user input and that will strip form tags. Even when being super permissive with the allowed HTML, the PayPal button won’t show. More info about the dangers of user created form tags here: https://security.stackexchange.com/questions/120813/is-a-html-form-tag-more-exploitable-than-a-html-link-in-user-submitted-content

You could argue that admins should be able to add custom JS/HTML in backend fields, unfortunately everything gets stripped for security reasons. Leaving a vulnerability issue unfixed will get our plugin reported and then closed 😔.
Obviously not saying it is a great alternative at all, but using Stripe you could generate payment links that you can use in standard buttons.
Hello, good news! It should work now with v5.1.12. We have worked on a fix with the help of the nice people at WPScan. Administrators and Editors can now add unfiltered HTML to the custom button field. Note that you might need to publish your pricing table again (hit Publish) in order to save the snippet in your database.
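An added example, not part of the thread and not the plugin's own code: a PHP sketch of the two behaviours discussed above, the wp_kses_post() filtering of a script-free form and a role-based exception for trusted users. The function names, the sample form and its URL are constructed, and gating on WordPress's core unfiltered_html capability is an assumption about how such a check can be written.

```php
<?php
// Added illustration, not the plugin's own code. Assumes WordPress is loaded,
// for example by running this file with WP-CLI: wp eval-file kses-demo.php

/** Hypothetical helper: tag names in $html that the 'post' allowlist lacks. */
function example_tags_outside_post_allowlist( $html ) {
	$allowed = array_keys( wp_kses_allowed_html( 'post' ) );
	preg_match_all( '/<\s*([a-z][a-z0-9]*)/i', $html, $matches );
	$used = array_unique( array_map( 'strtolower', $matches[1] ) );
	return array_values( array_diff( $used, $allowed ) );
}

/** Hypothetical save-time filter for a "custom button" field. */
function example_sanitize_custom_button( $raw ) {
	// Core capability; on a single-site install Administrators and Editors
	// hold it by default, on multisite only super admins do.
	if ( current_user_can( 'unfiltered_html' ) ) {
		return $raw;
	}
	return wp_kses_post( $raw ); // expects unslashed input
}

// Constructed sample: a script-free payment form (placeholder endpoint and values).
$sample = '<form action="https://payments.example/checkout" method="post">'
	. '<input type="hidden" name="item_id" value="PLACEHOLDER">'
	. '<input type="submit" value="Buy now">'
	. '</form>';

echo 'Tags outside the post allowlist: ',
	implode( ', ', example_tags_outside_post_allowlist( $sample ) ), PHP_EOL;
echo 'After wp_kses_post(): ', wp_kses_post( $sample ), PHP_EOL;
echo 'Stored for the current user: ', example_sanitize_custom_button( $sample ), PHP_EOL;
```

Run without a logged-in user, the last line shows the filtered markup; run as a user holding unfiltered_html, it shows the form unchanged.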