Invalid Action Network Embed Code again

  • Jeremy Malcolm

    (@jeremy-malcolm)


    1 month, 3 weeks ago

    On lines 1161 and 1297 of actionnetwork.php, the plugin is only validating embed codes versions 2-4. Action Network is currently on version 6, so the regex needs updating.

    Additionally, the embed is failing validation because you’re running wp_kses_post() on the embed code before applying the regex. That sanitization alters the <script> tag or query string, so the regex never matches. The raw wp_unslash() value needs to be used for parsing/validation.

    These two issues lead to an “invalid embed code” error.

    • This topic was modified 1 month, 3 weeks ago by Jeremy Malcolm. Reason: Added another related bug
Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author Concerted Action

    (@concertedaction)

    1 month, 3 weeks ago

    Thanks for this report. We’ve just pushed a fix. Let me know if this resolves your issue?

    Thread Starter Jeremy Malcolm

    (@jeremy-malcolm)

    1 month, 2 weeks ago

    Yes thanks, though you may also want to fix another issue where the Date field on the Add action screen is malformed due to another misuse of wp_kses_post() in echo wp_kses_post( actionnetwork_build_time_input(…) );. If you take a look at the form you’ll see what I mean, you can’t miss it. It is outputting raw sanitized HTML and Javascript instead of form fields.

Viewing 2 replies - 1 through 2 (of 2 total)

You must be logged in to reply to this topic.