• Resolved codifex

    (@codifex)


    Hello,

    I am using the NextCellent Gallery plugin 1.9.18 on WordPress 3.9.1 on multiple websites.

    Until one of the recent updates it was possible to use HTML code to format the image description (e.g., <strong>Main title:</strong> Description).

    However, in the current version of the plugin HTML elements contained in the image description get removed automatically.

    Is this intended behavior? Is there any way to restore the previous behavior of the plugin?

    This change breaks existing websites based on the plugin that make use of rich formatting of image descriptions.

    Thanks!

    https://wordpress.org/plugins/nextcellent-gallery-nextgen-legacy/

Viewing 10 replies - 1 through 10 (of 10 total)
  • Plugin Author WPReady

    (@wpready)

    Hi codifex,
    1.9.18 addressed a serious vulnerability problem, which included the behavior you mentioned as a side effect :(.

    I’m working to include a fix; it is likely you will need to include a filter to override this current behavior.

    Currently the plugin has no direct workaround other than modifying the source code.
    My apologies for that.

    Thread Starter codifex

    (@codifex)

    Hi WPReady,

    Okay, I will wait until there is a fix available. Thank you for your quick reply and your effort, which I highly appreciate :).

    I’m having the same problem. Hope you are able to solve soon. Thanks for the great plugin. I’m swapping out Nextgen on all my clients’ sites.

    It looks like you are using the sanitize_text_field function on the field output, which strips out all HTML markup. Is the vulnerability a problem with HTML injected code, or is this overkill to clean up other possible script injections?

    It seems like you would actually perform the sanitization on the content from the form submission before it is updated in the database, and not on content that has already been inserted.

    I’ve got a client that wants to add hyperlinks to their descriptions, which works on the initial tests, but becomes a problem if they update any data in the gallery after that, since the output is stripped on the following edits.

    Same as jayque9. Glad the dev is aware. Thanks.

    This should be fixed with the latest update.

    Thread Starter codifex

    (@codifex)

    Hello, I just wanted to confirm that the last update fixed the problem. WPReady, thanks a lot for updating the plugin so quickly :-)!

    Closer. It does not delete hyperlinks that are added as part of the description, but I’m seeing the backslashes that are added to the string when double or single quotes are in the text field.

    Each time you press the save button, additional backslashes are added to escape the content.

    For example, the string

    he said, “this is a quote”

    would be saved as

    he said, \”this is a quote\”

    Upon saving again you get

    he said, \\\”this is a quote\\\”

    I took a quick look at manage-images.php, and noticed that you are now calling the wp_kses function on the description output. I had to look it up in the Codex to see what this function actually does, and in its description it states you have to remove any slashes from PHP’s magic quotes before you call this function.

    I changed line 507 of manage-images.php from

    $img_description = wp_kses($picture->description,$allowedposttags);

    to

    $img_description = wp_kses( stripslashes($picture->description),$allowedposttags);

    This seems to resolve my problem with the multiplying backslash escapes.
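    To make the two points raised in this thread concrete (sanitizing stored data on output, and the backslashes multiplying on every save), here is an added PHP example. It is not code from the plugin or from any poster. It assumes the request arrives slashed, which it simulates with addslashes(), and it stands in for wp_kses() with PHP's built-in strip_tags() allow-list (a simplification: wp_kses also filters attributes, strip_tags does not). The function names and the sample description are constructed for the example.

```php
<?php
// Added example, not the plugin's code. Simulates the round-trip a
// description takes on each save of the edit form.
// Assumptions: the submitted value is slashed (WordPress slashes request
// data, like the old magic quotes), and wp_kses() is approximated by
// strip_tags() with an allow-list.

const ALLOWED_TAGS = '<strong><em><a>';

// Broken path: filter the still-slashed value and store the result as-is.
// Every save adds one more layer of escaping to each quote.
function save_description_broken(string $submitted): string {
    $slashed = addslashes($submitted);          // what the request looks like
    return strip_tags($slashed, ALLOWED_TAGS);  // wp_kses stand-in, slashes kept
}

// Fixed path: remove the request slashes first, then apply the allow-list.
// The stored value is now stable across repeated saves.
function save_description_fixed(string $submitted): string {
    $slashed = addslashes($submitted);
    return strip_tags(stripslashes($slashed), ALLOWED_TAGS);
}

// Simulate opening the edit form $n times and pressing save each time
// without changing anything: the stored value is resubmitted as-is.
function save_n_times(callable $save, string $description, int $n): string {
    for ($i = 0; $i < $n; $i++) {
        $description = $save($description);
    }
    return $description;
}

// Constructed sample: a quoted phrase, an allowed tag and a disallowed one.
$original = 'he said, "this is a quote" <strong>Main title:</strong> <script>alert(1)</script>';

echo "broken x1: ", save_n_times('save_description_broken', $original, 1), "\n";
// broken x1: he said, \"this is a quote\" <strong>Main title:</strong> alert(1)
echo "broken x2: ", save_n_times('save_description_broken', $original, 2), "\n";
// broken x2: he said, \\\"this is a quote\\\" <strong>Main title:</strong> alert(1)
echo "fixed  x1: ", save_n_times('save_description_fixed', $original, 1), "\n";
// fixed  x1: he said, "this is a quote" <strong>Main title:</strong> alert(1)
echo "fixed  x2: ", save_n_times('save_description_fixed', $original, 2), "\n";
// fixed  x2: he said, "this is a quote" <strong>Main title:</strong> alert(1)
```

    Run it with php on the command line. The broken path reproduces the growth from \" to \\\" seen in the thread, while the fixed path keeps the allowed <strong> tag, drops the disallowed <script> tag, and returns the same string no matter how many times it is saved. The stripslashes() call belongs before the filter because the slashes are transport escaping from the request, not part of the content the allow-list should see.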

    Plugin Author WPReady

    (@wpready)

    Hi jayque9,
    thanks for your comments.
    I’ll include this fix also. However, I’m making some extra tests before releasing it.

  • The topic ‘Prevent removal of HTML code from image descriptions’ is closed to new replies.