• Resolved Shane

    (@shanemarsh28)


    A bug appears to have been introduced in v1.58.3 whereby the onclick (run JavaScript when the button is clicked) for buttons returns empty. Rolling back to 1.58.2 resolved the issue for us, so this is a bug introduced at that point. Apologies if this has already been resolved; due to a separate issue (Fatal Error 1.58.4 for NOT logged in users), it appears we may not be able to update until 1.58.6 is released.

Viewing 8 replies - 1 through 8 (of 8 total)
  • Plugin Support Andrew Misplon

    (@misplon)

    Hi Shane

    Apologies for the hassle. The OnClick field now has a pretty tight whitelist. Are you able to share your OnClick field contents? Or the main part of the value?

    Thread Starter Shane

    (@shanemarsh28)

    The contents do not appear to be output on the front end at all. An example of the markup I see is simply:

    <div class="ow-button-base ow-button-align-center">
    <a href="/a/link/" class="ow-icon-placement-left ow-button-hover"target="_blank" rel="noopener noreferrer" onclick><span>Link Title</span></a></div>

    It should be like this (see bold):

    <div class="ow-button-base ow-button-align-center">
    <a href="/a/link/" class="ow-icon-placement-left ow-button-hover" target="_blank" rel="noopener noreferrer" onclick="whateverTheFunctionIs();"><span>Link Title</span></a></div>

    Hope this helps. Also, I tested the plugin against PHP 7.4 & 8.2; it does not appear to be related to the version – I was able to replicate on both.

    Plugin Support Andrew Misplon

    (@misplon)

    Thanks for the update. If the OnClick contents aren’t on the whitelist they will be cleared for security reasons. If possible, please send your field contents. I’ll ask Alex at SiteOrigin to take a look and see if the specific pattern can be whitelisted.

    Thread Starter Shane

    (@shanemarsh28)

    I was confused about what you meant with regard to a whitelist… Can I disable this check? The contents of the OnClick are variations of this:

    Calendly.initPopupWidget({url: "https://calendly.com/extconsult/30min"});return false;
    Plugin Contributor alexgso

    (@alexgso)

    Hi Shane.

    I’ve added Calendly to the whitelist, and created a build for you to use that includes this change. You can download that build by clicking here.

    Before proceeding, do a backup.

    Navigate to Plugins > Installed Plugins and deactivate SiteOrigin Widgets Bundle and then delete it. Scroll to the top of the page and click Add New, Upload Plugin. Upload so-widgets-bundle.1.49.1-beta.zip and when prompted, activate it.

    Kind regards,
    Alex

    Thread Starter Shane

    (@shanemarsh28)

    Hi Alex,

    Thank you for the update but unfortunately I can’t upload this tweaked version of the plugin because we are also affected by the “Fatal Error 1.58.4 for NOT logged in users” issue and I don’t know if the version you supply has resolutions to that also.

    Will this fix be rolled out in the next version? We currently have your plugin on an upgrade hold until at least 1.58.6-BETA2 is officially released.

    Additionally, this OnClick issue is only the first site we know about! We have several hundred sites in our installation that could be affected in different ways that clients have not brought to our attention yet. Is it possible to maintain the OnClick whitelist ourselves or disable it? The way that it “fails” is also not desirable. The UI should be absolutely transparent and warn users if their input is affected by another process. There is no warning and it simply ignores the input. We don’t need this new feature, especially if it involves creating a support ticket to add items to this whitelist.

    Plugin Contributor alexgso

    (@alexgso)

    Hi Shane,

    The provided build is a patched version of 1.58.6 so it is not affected by that issue.

    Will this fix be rolled out in the next version?
    The provided changes will be included in an upcoming release. I’m unable to provide you with an ETA on when that release will be.

    Is it possible to maintain the OnClick whitelist ourselves or disable it?

    It’s not directly possible to modify the allow list at this time, but it is possible to disable it using a filter. This is however not recommended as it poses a security concern. That security concern was why this change was made.

    You can disable the disallow list, which will prevent any unintended restricted JavaScript code from being present, using the following PHP:

    add_filter( 'siteorigin_widgets_onclick_disallowlist', '__return_false' );

    You can disable the allowlist, which is used to restrict the “top level” functions, using the following PHP:

    add_filter( 'siteorigin_widgets_onclick_allowlist', '__return_false' );

    If you need a method of adding the above code, you can use a plugin like Code Snippets. For your specific onclick usage, both checks will fail. The provided build will allow for both of them to succeed safely.

    Kind regards,
    Alex
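
The two checks described in the reply above (a disallow list over the whole value, an allowlist over the "top level" functions) can be sketched as follows. This is an added illustration, not SiteOrigin's code: the function name, the list contents and the matching rules are assumptions, and it returns a reason alongside the emptied value so a caller could surface why the field was cleared.

```php
<?php
// Added illustration, not SiteOrigin's implementation. The list contents
// and matching rules are assumptions made for this example.

/**
 * Reject the value if it contains a disallowed token; otherwise require each
 * top-level statement to be `return true|false` or a call to an allowlisted
 * function. Returns [value_to_output, reason]; reason is null when kept.
 */
function example_check_onclick( string $value, array $allow, array $disallow ): array {
    foreach ( $disallow as $token ) {
        if ( stripos( $value, $token ) !== false ) {
            return array( '', "disallowed token: $token" );
        }
    }
    // Naive split: a ';' inside a string literal also splits, which can only
    // make the check stricter because the fragments will not match below.
    $statements = array_filter( array_map( 'trim', explode( ';', $value ) ), 'strlen' );
    foreach ( $statements as $stmt ) {
        if ( preg_match( '/^return\s+(?:true|false)$/', $stmt ) ) {
            continue;
        }
        // Dotted callee followed by exactly one balanced (...) group, so
        // "allowed(1)||other()" is refused. Arguments are not parsed; nested
        // expressions are what the disallow list has to catch.
        $call = '/^([A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*)\s*(\((?:[^()]++|(?2))*\))$/';
        if ( ! preg_match( $call, $stmt, $m ) ) {
            return array( '', "not a plain function call: $stmt" );
        }
        if ( ! in_array( $m[1], $allow, true ) ) {
            return array( '', "function not on allowlist: {$m[1]}" );
        }
    }
    return array( $value, null );
}

// Constructed sample lists; the OnClick value is the one quoted in this thread.
$value    = 'Calendly.initPopupWidget({url: "https://calendly.com/extconsult/30min"});return false;';
$disallow = array( 'eval(', 'document.cookie', '<script' );
$before   = array( 'alert', 'window.open' );
$after    = array_merge( $before, array( 'Calendly.initPopupWidget' ) );

foreach ( array( 'before' => $before, 'after' => $after ) as $label => $allow ) {
    list( $clean, $reason ) = example_check_onclick( $value, $allow, $disallow );
    printf( "%s: onclick=\"%s\" [%s]\n", $label, htmlspecialchars( $clean ), $reason ?? 'kept' );
}
```

With the constructed "before" list the value is cleared and the reason names the missing function; with `Calendly.initPopupWidget` added it is kept unchanged.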

    Plugin Support Andrew Misplon

    (@misplon)

    Hi Shane

    Thanks for your feedback. 1.58.7 has been released and accommodates Calendly. Please don’t hesitate to get in touch if any follow-up queries arise.

    Cheers
    Andrew

  • The topic ‘Button Onclick returns empty after v1.58.3’ is closed to new replies.