Support » Plugin: Responsive Slider by MetaSlider - Slider and Carousel Plugin for WordPress » Gravity Forms Inputs Removed After v3.17.2

  • Resolved strategyllc


    When placing a gravity forms shortcode into the slider caption the form is no longer being displayed after updating to version 3.17.2. I had to manually revert back to version 3.17.1 and it works. I believe it has to do with the implementation of HTML Purifier.

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Contributor kbatdorf


    Hi @strategyllc

    > I believe it has to do with the implementation of HTML Purifier.

    That’s correct. We had to make allowing JS execution inside the caption opt-in. The reason is that other plugins use the “edit_others_posts” capability in non-admin roles. For example, a Woo Shop Manager has this capability. So a Shop Manager will be able to inject JavaScript on your site in the same way as you added the GF shortcode.

    Note: Some places misreported this as a remote attack exploit. That’s not the case. It requires privileged authentication from an existing user.

    To opt in, you just add a filter to your functions.php file or an mu-plugin file.

    // danger zone: do not copy/paste without understanding the context of this post
    add_filter('metaslider_filter_unsafe_html', '__return_false');

    Just know that any user with the “edit_others_posts” capability can also add JavaScript to your site. In theory they could inject ads, data tracking, etc.

    If you want to increase the MetaSlider role required to only admins, you can add this filter:

    add_filter('metaslider_capability', function() { return 'edit_theme_options'; });

    See more about roles & capabilities

    Feel free to ask any follow-up questions.
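
Added example, not part of the thread and not MetaSlider's own code: an mu-plugin that applies the two filters from the reply above together, so the opt-in is only reachable by roles holding `edit_theme_options`, and then warns administrators if any role other than administrator still holds that capability. The constant and helper names prefixed `EXAMPLE_`/`example_` are made up for this sketch; the filter names and their meaning are taken from the reply.

```php
<?php
/**
 * Plugin Name: MetaSlider caption opt-in with role audit (added example)
 * Place in wp-content/mu-plugins/. Not shipped by MetaSlider.
 */

// Hypothetical constant: the capability MetaSlider should require.
const EXAMPLE_MS_CAP = 'edit_theme_options';

// 1. Raise the required capability first, so roles that only hold
//    "edit_others_posts" (e.g. a Woo Shop Manager) cannot edit captions.
add_filter('metaslider_capability', function () {
    return EXAMPLE_MS_CAP;
});

// 2. Then opt in to script-capable caption HTML, as the reply describes.
add_filter('metaslider_filter_unsafe_html', '__return_false');

// 3. Hypothetical helper: slugs of every role that holds $cap.
function example_ms_roles_with_cap($cap) {
    $hits = array();
    foreach (wp_roles()->role_objects as $slug => $role) {
        if ($role->has_cap($cap)) {
            $hits[] = $slug;
        }
    }
    return $hits;
}

// 4. Tell site admins when a non-administrator role can still edit sliders,
//    because those users can now place JavaScript in captions.
add_action('admin_notices', function () {
    if (!current_user_can('manage_options')) {
        return;
    }
    $extra = array_diff(
        example_ms_roles_with_cap(EXAMPLE_MS_CAP),
        array('administrator')
    );
    if (empty($extra)) {
        return; // only administrators can reach the caption editor
    }
    printf(
        '<div class="notice notice-warning"><p>%s</p></div>',
        esc_html(
            'MetaSlider captions accept unfiltered HTML. Other roles that can edit them: '
            . implode(', ', $extra)
        )
    );
});
```

The audit covers role-level capabilities only; capabilities granted directly to individual users are not listed.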

  • Plugin Contributor kbatdorf



    I’ll mark this as resolved as we didn’t hear back, but feel free to reply if needed or have any more questions.
