Before we performed this last update (I don't remember what the previous one was), we could add a serialized PHP array with some custom script in a column. For example, in a PHP serialized array, in one column we add this code '<b>Test</b><script type="text/javascript">var test = 1;</script>' but on the page I only received '<b>Test</b>', as if wpDataTables removed any script from the column.
The issue is that in the past, this was possible. We had a custom script created in the PHP serialized array that generates some buttons and has some individual functions. And no, I can't put the functions directly on the pages because of the way we designed the site and the pages; it would be a huge redesign.
Attached files: Screenshot 2024-08-12 at 3.44.28 PM.png
Screenshot 2024-08-12 at 3.44.57 PM.png
Update: I checked with a previous version (the one that I could find was 6.2.1) and it works. The columns download with the <script> tags. This confirmed that a change was made in the latest version. Is there any way that I can do this with the latest version? I need to have these script tags.
Hi Victor,
Yes, I believe our developers made this change due to some vulnerability issues we had found/reported from a lot of users, so new security measures got added which prevent certain scripts/syntax from being rendered.
I am just not 100 % sure of exactly how all that works, so we will double-check with our developers to be sure.
We will focus on your example, as you said, before you were able to add something like:
<b>Test</b><script type="text/javascript">var test = 1;</script>
to the cell, but now our new security measures are 'cleaning' that script part.
As soon as our developers advise on this subject, we will report back.
I don't think we will be able to change that back as it was, due to the vulnerabilities found when that was allowed, but we will advise you on that, too.
We will see if there is any custom workaround for you to edit our Plugin code and 'revert' that security measure as it was before. If that is possible, we will share it with you.
Thank you for your patience.
Kind Regards,
Miloš Jovanović
[email protected]
Rate my support
Try our FREE mapping plugin! MapSVG - easy Google maps, interactive SVG maps and floor plans, choropleth maps and much more - https://wordpress.org/plugins/mapsvg-lite-interactive-vector-maps/
wpDataTables: FAQ | Facebook | Twitter | Instagram | Front-end and back-end demo | Docs
Amelia: FAQ | Facebook | Twitter | Instagram | Amelia demo sites | Docs | Discord Community
You can try wpDataTables add-ons before purchasing on these sandbox sites:
Powerful Filters | Gravity Forms Integration for wpDataTables | Formidable Forms Integration for wpDataTables | Master-Detail Tables
Hi Victor,
An update from our end. Our QA Team and developers tried to reproduce this issue and we are not able to.
We tried different table types, such as adding a new row in Manual tables as well as tables linked from a file source, such as Excel, and others - and we are unable to reproduce it.
On our Test Sites and tables, with our latest wpDataTables 6.6.1, it does not 'clean'/remove the script.
Here are some screenshots from a Manual table, how it renders in the cell :
And I sent a short Video in attachment demonstrating how it works in an Excel linked table.
So it seems it is not a bug/ or issue from our Plugin itself, but rather an isolated issue on your specific Table or Site.
Please provide me a temporary WP-admin (administrator) user for your website where this happens,
as well as FTP credentials so we could log in and take a look ‘from the inside’ as that’s the most efficient way to see and resolve the issue.
We do not interfere with any data or anything else except for the plugin (in case that’s a production version of the site), and of course, we do not provide login data to third parties.
You can write the credentials here; just check PRIVATE Reply so nobody can see them except us.
And please confirm the Table ID.
Thank you.
Attached files: Cant reproduce from Excel linked or Manual tables.mkv
Kind Regards,
Miloš Jovanović
Your example is exactly what is happening on my end. In previous versions, if you wrote a <script> tag, it would validate that <script> tag and process it like a script element inside that cell, but now it is removing the script tag and leaving whatever is written inside the script tag as text in the cell. I need this because I was creating some custom variables in the table to use in JavaScript with data pulled from the serialized PHP. Is there any way that I can use script tags in the cells? Right now I have reverted to a previous version that lets me do this.
Hi Victor,
As mentioned, we are unable to reproduce that issue on our end, and we tried multiple Test websites.
So our new Plugin versions are not actually doing this, but it seems to rather be some isolated issue on your Site - it seems something outside of our Plugin is 'cleaning' that script tag on your end.
Our developers can try to help you isolate what is doing it, but they need remote access as requested in the previous reply.
If you wish our devs to investigate it remotely, please provide me a temporary WP-admin (administrator) user for your website where this happens,
as well as FTP credentials so we could log in and take a look ‘from the inside’ as that’s the most efficient way to see and resolve the issue.
We do not interfere with any data or anything else except for the plugin (in case that’s a production version of the site), and of course, we do not provide login data to third parties.
You can write the credentials here; just check PRIVATE Reply so nobody can see them except us.
And please confirm the Table ID.
Thank you.
Kind Regards,
Miloš Jovanović
I checked with a JSON file, but it is doing the same in the newest versions.
Working on the issue, I think the problem is that the newest version is sanitizing the data and stripping any tag that could inject data in one way or another. I'm trying to find where it does that to see if I can bypass it in some way.
I found the issue, and it is exactly what I guessed. In class.wpdatatable.php, lines 1900-1907, this was added:
$dataRow[$key] = wp_kses_post($dataRow[$key]);
If I comment out this line, it starts working again. I need to find a way to bypass this without having to modify the plugin in order to add script tags along with other tags that I need inside the cells.
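An added example, not part of the original thread and not wpDataTables code: one way to keep per-row buttons and values without `<script>` tags in cells is to put only data in the cell markup and run the logic from a single page-level script that accepts an allow-list of actions. It assumes the `data-*` attributes on the button pass the `wp_kses_post` call quoted above and that the site can load one script on the page; the class name, attribute names and action names are hypothetical.

```javascript
// Constructed sample of what a cell would hold (data only, no executable code):
//   <b>Test</b><button class="cell-action" data-action="showDetails" data-row-id="42">Details</button>

// Allow-list of actions the page script is willing to run. Names and bodies
// are hypothetical placeholders for the site's own functions.
const CELL_ACTIONS = Object.freeze({
  showDetails: ({ rowId }) => `details:${rowId}`,
  archiveRow: ({ rowId }) => `archive:${rowId}`,
});

// Validate the data-* values before any handler sees them. Cell content is
// treated as untrusted input even after server-side sanitizing.
function parseCellDataset(dataset) {
  const action = String(dataset.action || '');
  // Own-property check so names like "constructor" never resolve.
  if (!Object.prototype.hasOwnProperty.call(CELL_ACTIONS, action)) {
    return { ok: false, reason: 'unknown action' };
  }
  const rowId = Number.parseInt(dataset.rowId, 10);
  // Reject missing, negative, or partially numeric ids such as "42abc".
  if (!Number.isSafeInteger(rowId) || rowId < 0 || String(rowId) !== String(dataset.rowId)) {
    return { ok: false, reason: 'bad row id' };
  }
  return { ok: true, action, rowId };
}

// Run the requested action, or return null when validation fails.
function runCellAction(dataset) {
  const parsed = parseCellDataset(dataset);
  if (!parsed.ok) return null;
  return CELL_ACTIONS[parsed.action]({ rowId: parsed.rowId });
}

// Browser wiring: one delegated listener covers every row, including rows
// added later by paging or filtering. Skipped outside a browser.
if (typeof document !== 'undefined') {
  document.addEventListener('click', (event) => {
    const button = event.target.closest('button.cell-action');
    if (button) runCellAction(button.dataset);
  });
}
```
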
Hi Victor,
As mentioned, the issue which happens for you in the latest Plugin version does not happen on our Test sites and tables;
As you saw on our video - for us everything still works as it was before.
Since we are unable to reproduce it - we can only help if you send us remote access to your Site to investigate the issue.
And, since you have now edited the code, can you please create a separate, Staging version of your Site with unmodified code - so that our developers can see how that issue happens on your Site?
Then send us the URL for the Staging Site - along with Administrator user credentials, and confirm a Table ID where we can try to edit and test how it sanitizes the data in the cells, etc, during editing.
Just ensure to send the access in the PRIVATE reply, for security reasons.
Thank you.
Kind Regards,
Miloš Jovanović