Functionality/Page Builder not working in Make theme
Normally I'd go to the theme developer with this one, but as I used this theme before on my self-hosted blog with no issues, I'm wondering if this is a Commons-specific problem. Make theme has a page builder, where you can insert a gallery or banner slider. Neither of these functions works on my Commons site: the gallery doesn't appear at all, the slider displays a line of code (seen here, under my main page text/images - http://bethanyholmstrom.net/research/). I deactivated all my plug-ins including Jet Pack, but still the line of code appears. Any suggestions or fixes? It looks like we have the most current version of the theme on the Commons as well. I've fiddled with it for a couple of weeks with no improvements, so I'm hoping you all can suggest something...
#3 Updated by Raymond Hoh almost 5 years ago
- Target version set to 1.6.8
You're absolutely right, Boone.
Make theme's page builder saves various HTML tags like <div> as the page content. These get stripped for non-super admins in multisite.
To work around this, I've removed KSES when saving a page and when Make's custom page builder template is in use. This ensures that Make's functionality such as the Banner and Gallery will work.
See commit 09434ec.
Boone: Let me know what you think of the approach.
Once v1.6.8 is released, Bethany should edit the Make page and resave. Afterwards, she should check the page and make sure everything works as intended.
#4 Updated by Boone Gorges almost 5 years ago
Thanks, Ray! Good to know my instincts are not always wrong :)
Your solution looks like it should be fine. I guess, in theory, it would be nice to add whitelisted tags to allowed_tags rather than lifting kses filters altogether. Would that be much harder? Do you think we can come up with a short list of tags that need to be let through? More importantly, do you think that this additional work would result in any appreciable security improvements over the more general fix you've put in place in 09434ec?
#5 Updated by Raymond Hoh almost 5 years ago
I was thinking about whitelisting the various HTML elements, but would this be applicable across the site or just when the Make theme is in use?
The positive with whitelisting is improved security. Right now, it might be technically possible to add any HTML into the slide excerpts in Make when using their page builder template.
The only downside with whitelisting is we have to whitelist each attribute that Make uses.
For example, this is just one <div> block when Make's slider is in use:
<div class="builder-section-content cycle-slideshow" data-cycle-log="false" data-cycle-slides="div.builder-banner-slide" data-cycle-swipe="true" data-cycle-timeout="6000" data-cycle-fx="scrollHorz">
Would have to look at all the markup that the Make theme generates for each feature it has. It wouldn't be much harder. Just requires a bit of time and testing.
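The allowlist alternative weighed in comments #4 and #5, sketched as an added example that is not part of this ticket or of commit 09434ec: it extends the KSES allowlist for post content through WordPress's `wp_kses_allowed_html` filter instead of removing the KSES filters. The function names are hypothetical, the theme directory name `make` is an assumption, and the attribute list covers only the one slider `<div>` quoted above.

```php
<?php
/**
 * Added example, not Commons or Make theme code.
 * Keeps KSES active and allows only the attributes the slider needs.
 */

// Attributes copied from the slider <div> quoted in this thread.
// A complete allowlist would need every tag and attribute that
// Make's page builder emits for each of its features.
function example_make_div_attributes() {
	return array(
		'class',
		'data-cycle-log',
		'data-cycle-slides',
		'data-cycle-swipe',
		'data-cycle-timeout',
		'data-cycle-fx',
	);
}

function example_make_kses_allowed_html( $allowed, $context ) {
	// Only extend the allowlist that is applied to post/page content.
	if ( 'post' !== $context ) {
		return $allowed;
	}
	// Assumption: the Make theme lives in a directory named "make".
	// On multisite this scopes the change to sites using that theme.
	if ( 'make' !== get_template() ) {
		return $allowed;
	}
	if ( ! isset( $allowed['div'] ) ) {
		$allowed['div'] = array();
	}
	foreach ( example_make_div_attributes() as $attr ) {
		$allowed['div'][ $attr ] = true;
	}
	return $allowed;
}
add_filter( 'wp_kses_allowed_html', 'example_make_kses_allowed_html', 10, 2 );

// Constructed sample: part of the quoted slider <div> plus an onclick
// handler that is NOT in the allowlist, filtered the way saved post
// content is filtered for users without unfiltered_html.
function example_make_kses_check() {
	$html = '<div class="builder-section-content cycle-slideshow" '
		. 'data-cycle-timeout="6000" onclick="x()">slide</div>';
	return wp_kses( $html, 'post' );
}
```

Because the filter only adds named attributes to one tag, anything outside the list is still subject to the normal KSES rules for non-super admins.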
#6 Updated by Boone Gorges almost 5 years ago
Oh crud, I forgot about attributes :)
Would you mind taking a couple minutes to see how Make works at this level? There's a small likelihood that there's a centralized place where they list all the attributes/tags that they use (like for an internal whitelist). If so, let's build a whitelist ourselves. Otherwise, let's go with the solution you've already put in place. IMO it's not worth the effort (for our trusted users) to compile an exhaustive whitelist by scouring the entire source of Make.
#7 Updated by Boone Gorges almost 5 years ago
- Target version changed from 1.6.8 to 1.7
FYI - I have put the interim fix into place on the Commons. Bethany, please resave your settings as Ray suggests, and see if the problem is resolved. I'm going to keep this ticket open and move to a future milestone to see if it's possible to find a better solution. If it turns out it's not, we'll switch it back to 1.6.8 and mark it resolved. Thanks!