Bug #3283
closed
Functionality/Page Builder not working in Make theme
Added by bethany holmstrom about 10 years ago.
Updated about 10 years ago.
Category name:
WordPress Themes
Description
Normally I'd go to the theme developer with this one, but as I used this theme before on my self-hosted blog with no issues, I'm wondering if this a Commons-specific problem. Make theme has a page builder, where you can insert a gallery or banner slider. Neither of these functions works on my Commons site: the gallery doesn't appear at all, the slider displays a line of code (seen here, under my main page text/images - http://bethanyholmstrom.net/research/). I deactivated all my plug-ins including Jet Pack, but still the line of code appears. Any suggestions or fixes? It looks like we have the most current version of the theme on the Commons as well. I've fiddled with it for a couple of weeks with no improvements, so I'm hoping you all can suggest something...
- Category name set to WordPress Themes
- Status changed from New to Assigned
- Assignee set to Boone Gorges
- Assignee changed from Boone Gorges to Raymond Hoh
Ray, if you have a chance to look at this soon, please do. I have a premonition it has to do with unfiltered_html on MS.
- Target version set to 1.6.8
You're absolutely right, Boone.
Make theme's page builder saves various HTML tags like <style>, <section>, and <div> as the page content. These get stripped for non-super admins in multisite.
To workaround this, I've removed KSES when saving a page and when Make's custom page builder template is in use. This ensures that Make's functionality such as the Banner and Gallery will work.
See commit 09434ec.
Boone: Let me know what you think of the approach.
Once v1.6.8 is released, Bethany should edit the Make page and resave. Afterwards, she should check the page and make sure everything works as intended.
Thanks, Ray! Good to know my instincts are not always wrong :)
Your solution looks like it should be fine. I guess, in theory, it would be nice to add whitelisted tags to allowed_tags rather than lifting kses filters altogether. Would that be much harder? Do you think we can come up with a short list of tags that need to be let through? More importantly, do you think that this additional work would result in any appreciable security improvements over the more general fix you've put in place in 09434ec?
I was thinking about whitelisting the various HTML elements, but would this be applicable across the site or just when the Make theme is in use?
The positives with whitelisting is improved security. Right now, it might be technically possible to add any HTML into the slide excerpts in Make when using their page builder template.
The only downside with whitelisting is we have to whitelist each attribute that Make uses.
For example, this is just one <div> block when Make's slider is in use:
<div class="builder-section-content cycle-slideshow" data-cycle-log="false" data-cycle-slides="div.builder-banner-slide" data-cycle-swipe="true" data-cycle-timeout="6000" data-cycle-fx="scrollHorz">
Would have to look at all the markup that the Make theme generates for each feature it has. It wouldn't be much harder. Just requires a bit of time and testing.
Oh crud, I forgot about attributes :)
Would you mind taking a couple minutes to see how Make works at this level? There's a small likelihood that there's a centralized place where they list all the attributes/tags that they use (like for an internal whitelist). If so, let's build a whitelist ourselves. Otherwise, let's go with the solution you've already put in place. IMO it's not worth the effort (for our trusted users) to compile an exhaustive whitelist by scouring the entire source of Make.
- Target version changed from 1.6.8 to 1.7
FYI - I have put the interim fix into place on the Commons. Bethany, please resave your settings as Ray suggests, and see if the problem is resolved. I'm going to keep this ticket open and move to a future milestone to see if it's possible to find a better solution. If it turns out it's not, we'll switch it back to 1.6.8 and mark it resolved. Thanks!
Hi Ray & Boone -
The gallery and slideshow function both work on Make's Page Builder now - many thanks!!!
Very glad to hear it, Bethany. Thanks for the update!
- Status changed from Assigned to Resolved
- % Done changed from 0 to 100
Applied in changeset commit:09434ec8c9fd8af9e0869f5766c37d32a56e3217.
Also available in: Atom
PDF