2.7.4.4 - Buttons no more javascript

Unfortunately, the buttons no longer work, they no longer do what they are supposed to do.
On the right side you can see “Book appointment” here everything works perfectly.
The call to action on the page button has the following link:
javascript:toggleDrFlexAppointments()
However, this is no longer triggered.
So far it has always worked without problems, it is a booking tool, so help is needed.
Thank you.

Hi there, It worked for me

He downgraded. Unfortunately, if you check the changelogs, we had to fix a number of security issues, which included sanitizing link field outputs with the WP core function esc_url(), which we have correctly done. You were taking advantage of an XSS security issue to add javascript to a href field.

There is a workaround to disable WP security for esc_url(): this filter I made for someone that was incorrectly using relative URLs like sample-page instead of /sample-page which esc_url would have allowed. You might be able to modify it to allow your javascript through.

/**
 * Completely bypass WP security for urls that start with a letter
 */
add_filter( 'clean_url', function( $good_protocol_url, $original_url, $_context ) {
	if ( preg_match( '/^(?!http)[a-z0-9]/', $original_url ) ) {
		$good_protocol_url = $original_url;
	}
	return $good_protocol_url;
}, 10, 3 );

I created the following code and implemented it in the functions.php in the child theme, it still does not work, any idea?
And many thanks for the fast help, much appreciated!

/**
 * Allow JavaScript URLs through WordPress sanitization in specific cases.
 */
add_filter( 'clean_url', function( $good_protocol_url, $original_url, $_context ) {
	// Specifically allow URLs starting with "javascript:" but only for known safe functions
	if ( preg_match( '/^javascript:toggleDrFlexAppointments()/', $original_url ) ) {
		return $original_url;
	}
	return $good_protocol_url;
}, 10, 3 );

That's in no way a valid regular expression.

/**
 * Allows specific JavaScript URLs through WordPress sanitization.
 */
add_filter( 'clean_url', function( $good_protocol_url, $original_url, $_context ) {
	// Specifically allows URLs that begin with "javascript:toggleDrFlexAppointments()"
	if ( preg_match( '/^javascript:toggleDrFlexAppointments();?$/', $original_url ) ) {
		return $original_url;
	}
	return $good_protocol_url;
}, 10, 3 );

Better? :wink: Sorry, I am no coder, just using ChatGPT to help me in this case^^

ChatGPT has no idea and is dangerous to use on a live site.

Turns out, because your code starts with javascript:, esc_url considers that a protocol, like http, ftp, etc.

So you have to tell WP to allow it; you don't need the original snippet.

add_filter( 'kses_allowed_protocols', function( $protocols ) {
	$protocols[] = 'javascript';
	return $protocols;
});

Thanks, that works for us.
Much appreciated, have a great day!
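
An added example, not part of the original thread or the plugin's code: the `kses_allowed_protocols` filter above applies to every URL WordPress escapes, so an alternative is to leave `esc_url()` strict, give the button a fragment-only href (which carries no protocol), and call the booking function from a script. The `#drflex-appointments` href and the function names other than `toggleDrFlexAppointments()` are assumptions made for this sketch.

```javascript
// ASSUMPTION: the button's link field is set to this fragment instead of
// "javascript:toggleDrFlexAppointments()". The name is hypothetical.
const APPOINTMENT_HREF = '#drflex-appointments';

// Walk up from the clicked node so clicks on an icon or <span> inside the
// button still resolve to the surrounding <a>. Returns the link or null.
function findAppointmentLink(target) {
  for (let el = target; el; el = el.parentNode) {
    if (el.tagName === 'A' && el.getAttribute('href') === APPOINTMENT_HREF) {
      return el;
    }
  }
  return null;
}

// One delegated listener covers every matching button on the page, including
// ones a page builder renders after load. Returns the handler for testing.
function bindAppointmentLinks(doc, toggle) {
  const onClick = (event) => {
    if (!findAppointmentLink(event.target)) {
      return false; // unrelated click: leave default navigation alone
    }
    event.preventDefault(); // do not jump to the fragment
    toggle();
    return true;
  };
  doc.addEventListener('click', onClick);
  return onClick;
}

// Browser entry point. toggleDrFlexAppointments() is the booking tool's
// global named in the thread; it is looked up at click time in case the
// tool's script loads after this one.
if (typeof document !== 'undefined') {
  bindAppointmentLinks(document, () => {
    if (typeof window.toggleDrFlexAppointments === 'function') {
      window.toggleDrFlexAppointments();
    }
  });
}
```

With this in place no `javascript:` protocol needs to be allowed, so the sanitizing added in the update stays in effect for all other link fields.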
