How to protect a WordPress comment form from running scripts? - security

Recently we developed a custom theme for our WordPress website,
and I've used the native WordPress comment system; the code is something like below.
The question is: how could we protect the comment form from XSS attacks? It seems that scripts like <script>alert('hi');</script> simply run on the comments form.
Any idea?
Thank you.
<section>
<main>
<div class="comment-area">
<h2 class="comment-title -pb-20">
number of comments: <span><?php echo get_comments_number(); ?></span>
</h2>
<div class="comment-form">
<h3>Insert your comment here, please.</h3>
<?php
$arg = array(
'title_reply' => '',
'comment_notes_before' => '',
'label_submit' => 'submit',
);
comment_form($arg);
?>
</div>
<?php if (have_comments()) : ?>
<div class="comment-list">
<h1>all comments</h1>
<ul>
<?php
$args = array(
'style' => 'ul',
'callback' => null,
'end-callback' => null,
'type' => 'comment',
'reply_text' => 'reply',
'page' => '',
'per_page' => '',
'avatar_size' => 32,
'reverse_top_level' => true,
'reverse_children' => '',
'format' => 'html5',
'echo' => true,
);
wp_list_comments($args);
?>
</ul>
</div>
<div class="comments-pagination">
<?php if(get_comment_pages_count() > 1 && get_option('page_comments')) : ?>
<div>
<?php previous_comments_link('prev'); ?>
</div>
<div>
<?php next_comments_link('next'); ?>
</div>
<?php endif; ?>
</div><!-- .comments-pagination -->
<?php endif; ?>
</div>
</main>
</section>

// functions.php: strip all HTML from the comment text at display time.
// sanitize_text_field() removes every tag (harmless formatting included) and
// collapses line breaks, so this is a blunt but effective output filter.
add_filter( 'comment_text', 'sanitize_comment' );
function sanitize_comment( $comment_text ) {
$comment_text = sanitize_text_field($comment_text);
return $comment_text;
}
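An added example (not the asker's code) of the two layers a defender would put in functions.php: filter what is stored, with wp_kses() on the pre_comment_content hook, and filter what is rendered, with wp_kses_post() on comment_text, so that older rows and anything that skipped the storage filter are still neutralised on output. The mytheme_ function names are hypothetical. One fact worth knowing when testing: WordPress already runs wp_filter_kses on comments from users who lack the unfiltered_html capability, but administrators (and editors on a single site) keep that capability, so a script tag posted while logged in as admin is stored verbatim unless DISALLOW_UNFILTERED_HTML is defined.

```php
<?php
// Added example, not from the question. Place in the theme's functions.php.

// Layer 1: restrict what is STORED. `pre_comment_content` runs before the
// comment is written to the database; wp_kses() keeps only the listed tags
// and attributes and drops everything else, <script> included.
function mytheme_restrict_comment_html( $content ) {
    $allowed = array(
        'a'      => array( 'href' => true, 'title' => true, 'rel' => true ),
        'em'     => array(),
        'strong' => array(),
        'code'   => array(),
    );
    return wp_kses( $content, $allowed );
}
add_filter( 'pre_comment_content', 'mytheme_restrict_comment_html' );

// Layer 2: filter what is DISPLAYED. `comment_text` is applied by
// wp_list_comments() / comment_text(), so the theme template above needs no
// change. wp_kses_post() permits post-level markup but never scripts or
// event-handler attributes. Priority 5 runs it before WordPress's own
// make_clickable/wpautop filters on the same hook.
function mytheme_escape_comment_output( $comment_text ) {
    return wp_kses_post( $comment_text );
}
add_filter( 'comment_text', 'mytheme_escape_comment_output', 5 );

// Optional, in wp-config.php rather than here: remove the unfiltered_html
// capability from every role so admin-authored comments get filtered too.
// define( 'DISALLOW_UNFILTERED_HTML', true );
```

Compared with sanitize_text_field(), which strips every tag and line break, wp_kses() with an explicit allow-list lets commenters keep links and emphasis while still removing script, style, iframe and on* attributes; the output-side filter is what protects against comments that were inserted by other plugins or imported from elsewhere.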

Related

Getting Same Description in All the Custom Taxonomy Posts

I have developed a custom taxonomy post type. I display the categories and, inside each category, the posts (products).
I am getting the post title and image as they should be (the ones I add), but the descriptions of all the posts are the same.
I have no idea why the same description keeps displaying, even though everything else is dynamic.
Here is the code I am using:
<?php
$taxID = get_queried_object()->term_id;
$args = array(
'post_type' => 'industrial_product',
'fields' => 'ids',
'posts_per_page' => -1,
'tax_query' => array(
array(
'taxonomy' => 'industrial_product_cat',
'terms' => $taxID,
'field' => 'term_id',
'operator' => 'IN'
)
),
);
$query = new WP_Query($args);
if ($query->have_posts()):
$i=1;
foreach( $query->posts as $id ):?>
<div class="row mb-4">
<div class="col-md-4 col-12">
<?php
$image_palette = wp_get_attachment_image_src( get_post_thumbnail_id( $id ), 'single-post-thumbnail' );
?>
<img src="<?php echo $image_palette[0]; ?>" alt="" class="img-fluid" style="max-width:100%;">
</div>
<div class="col-md-8 col-12">
<ul class="nav nav-tabs" id="myTab" role="tablist">
<li class="nav-item m-0" role="presentation">
<a class="nav-link active c-2" id="productInfo<?php echo $i;?>-tab" data-toggle="tab" href="#productInfo<?php echo $i;?>" role="tab" aria-controls="productInfo<?php echo $i;?>" aria-selected="true">Product Information</a>
</li>
<li class="nav-item m-0" role="presentation">
<a class="nav-link c-2" id="std_tds<?php echo $i;?>-tab" data-toggle="tab" href="#std_tds<?php echo $i;?>" role="tab" aria-controls="std_tds<?php echo $i;?>" aria-selected="false">STD / TDS</a>
</li>
</ul>
<div class="tab-content p-3" id="myTabContent<?php echo $i;?>">
<div class="tab-pane fade show active" id="productInfo<?php echo $i;?>" role="tabpanel" aria-labelledby="productInfo<?php echo $i;?>-tab">
<h5><?php echo get_the_title($id); ?></h5>
<p><?php echo get_the_content($id); ?></p>
</div>
<div class="tab-pane fade" id="std_tds<?php echo $i;?>" role="tabpanel" aria-labelledby="std_tds<?php echo $i;?>-tab">
<?php
if(get_field('std_tds_description', $id)){
the_field('std_tds_description', $id);
}
else{
echo "No, Content.";
}
?>
</div>
</div>
</div>
</div>
<?php
$i++;
endforeach;
endif;
?>
Here is a screenshot of the result:
Can somebody point out what the problem is here? I've tried all sorts of things, but it still shows the same description.
Thanks, and sorry if I'm doing something stupid, still learning!
I just changed the call.
Old: <?php echo get_the_content( $id ); ?>
New: echo get_post_field('post_content', $id);
Don't know what was wrong, but it worked.

How to create a common search in yii2 using PJAX and grid view

I need to create a common search in a Yii2 grid which will search across all the columns of the GridView table. This is what I have done so far.
index.php
<div class="pull-right">
<?php yii\widgets\Pjax::begin(['id' => 'search-form' , 'timeout' => false, 'clientOptions' => ['method' => 'POST']]) ?>
<?php $form = ActiveForm::begin(['options' => ['data-pjax' => true ]]); ?>
<?= $form->field($model, 'searchString')->textInput(['maxlength' => 200])->label(false) ?>
<div class="form-group">
<?= Html::submitButton($model->isNewRecord ? Yii::t('app', 'Create') : Yii::t('app', 'Update'), ['class' => $model->isNewRecord ? 'btn btn-success' : 'btn btn-primary']) ?>
</div>
<?php ActiveForm::end(); ?>
<?php yii\widgets\Pjax::end() ?>
</div>
<?php Pjax::begin(['id' => 'assets']); ?>
<?=
GridView::widget([
'dataProvider' => $dataProvider,
'filterModel' => $searchModel,
/** column names **/
]);
?>
<?php Pjax::end(); ?>
<?php
// Re-load the grid's Pjax container once the search form's Pjax request finishes.
$this->registerJs(
'$(document).ready(function(){
$("#search-form").on("pjax:end", function() {
$.pjax.reload({container:"#assets"});
});
});'
);
?>
Now when I submit the search box I don't get the desired result. Is there anything I need to do to get the output I want? I looked at these links.
Link1
Link2
Please help me to achieve this.

The results of a search without GridView are not displayed in Yii2

I tried to build a search form from 2 fields, but it doesn't display the results. It just stays on site/index. Help me please.
code from siteController.php
public function actionSearch()
{
$driver = new Driver();
if ($driver->load(Yii::$app->request->post())) {
$driver = Driver::find()
->where(['from' => $driver->from])
->andWhere(['to' => $driver->to])
->all();
return $this->render('search', ['driver' => $driver]);
}
else {
throw new NotFoundHttpException('Input data not found' );
}
}
code from models/Driver.php
<?php
namespace app\models;
use yii\base\Model;
use yii\data\ActiveDataProvider;
use Yii;
/**
* This is the model class for table "driver".
*
* @property string $id
* @property string $from
* @property string $to
* @property string $data
* @property string $about
* @property string $car
*/
class Driver extends \yii\db\ActiveRecord{
/**
* @inheritdoc
*/
public static function tableName()
{
return 'driver';
}
/**
* @inheritdoc
*/
public function rules()
{
return [
// [['from', 'to', 'data', 'about', 'car'], 'required'],
[['about'], 'string'],
[['from', 'to', 'data', 'car'], 'string', 'max' => 255],
];
}
/**
* @inheritdoc
*/
public function attributeLabels()
{
return [
'id' => 'ID',
'from' => 'From',
'to' => 'To',
'data' => 'Data',
'about' => 'About',
'car' => 'Car',
];
}
}
code from site/index.php
<?php
use yii\widgets\ActiveForm;
use yii\helpers\Html;
use app\models\Driver;
/* @var $driver app\models\Driver */
?>
<?php
$driver = new Driver;
?>
<div class="row">
<div>
<?php $form = ActiveForm::begin([
'action' => ['site/search']
]); ?>
<div class="row">
<div class="col-xs-5">
<?= $form->field($driver, 'from')->label('От')->textInput(['class' => 'input form-control']) ?>
</div>
<div class="col-xs-5">
<?= $form->field($driver, 'to')->label('До')->textInput(['class' => 'input form-control']) ?>
</div>
<div class="col-xs-2" align="left" style="margin-top: 30px">
<input type="image" src="<?= \Yii::getAlias('@web/images/button_search.png')?>" class="icon_button" alt="Поиск" >
</div>
</div>
<?php ActiveForm::end(); ?>
</div>
</div>
code from site/search.php
<?php
use yii\widgets\LinkPager;
$this->title = "Поиск";
$this->registerMetaTag([
'name' => 'description',
'content' => 'driver',
]);
$this->registerMetaTag([
'name' => 'keywords',
'content' => 'driver',
])
?>
<?php if (!$driver) { ?>
<p>Ничего не найдено</p>
<?php } else { ?>
<?php foreach ($driver as $one){
$from = $one -> from;
$to = $one -> to;
$data = $one -> data;
?>
<?php return $this -> render('found_drivers', [
'from' => $from,
'to' => $to,
'data' => $data
]); ?>
<?php }?>
<?php } ?>
and site/found_drivers.php
<div class="one">
<h2><?=$id?></h2>
<hr />
<table class="">
<tr>
<td>
<p><?=$from?></p>
</td>
<td class="right">
</td>
<td class="center">
<p><?=$to?></p>
</td>
</tr>
</table>
<div class="">
<?=$data?> <br>
<div class="clear"></div>
</div>
</div>
You have a form in site/index and it's submitting to the same page. If you want to handle your form data in another action, you need to add it to your form:
$form = ActiveForm::begin([
'action' => ['site/search']
]);
More info here.
And, as @makie said in the comments, you should use render() instead of include() to render partial views.

How to perform search in yii?

I have a manage quotations page. I need a search based on the quotation name and on the project customer in a drop-down. For the quotation name I get the right search results, but the drop-down user search is not working correctly. The drop-down uses another model. The code I followed is given below:
manageprojects.php
<?php echo CHtml::link('Advanced Search','#',array('class'=>'search-button')); ?>
<div class="search-form">
<?php $this->renderPartial('_search',array(
'model'=>$bots,
'modell'=>$model,
)); ?>
</div>
_search.php
<?php
/* @var $this QuotationsController */
/* @var $model Aquotations */
/* @var $form CActiveForm */
?>
<?php $form=$this->beginWidget('CActiveForm', array(
'action'=>Yii::app()->createUrl($this->route),
'method'=>'get',
)); ?>
<style>
.row1{width:auto; overflow:hidden;}
.row20{width:20%;display:inline-block;}
</style>
<div class="row1">
<div class="row20">
<?php echo $form->label($model,'Quotation Serial No'); ?>
<?php echo $form->textField($model,'serial_no'); ?>
</div>
<div class="row20">
<?php echo $form->label($model,'Project'); ?>
<?php echo $form->textField($model,'project_id',array('size'=>60,'maxlength'=>255,'id' =>'projectsid','onkeyup' => "searchcprojects()")); ?>
<div id="searchresult" style="background:#90EE90;"></div>
</div>
<div class="row20">
<?php echo $form->label($model,'Select User'); ?>
<?php echo CHtml::dropDownList('user_id', $model->id, CHtml::listData($model::model()->findAll(array('order' => 'name')), 'id', 'name'), array('empty' => 'Select User', 'class' => 'span12')); ?>
</div>
<div class="row20">
<?php echo CHtml::submitButton('Search', array("class" => "btn btn-danger")); ?>
</div>
</div><!--row1-->
<?php $this->endWidget(); ?>
project Controller
$model = new Acustomers();
$bot=new Aquotations('search');
$bot->unsetAttributes(); // clear any default values
if(isset($_GET['Aquotations'])){
$bot->attributes=$_GET['Aquotations'];
}
$this->render('managequotations',array(
'bots' => $bot,
'model' => $model,
));
You need to use the activeDropDownList not the dropDownList:
<?php echo CHtml::activeDropDownList($model, 'user_id',
CHtml::listData(User::model()->findAll(array('order' => 'name')),'id','name'),
array('empty' => 'Select User', 'class' => 'span12'));
?>

Custom loop next and previous post links not working

I'm using WP Events Manager and Advanced Custom Fields to develop a site, I have a custom post type called 'event' which I want to display via the below:
<article class="col-main col clearfix">
<table>
<tr>
<th>Cours</th>
<th>Niveau</th>
<th>Dates</th>
<th>Heures</th>
</tr>
<?php
$args = array(
'post_type' => 'event',
'posts_per_page' => 10,
'paged' => get_query_var('paged'),
'order' => 'ASC',
'orderby' => 'meta_value',
'meta_key' => '_event_start_date');
$loop = new WP_Query( $args );
if($loop->have_posts()):
while ( $loop->have_posts() ) : $loop->the_post();
$EM_Event = em_get_event($post->ID, 'post_id');
?>
<tr>
<td><?php echo $EM_Event->output('#_EVENTLINK'); ?></td>
<td><?php the_field('niveau'); ?></td>
<td><?php if($slug != 'stages-ete'): ?>Chaque: <?php the_field('jours'); echo '<br />'; endif; echo $EM_Event->output('#_EVENTDATES'); ?></td>
<td><?php echo $EM_Event->output('#_EVENTTIMES'); ?></td>
</tr>
<?php endwhile;?>
<?php else: ?>
<tr><td colspan="4"><em>Pas de cours à venir.</em></td></tr>
<?php endif; ?>
</table>
<div class="navigation">
<div class="next-posts"><?php next_posts_link('« Older Entries'); ?></div>
<div class="prev-posts"><?php previous_posts_link('Newer Entries »'); ?></div>
</div>
</article>
But it isn't displaying the previous and next links. Any ideas?
Thanks
Try adding the arguments this way instead:
$paged = (get_query_var('paged')) ? get_query_var('paged') : 1;
$args = array(
'post_type' => 'event',
'posts_per_page' => 10,
'paged' => $paged,
'order' => 'ASC',
'orderby' => 'meta_value',
'meta_key' => '_event_start_date',
);
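An added example (not the question's or the answer's code) that carries the answer's $paged fix through to the links themselves: next_posts_link() takes a second argument, the total page count, and without it consults the main query rather than this secondary one. It also resets post data afterwards and escapes the ACF value on output. The 'event' post type, the '_event_start_date' meta key and the 'niveau' field are the question's own; get_field() is assumed to be available from Advanced Custom Fields.

```php
<?php
// Added example, not from the thread: a paginated secondary WP_Query whose
// page count is handed to next_posts_link() explicitly.
$paged = max( 1, (int) get_query_var( 'paged' ) );
$loop  = new WP_Query( array(
    'post_type'      => 'event',
    'posts_per_page' => 10,
    'paged'          => $paged,
    'order'          => 'ASC',
    'orderby'        => 'meta_value',
    'meta_key'       => '_event_start_date',
) );
?>
<table>
<?php if ( $loop->have_posts() ) :
    while ( $loop->have_posts() ) : $loop->the_post(); ?>
    <tr>
        <td><?php the_title(); ?></td>
        <!-- escape the custom-field value; it is stored text, not trusted markup -->
        <td><?php echo esc_html( get_field( 'niveau' ) ); ?></td>
    </tr>
    <?php endwhile;
else : ?>
    <tr><td colspan="2"><em>Pas de cours à venir.</em></td></tr>
<?php endif; ?>
</table>
<div class="navigation">
    <!-- second argument: this query's page count, not the main query's -->
    <div class="next-posts"><?php next_posts_link( '« Older Entries', $loop->max_num_pages ); ?></div>
    <div class="prev-posts"><?php previous_posts_link( 'Newer Entries »' ); ?></div>
</div>
<?php wp_reset_postdata(); // restore the global $post after a custom loop ?>
```

If this template is used as a static front page, WordPress stores the page number in the 'page' query var instead of 'paged', so read that one there.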
