Banner sections won't take any scripts.

Status
Not open for further replies.

ebturner

Chevereto Member
Hello!

I'm trying to insert a banner script to show on the homepage, but when I save the code it appears the system is removing the script / sanitizing it. Is there any way around this? Several of the affiliate networks use scripting to show their ads.
 

Attachments

  • 2017-05-29_193518.png
Seems to me that your server is removing those. The script won't remove or even touch those.
 
Thanks for the feedback Rodolfo!

I don't see how, as I'm able to add scripts to other sites on the same hosting. I will keep looking, but in past experience with another PHP application (not yours) they were sanitizing the field before saving it, which stripped all the code other than basic HTML. ( $good_string = sanitize($bad_string); ) Thus the reason why I'm thinking those fields might be going through the same process prior to saving to the database?
 
Maybe this is filtering it? As soon as I add anything <script>.....</script> it's removed from the field.
 

Attachments

  • 2017-05-29_201148.png
I don't remember if this is because of safe mode or some security server-level module, but the thing is that some aggressive setting just disables the contents of any <script> tag. You either disable that thing or just populate the database directly.

To be honest, I don't know what other scripts do, maybe they do some JS-side encryption or something like that to avoid this filter, which doesn't seem to be a standard feature today.
 
That screen capture of the code was from your functions.php module, not some other script. But it may be something in the G code you use for the site which sanitizes the entry field and does not allow any scripts to be saved. If it was a "server" restriction then I would not be able to save the script in the field directly (but I can).

While ads that use script are not used as much as before, you can still find those kinds of ads on many networks...including Commission Junction which is one of the largest affiliate programs. Thankfully they do offer html ads as well. But some of the programs I wanted to promote I will not be able to unless I directly modify the database. I can do that, but wanted to ask you beforehand as it seemed odd that the ad blocks would be sanitized knowing that scripts could be included for pixel tracking and other things related to ads.

Heck, look at Google AdSense! It is impossible to serve those ads right now with Chevereto because they use scripts.

Code:
<script async src="//pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script>
<!-- Homepage Leaderboard -->
<ins class="adsbygoogle"
     style="display:inline-block;width:728px;height:90px"
     data-ad-client="ca-pub-1234567890123456"
     data-ad-slot="1234567890"></ins>
<script>
(adsbygoogle = window.adsbygoogle || []).push({});
</script>

What happens when you insert that code into one of your ad blocks and click save? Does it stay in the ad block, or does your site also remove the entire <script> section?

I would think that someone would be using adsense ads on their site. So I'm perplexed as to why I'm not able to. I guess I will keep digging around and hopefully find an answer.

Thanks,
Eric
 
That screen capture of the code was from your functions.php module, not some other script. But it may be something in the G code you use for the site which sanitizes the entry field and does not allow any scripts to be saved. If it was a "server" restriction then I would not be able to save the script in the field directly (but I can).

The system doesn't sanitize code for database insertion, it does that for HTML printing and only when you pass that second argument. There's no point in evaluating a function if you aren't looking at where the function is being called rather than just the function declaration:

upload_2017-5-30_13-2-8.png

$safe_html is used only to cast those banners at Dashboard, because if I don't do that the system will show the banner (evaluates JS) rather than allow us to edit the field. In any case, $safe_html doesn't remove tags, it just does an entity encode. As you may notice, the render (actual function used for printing) forces $safe_html FALSE.

What happens when you insert that code into one of your ad blocks and click save? Does it stay in the ad block, or does your site also remove the entire <script> section?

At the demo I'm able to save a banner with mixed code.

Screenshot_20170530-124709.png

You can check that it loads "Test" + ad code at the homepage. If I tell you that the system doesn't trim those, it is because I'm sure about it and you should just stop with the idea that Chevereto is trimming that code in that section. Here, taken from homepage:

upload_2017-5-30_12-57-38.png

(At my localhost I'm also able to do it and I'm running WIN Apache there).

I don't want misunderstandings with the functionality of that $safe_html flag so here is what happens when you use $safe_html = TRUE:

upload_2017-5-30_13-13-22.png

It doesn't strip tags, it just converts the code from HTML to HTML entities, so the code gets replaced with something like this:

Code:
TEST

&lt;script async src=&quot;//pagead2.googlesyndication.com/pagead/js/adsbygoogle.js&quot;&gt;&lt;/script&gt;
&lt;!-- Homepage Leaderboard --&gt;
&lt;ins class=&quot;adsbygoogle&quot;
style=&quot;display:inline-block;width:728px;height:90px&quot;
data-ad-client=&quot;ca-pub-1234567890123456&quot;
data-ad-slot=&quot;1234567890&quot;&gt;&lt;/ins&gt;
&lt;script&gt;
(adsbygoogle = window.adsbygoogle || []).push({});
&lt;/script&gt;


That's why it is a safe_html flag and not a strip_tags flag, because I'm doing entities, not stripping.

Like I said, this is your server trimming the stuff and at this time Chevereto doesn't support any non-standard server extra security module.

Cheers,
Rodolfo.
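
The thread turns on telling three outcomes apart: the banner stored unchanged, entity-encoded, or with its tags or script removed. The sketch below compares a submitted banner with what comes back and names the outcome. It is an added example, not code from the posts above or from Chevereto; the function names and the sample banner are hypothetical and constructed for illustration.

```php
<?php
// Added example: hypothetical helpers, not Chevereto's own functions.

// Entity-encode a banner for display in an edit form
// (the behaviour the thread describes for $safe_html = TRUE).
function encode_for_edit(string $banner): string
{
    return htmlspecialchars($banner, ENT_QUOTES, 'UTF-8');
}

// Classify what happened to a banner between submission and read-back.
function classify_stored(string $submitted, string $stored): string
{
    if ($stored === $submitted) {
        return 'unchanged';
    }
    // Encoding is reversible: decoding gives the original back.
    if (html_entity_decode($stored, ENT_QUOTES, 'UTF-8') === $submitted) {
        return 'entity-encoded';
    }
    // Tag stripping keeps the text between tags but drops the tags.
    if ($stored === strip_tags($submitted)) {
        return 'tags-stripped';
    }
    // A filter that drops the whole element leaves no trace of it.
    if (stripos($submitted, '<script') !== false
        && stripos($stored, '<script') === false
        && stripos($stored, '&lt;script') === false) {
        return 'script-removed';
    }
    return 'modified';
}

// Constructed sample banner, shortened from the snippet in the thread.
$submitted = "TEST\n<script>(adsbygoogle = window.adsbygoogle || []).push({});</script>";

// Constructed read-back values, one per behaviour discussed above.
$cases = [
    'stored as-is'          => $submitted,
    'entity encode'         => encode_for_edit($submitted),
    'strip_tags'            => strip_tags($submitted),
    'script element filter' => preg_replace('#<script\b[^>]*>.*?</script>#is', '', $submitted),
];

foreach ($cases as $label => $stored) {
    printf("%-22s => %s\n", $label, classify_stored($submitted, $stored));
}
```

Running the same comparison against the value read straight from the database and against the value the browser actually submitted shows at which hop the change happens.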
 