Hi @morehawes, thank you for this amazing plugin!
I've been exploring it for a while and I'm really excited about some integration possibilities with a plugin that I develop. However I've been stuck in a particular situation that I would like to bring here.
My plugin will programmatically run the do_shortcode(... and build the HTML in certain scenarios (a sort of custom post type where the Waymark map will be a custom post meta, to put it briefly). However before outputting our template helper function that spits the post meta content, we have to call a wp_kses on it. This is critical as we've been audited often in security issues.
The result however is that your inline <script> tag inside the shortcode function gets stripped:
This is expected. I've been discussing with AI about a way to handle this from my integration plugin side. One curious solution was to parse your shortcode HTML, extract the inline <script> section, add it to an add_action( 'wp_footer.... logic and then output only the remaining HTML. I tested and it works but well, feels hacky and may be fragile.
So I don't have a clear solution for that.
I've been through something similar in the past. I had a sort of Media Gallery block that relied on some initialization JS. It should be rendered in different contexts such as the Gutenberg block, a shortcode, function calls, etc. At first I used inline scripting because its settings were too contextual and I wanted them to be loaded in there. But then the escaping situation happened. What I did was adding some data attributes to the HTML including necessary info to run the script. Then I loaded the script from traditional enqueue functions, which would check for elements with that data attribute to parse and actually run things.
What do you think? I know it might be a niche situation but I also think inline scripts may hunt you later with security issues.
Hi @morehawes, thank you for this amazing plugin!
I've been exploring it for a while and I'm really excited about some integration possibilities with a plugin that I develop. However I've been stuck in a particular situation that I would like to bring here.
My plugin will programmatically run the
do_shortcode(...and build the HTML in certain scenarios (a sort of custom post type where the Waymark map will be a custom post meta, to put it briefly). However before outputting our template helper function that spits the post meta content, we have to call awp_kseson it. This is critical as we've been audited often in security issues.The result however is that your inline
<script>tag inside the shortcode function gets stripped:This is expected. I've been discussing with AI about a way to handle this from my integration plugin side. One curious solution was to parse your shortcode HTML, extract the inline
<script>section, add it to anadd_action( 'wp_footer....logic and then output only the remaining HTML. I tested and it works but well, feels hacky and may be fragile.So I don't have a clear solution for that.
I've been through something similar in the past. I had a sort of Media Gallery block that relied on some initialization JS. It should be rendered in different contexts such as the Gutenberg block, a shortcode, function calls, etc. At first I used inline scripting because its settings were too contextual and I wanted them to be loaded in there. But then the escaping situation happened. What I did was adding some data attributes to the HTML including necessary info to run the script. Then I loaded the script from traditional enqueue functions, which would check for elements with that data attribute to parse and actually run things.
What do you think? I know it might be a niche situation but I also think inline scripts may hunt you later with security issues.