I’m using a paid theme that includes the LayerSlider for WordPress plugin, which is amazing, but on every page where I have a slider, the plugin prints its version and a URL to the browser console. This is not a vulnerability in itself, but if one were found in the plugin, an attacker could quickly confirm affected sites by checking the browser console (easy as pie).
This is what the plugin prints to the browser console:
LayerSlider v6.x.x initialized Find updates and docs @ https://layerslider.kreaturamedia.com/
The jQuery release
In the jQuery version, you can add your settings while initializing the plugin:
$('#layerslider').layerSlider({
    // Plugin options go here...
});
And there you can add hideWelcomeMessage: true so the version and the other text won’t get printed to the browser console. Awesome 🙂
But this is not that easy for the WordPress release of the plugin 🙁
The WordPress release
After searching on Google for how to achieve this in the WP release, I found a ticket response from the plugin support team saying that, as of March 17th 2018, it is not possible yet.
At the moment it’s not possible to disable it in the WP version of LayerSlider. The solution you’ve found was for the jQuery release.
This message does not have any effect on your site and it’s only visible in the console.
But we will include an option to turn it off, to the WP version as well, in one of the future updates.
Then I read the documentation at https://layerslider.kreaturamedia.com/developers/#filter-hooks and found that there are some WordPress filters available to override the plugin's default settings. However, my first attempt to override them didn’t work 🙁
But a few hours later, after logging all the plugin settings with PHP, analyzing them and playing with the code and the available filters, I found there’s a filter named ls_parse_defaults, which the plugin itself uses multiple times with a function that selectively parses just some of the settings, therefore losing any custom settings applied earlier with this or other filters.
So I used the above-mentioned filter with a later priority, so that my function executes right after the plugin's own, and this way I was finally able to apply the setting hideWelcomeMessage: true 🙂
Solution
Add the following code to your child theme's functions.php:
// Run after the plugin's own ls_parse_defaults callback (priority 10).
add_filter('ls_parse_defaults', 'my_layerslider_override_settings', 11, 2);

function my_layerslider_override_settings($slider, $properties) {
    // Suppress the version/URL message printed to the browser console.
    $slider['attrs']['hideWelcomeMessage'] = true;
    return $slider;
}
Note that the priority is set to 11 because the plugin itself uses the filter with priority 10.
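Why the priority matters, as an added illustration that is not the plugin's or this post's own code: a minimal stand-in for the WordPress hook dispatcher, runnable with plain php outside WordPress. All demo_* names are hypothetical, and demo_plugin_parse only assumes the behaviour described above (a priority-10 callback that keeps a fixed set of settings and drops the rest).

```php
<?php
// Hypothetical stand-in for add_filter()/apply_filters(); not WordPress code.
$demo_hooks = [];

function demo_add_filter(string $tag, callable $cb, int $priority = 10): void {
    global $demo_hooks;
    $demo_hooks[$tag][$priority][] = $cb;
}

function demo_apply_filters(string $tag, array $value, ...$args): array {
    global $demo_hooks;
    $by_priority = $demo_hooks[$tag] ?? [];
    ksort($by_priority);                  // lower priority number runs first, as in WordPress
    foreach ($by_priority as $callbacks) {
        foreach ($callbacks as $cb) {
            $value = $cb($value, ...$args);
        }
    }
    return $value;
}

// Assumed plugin behaviour: rebuild 'attrs' from a fixed list of known keys,
// so any other key set by an earlier callback is lost.
function demo_plugin_parse(array $slider, array $properties): array {
    $known = ['width', 'height'];         // constructed list, not the plugin's real one
    $slider['attrs'] = array_intersect_key($slider['attrs'], array_flip($known));
    return $slider;
}

// Same job as the override in the post: set the flag that hides the console message.
function demo_hide_banner(array $slider, array $properties): array {
    $slider['attrs']['hideWelcomeMessage'] = true;
    return $slider;
}

// Register both callbacks and report whether the flag survives the filter chain.
function demo_flag_survives(int $our_priority): bool {
    global $demo_hooks;
    $demo_hooks = [];                     // fresh registry for each scenario
    demo_add_filter('ls_parse_defaults', 'demo_plugin_parse', 10);
    demo_add_filter('ls_parse_defaults', 'demo_hide_banner', $our_priority);
    $slider = ['attrs' => ['width' => 1280, 'height' => 720]];  // constructed sample
    $result = demo_apply_filters('ls_parse_defaults', $slider, []);
    return array_key_exists('hideWelcomeMessage', $result['attrs']);
}

var_dump(demo_flag_survives(9));   // our callback runs before the plugin's pass
var_dump(demo_flag_survives(11));  // our callback runs after the plugin's pass
```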
I know some of you think this is obsessive for just removing some lines of text printed to the browser console, but I can’t take chances with possible vulnerabilities being exploited on my website that easily. Also, this behavior is what allows me to solve problems other programmers can’t solve; it was a good challenge and code is my life (I really love what I do) 🙂
Comments
Now I can sleep with peace of mind. I know some people would prefer to ignore this and continue, but I can’t leave chances to possible vulnerabilities being exploited on my website just that easy. Also, this was a good weekend challenge to test my skills 🙂