CookieMonster-plus update (1.3.12) — WP 4.3 compatibility

The CookieMonster-plus plugin has had another big update. This supersedes the last update that dealt with the WP 4.2.3 security update that broke how and where certain shortcodes work. It also has a more general, if slightly more complicated, solution to the new behavior of WP core.

Cookie Image
C is for Conversion, that's good enough for me!

WordPress core changed up the shortcode behavior for security reasons and I understand their reasoning, but it broke plugins like CM+ that already had taken into consideration the dangers of user input being "injected" into your web page. What changed is that now they ignore any short codes that are a part of an HTML tag, but not all the parameters. So, for those who used a CM+ shortcode to fill in a form field's value, it stopped doing that with the WP 4.2.3 update.

For example

<input type='text' name='email' value='[email]'>

used to do the right thing. As of WP 4.2.3, it just left the value blank.

The way around this, as validated by WP core developers, is to have the shortcode generate the whole HTML tag. In order to do that in a robust way, I added a new shortcode to CM+ that you feed three unnamed parameters: before, cookie, and after.

This allows for mechanical translation from a tag with an embedded [cookie_name] shortcode to the new format. There are instructions for this, as well as a web-based translation tool, available from the download page.

The good news is that any other customization you're doing on WordPress pages with [firstname] or other CM+ cookie shortcodes should work as always -- as long as it isn't embedded in a parameter of an HTML tag. The even better news is that the latest version of the CM+ plugin gives us a way to use the shortcodes in the old way as well. The best news is that this means the upgrades to Paul Myers's Email Affiliate System that CM+ turned into The BEAST (Blog and Email Affiliate SysTem) should all still be viable with the security of the latest version of WordPress.

As always, feel compelled to download CookieMonster-plus and sign up for my plugin announcement list on that download page.

Leave a Comment