I have a CPT called Landing Pages with a mandatory Custom Field of Radio Button - it forces the user to select a contact form shortcode. The option values are specified as 3rd-party [shortcodes] - one each on a separate line. The customer selects the appropriate Radio Button and the form-shortcode is output on the frontend.
However, the recent MB update (5.9.3 – 2024-02-02) broke down these third-party forms.
As an emergency resolution, I have inserted the recommended snippet on youir Changelog page as add_filter( ‘rwmb_meta_shortcode_secure’, ‘__return_false’ );.
The snippet "disables escaping". So, my questoin is - is using this snippet a security issue and if so, is there another way to allow form shortcodes without disabling the new security fix?
Ideally, I would like to output the shortcode value without using the snippet that disables escaping. Is there a way to render third-party shortcodes without assuming the risk? Could you please guide me how to achieve it?
I'm afraid that there isn't a way to render the third-party shortcode when using Meta Box shortcode without bypassing HTML filtering. It helps you to prevent security issues so please be more careful to use the shortcode.