An excess number of option value lookups was discovered while testing Store Locator Plus® 5.13.8 where the option/label_directions was searched multiple times for a single map render. To reduce load on servers this should only happen once, at the start of the initial map rendering.
This is not a blatant “it did something wrong” or “didn’t do something it should” type of bug. This is a performance and resource usage bug and may require some new architcture.
The manifestation:
Debugging path… investigation
Looking for label_directions in the code…
The initial search through the plugins reveals places the settings are created, set, stored, and managed but not the “JavaScript hook” being fired via /wp-json (the REST API for WordPress). So we need to look deeper.
Looking for options/ in the code…
Let’s try the start of the REST API path after the generic /wp-json/store-locator-plus/v2/ part…
We can ignore the assets/ directory… but what else is in here…
Ahhh… the slp_core.js call to slplus.rest_url + ‘options/’ + attribute looks sus…a
Solution (planned for SLP 5.14)
There was a problem in slp_core.js with value testing.
Turns out an empty value causes multiple REST calls. The following is an invalid test to see if a property exists, which is what we want here. Previously it was checking the value was SET and had a “non-falsy” value. In JavaScript lots of things are “kind of true” or “kind of false” (aka Falsy), for example the empty string “” is FALSE. That is not what we want here.
In slp_core.js we ant to replace the if (!<var>) with if (! var.hasOwnProperty()) …
Cause
The call to /v2/options/label_directions was firing once for every location because the default value for the directions label is empty (“”). This was evaluating to false, which forced the SLP JavaScript to query the server to get the value, which set it to “”.
For each location that was rendered the setting was checked… “is the label for directions set?” or more accurately “Is the label for directions set and NOT empty?”. Every time it came back saying “no, it is NOT set” or rather “It IS empty” … so the code would then go ask the REST API server for the label value.
The front end sends a request back to WordPress via AJAX to request a list of locations. Part of that request encodes all of the form field entries, including the category drop down selection, into a query-encoded (key/value pairs with an & delimiter) string that is send in the formData property to the backend.
The category ID is not being parsed and filtered properly.
Looking At The Data Request
Via browser developer tools and the network I/O inspector, XHR filter…
HTTP Method: POST URL: /wp-admin/admin-ajax.php Request Payload…
You can see the formdata property in the POST body along with the encoded form data including the cat=5 entry. This is where the requests tells the back end to limit results to those that have WordPress category ID #5 attached to the location.
Diving Into The Code
On the back end the AJAX is routed through the Store Locator Plus® base plugin via the standard WordPress hooks and filters. These are setup in the SLP_AJAX class via this add_ajax_hooks method:
Where the csl_ajax_search eventually finds its way to the find_locations method.
Debugging the find_locations method it looks like the formdata variable coming in via the superglobal $_REQUEST variable is not being set properly.
Digging Into The Malformed Variables
Looking at the call stack the form data is mishandled causing the & in the query string to be encoded as &, this causes wp_parse_args() to set the property name incorrect as you can see in the debugging screenshot below.
Turns out the wp_kses_post() is too aggressive with the data munging and converts & to & which then throws wp_parse_args() for a loop.
Instead we need to use esc_url_raw() to leave most URL entities intact.
The setting to display the category selector on the front end stopped working. The Power add on is active, but with SLP 5.13.X prerelease the drop down no longer appears.
This is very likely due to escaping of output that is overly aggressive on what it filters out on the front end.
Tech Overview
The base plugin renders the map , search form and results on the front end using shortcodes. The [slplus] shortcode renders the entire UX based on a combination of HTML and secondary shortcodes. These secondary shortcodes are parsed by the SLP base plugin to do things like “put the search form here” or “put the results here”. Within each of those custom shortcodes is another set of shortcodes, for example for the search form “put the address input box here” or “put the radius selector here”.
One of those additional shortcodes is provided by the Power add on to “put the category selector drop down here”.
That is not being processed.
Code Path
SLP_Power_UI.php
This attaches the method for rendering additional SLP search form features. This method is getting called.
public function add_hooks_and_filters()
...
add_filter( 'shortcode_slp_searchelement' , array( $this , 'process_slp_search_element_shortcode' ) );
This method is not getting called when the [slplus] shortcode is rendered…
public function process_slp_search_element_shortcode( $attributes ) {
The shortcode_slp_searchelement filter is only fired from this piece of code:
SLP_UI.php
Provided by the base plugin, this handles most of the front end initialization and execution.
This line of code is being called to apply filters…
public function create_SearchElement( $attributes, $content = null ) {
$attributes = apply_filters( 'shortcode_slp_searchelement', $attributes );
Checking Call Order
⚠️ Evaluating the call execution order, the above apply_filters is being called BEFORE the power add on has run the SLP_POWER_UI add_hooks_and_filters() , noted above, to hook onto that filter call.
Power Add Hooks & Filters
Here is the call stack when Power add_hooks_and_filters is run…
The call to SLP_BaseClass_Addon->createobject_UserInterface() is fired during the execution of the ‘wp_enqueue_scripts’ action hook as defined in base_class.addon.php in the slp_init() method…
Here is the call stack , CALLED FIRST, for creating the search element:
slp_render_shortcode() is called to start this process per the WordPress add_shortcode() method in SLP_UI :: initialize().
That means do_shortcode() is being called very early —
This is due to a side effect of all the fuckery WordPress Core has been doing to deal with the block mode editor. In order to support new block themes (like Twenty Twenty Two) WP_Block->render() calls render_block_core_post_content() super early. Before any script enqueue.
WP Core: render_block_core_post_content() calls the “the_content” filter way earlier than non-block themes:
Attach creatobject_UserInterface Calls To New Hook
With the block theme, firing that method via the ‘wp_enqueue_scripts’ method is too late for WP Block Themes.
There are multiple methods that could be used to hook this, but which one will be BEFORE the WP Block rendering calls the ‘the_content’ filter AND still work for older themes?
Option 1 : Hook to ‘the_content’ filter with an earlier precedence on the weight
The main concern here is that a ‘the_content’ script does not get called everywhere a ‘wp_enqueue_scripts’ hook gets called. The question is whether AJAX and REST calls run through here.
Results
Did not work, broke a lot of features and setup in the plugin.
Option 2 : Attach to an earlier hook…
Candidates…
block_parser_class — in function parse_blocks() probably not called on non-block themes.
template_include — before template_canvas.php which appears to be before template_canvas where the first line is get_the_block_template(); the assumption is template_canvas is only called for block based themes.
Concerns
‘template_include’ hook may get called too often, but it is a classic filter that has been around for a while and should work for both block and legacy templates.
Location categories provides a way to place categories into groups that can be filtered via the administrative tools and on the front end user experience.
Managing categories is provided by the Power add on.
Technical Implementation
The underlying technology uses the built-in WordPress category management system. Some of the core functionality of adding, removing, and assigning categories is managed by WordPress and thus requires additional testing whenever WordPress posts a new release.
The Power add on extend this default functionality to provide custom administrative and user interactions with location categories.
Testing Environment (July 2022)
WordPress 6+ Store Locator Plus 5.13+ Power Add On 5.11+
Related Use Cases
The use cases are based on the WordPress plugins. Most of the processes described within apply to the MySLP SaaS implementation as well.
Assumptions
WordPress environment is setup and configured including activation of the following plugins
Store Locator Plus®
SLP Power add on
In addition map service (Google API keys) should be in place and some locations should be added to the system.
A page has been created with the [slplus] shortcode present and the map is rendering properly.
Users are logged in as a WordPress administrator (the process will be slightly different for SaaS users).
Adding Categories To Locations
Objective
Create a location category and attach it to an existing location.
User Action: Add A Location Category
Click on Store Locator Plus® | Categories in the WordPress sidebar menu.
In the left “Add New Category Form”…
Type a category name. (Restaurant)
Click Add New Category
Result
The new category should appear on the category list on the page.
Category list after adding the restaurant category.
User Action: Attach Category To Location
Click on Store Locator Plus® | Locations in the WordPress sidebar menu.
Click the Edit action icon on the first location.
Check off the box next to “Restaurants” in the Power | Categories section of the form.
Click Save.
Result
The category is assigned to the location and appears on the location table.
The location with an assigned restaurant category. This view is showing fewer columns as the Screen Options was updated to removed unused columns from the table view.
User Action: Show Category Select On Front End
Click on Store Locator Plus® | Settings in the WordPress sidebar menu.
Change the Category Selector setting to “Single Drop Down”.
Click Save
On the front end, go to the page that has the [slplus] shortcode.
Result
The search form for the map should show a category drop down.
The front end page with the [slplus] shortcode, showing the category selection filter.
User Action : Filtering Locations With Category
On the front end, go to the page that has the [slplus] shortcode.
Enter an address, choose a category.
Click “Find Locations”.
Result
Only the locations that match the search criteria, including the category filter, should be shown.
This looks like a problem with the AJAX processor on the backend. Need to look into ajax_onload.
csl_ajax_onload refs
The problem was with the Power add on trying to validate SLP location IDs when updating map markers. The intent is to NOT manipulate a map marker with an invalid ID as it can cause more problems downstream.
Resolution
DO NOT check_admin_referer() for the AJAX calls. The easiest way to check that , since we do not have an easily-accessible reference variable for “hey, I’m running an AJAX query now” is to simply ensure the nonce we want to validate even exists in the first place.
SLP 5.13.5 prerelease + Power 5.11 has a problem found during testing… the admin add locations breaks (probably a lot of other things as well).
The browser console:
This is related to moving to wp_add_inline_script() vs. the wp_localize_script() based on findings that indicate wp_localize_script() may a not work with block themes and it is really intended for i18n/l10n.
Power needs it. handle: slppower_manage_locations data stack: {"ajax_nonce":"50164ddb77"}
SLP (base plugin) needs it. handle: slp_manage_locations data stack: {"ajax_nonce":"50164ddb77"}
However, a code search shows that ONLY the base plugin admin JavaScript is using/referencing wp_data…
Why is Power setting up an enqueue of this file?
Code Analysis of enqueue_admin_javascript()…
This is always true:
if ( ! empty( $tab_js_settings ) ) {
Because this is always set further up in the code…
// All our JS will now have an AJAX_NONCE setting. $tab_js_settings = array( 'ajax_nonce' => wp_create_nonce('slp_ajax'), );
They key player here “ajax_nonce” set above is ONLY ever used here… SLP base plugin admin.js… which is only called when doing a change_option. That is fired from both the base plugin and Power add on, HOWEVER… they both reference the SLP_ADMIN.change_option() method in JavaScript.
ajax_nonce usage in JavaScript is only in SLP base plugin admin.js (SLP_ADMIN) change_option() method attached to the options property (SLP_ADMIN.options.change_option). All calls to the SLP_ADMIN.options.change_option() call
Resolution
Do not set the baseline tab_js_settings in SLP_BaseClass_Admin.php
This will stop the default (only) ajax_nonce PHP array entry from being set, effectively short-circuiting the enqueue of the script from the Power add-on.
While this fixes the issue short-term and stops overloading the tab_js_settings, if Power (or any other add on) finds it necessary to add some custom entries to the tab_js_settings array, it will break again. This is a fragile patch.
The change…
Add the handle to the JavaScript variable definition
The current setup is to hard-code the JS environment variable to “wp_data” for ALL add-ons. This will make them “fight” per the message above.
Instead of blindly referencing a generic hard-coded “wp_data” variable, let’s change that to be based on the add-on name.
This function applies filters that can be hooked to perform specific sanitization procedures for the particular metadata type and key. Does not sanitize anything on its own. Custom filters must be hooked in to do the work. The filter hook tag has the form “sanitize_{$meta_type}_meta_{$meta_key}“.
Only sanitizes specific options known to WordPress (primarily for internal use). After the value has been handled by the functions in the switch statement, it will be passed through a sanitize_option_$option filter.
That means this CANNOT be used for anything that processes HTML elements.
The Code
/**
* Sanitizes a string from user input or from the database.
*
* - Checks for invalid UTF-8,
* - Converts single `<` characters to entities
* - Strips all tags
* - Removes line breaks, tabs, and extra whitespace
* - Strips octets
*
* @param string $str String to sanitize.
* @return string Sanitized string.
*/
function sanitize_text_field( $str ) {
$filtered = _sanitize_text_fields( $str, false );
/**
* Filters a sanitized text field string.
*
* @since 2.9.0
*
* @param string $filtered The sanitized string.
* @param string $str The string prior to being sanitized.
*/
return apply_filters( 'sanitize_text_field', $filtered, $str );
}
esc_attr() Use on everything else that’s printed into an HTML element’s attribute.
esc_html() Use anytime an HTML element encloses a section of data being displayed. This WILL NOT display HTML content, it is meant for being used inside HTML and will remove your HTML.
WordPress does some odd things when it comes to managing the DOM elements, especially when it comes to JavaScript and CSS. WordPress has crafted their own creative PHP methodology for getting data from PHP into JavaScript when loading the scripts. This allows for JavaScript variables to be “pre-initialized” when the scripts are first rendered.
Useful for getting a known starting state in JavaScript based on PHP state and logic that has run up to the point that the scripts are loaded.
Not standard AT ALL given today’s single page app and other advanced methodologies just as REST queries, etc. that could do the same job.
VVV -enabled vagrant boxes are “ready to go” with real-time xDebug debugging. You’ll need to enable it after you’ve booted the guest OS by getting into the guest via command line.
Boot your vagrant box.
vagrant ssh
Once you are into the guest type…
xdebug_on
The xdebug broadcaster is now enabled for the guest OS. Any time you surf to a guest web page it will broadcast Xdebug data. Your IDE should be able to listen for xdebug publications and associate the local code to the xdebug publication. It may require that you “map” your folder structure from your IDE to the relevant server-named path, for example map ~/MyDrive/vagrant-local/www/wordpress-one/public_html to /srv/www/wordpress-one/public_html for it to associate the code in the IDE to the code in the server broadcast messages.
