Format field in Attribute settings silently truncate the input

obtrusive170 · April 26, 2026, 12:12pm

WP 6.9.4, HivePress 1.7.23.

AP-Admin, Listings, Attributes, attribute name, Format (field on the bottom):

[eeb_protect_content]<a href="%value%" target="_blank">%value%</a>[/eeb_protect_content]
<button onclick="navigator.clipboard.writeText('%value%'); alert('Copied!');" style="margin-left:10px;">Copy</button>

is upon page saving turned into:

[eeb_protect_content]<a href="%value%" target="_blank">%value%</a>[/eeb_protect_content]
<button style="margin-left:10px">Copy</button>

no warning. It would be handy if it is possible to submit any code safely there. WP plugins allows inputting custom code, so HivePress may allow it too..

ihor · April 26, 2026, 10:19pm

Thanks for the feedback,

We’ll consider improving the UX by adding warnings, currently JavaScript is automatically removed for security reasons with this WordPress function wp_kses() – Function | Developer.WordPress.org

obtrusive170 · April 27, 2026, 9:12am

Plugin “Code Snippets” accepts Javascript snippets, so maybe your plugin can accept it too.

If you know a workaround to achieve what i have tried, please kindly share it with me and others who face the inability to use script in that Format field. I have mentioned this to your AI, but it did not suggest any understandable workaround (did just one attempt). I am using free theme.

ihor · April 27, 2026, 4:28pm

The easiest way is probably overriding the display format using a code snippet, please try this code snippet as a sample (replacing the attribute name):

add_filter('hivepress/v1/models/listing/attributes', function($attributes) {
    if(isset($attributes['my_custom_attribute'])) {
        $attributes['my_custom_attribute']['display_format']='any HTML or JS here';
    }

    return $attributes;
}, 1000);

Hope this helps

obtrusive170 · April 28, 2026, 6:41pm

Thank you for help, i think that it worked as a workaround (not a fix of the reported issue).

Replace 2x “my_custom_attribute” by attribute mentioned in attribute editing page (WP-Admin/Listings/Attributes/attribute name) next to “Field Name”.

Inside snippet, i have replaced “any HTML or JS here” by:

[eeb_protect_content]%value%[/eeb_protect_content] <button onclick="navigator.clipboard.writeText(\'%value%\'); alert(\'Copied!\');" style="margin-left:10px;">Copy</button>

which protect the attribute from crawlers (shortcode used by Email Encoder WP plugin) and also appends button which copies the attribute string into a clipboard (works on my desktop Firefox. I have doubts if it will work on a mobile, can not test ATM).

Another problem is that the attribute inside copy button is not protected, so the attribute value can be extracted from a source code of a page.

ihor · April 29, 2026, 10:00pm

Yes, this code snippet is a workaround – we often provide code snippets until the feature is implemented as a temporary solution. It should also be ok on mobile since the same HTML is used. If a third-party plugin you’re using hides values with JS only, without sending requests via REST API on click then there may be no way to remove the value from the HTML source code since it should be there to be revealed on click.