Total 5.4.1 was updated to include an extra security check when using callback functions within shortcodes to prevent potential exploits from the core wp_ajax_parse_media_shortcode WordPress function. Previously you could enter the name of any function within a shortcode “Callback Function” field and it would run, but now that function name must also be defined as a whitelisted function.
To whitelist functions, define the “VCEX_CALLBACK_FUNCTION_WHITELIST” constant in your child theme or with the Code Snippets plugin. Its value should be an array of the function names that can be used on the site. Example:
/*
 * Whitelist functions for use in Total Theme Core shortcodes.
 */
define( 'VCEX_CALLBACK_FUNCTION_WHITELIST', array(
	'my_custom_function_name_1',
	'my_custom_function_name_2',
	'my_custom_function_name_3',
) );
We realize this is a pain in the butt, but your site safety is important!
Example of a Callback function in use:
Below is a screenshot from the Post Cards element showing an example of a field that supports a callback function.
Below is an example of the code used to make the "your_custom_callback_function_name" function available for use:
/*
 * Whitelist functions for use in Total Theme Core shortcodes.
 */
define( 'VCEX_CALLBACK_FUNCTION_WHITELIST', array(
	'your_custom_callback_function_name',
) );
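To show what a whitelist check of this kind does before a callback name is run, here is an added example; it is not Total Theme Core's own code. The helper `example_run_whitelisted_callback()` and the sample callback body are hypothetical, and only the constant name comes from this page.

```php
<?php
// Added illustration: hypothetical helper, not Total Theme Core's implementation.

// Whitelist constant as documented on this page (normally set in a child theme).
define( 'VCEX_CALLBACK_FUNCTION_WHITELIST', array(
	'your_custom_callback_function_name',
) );

// The custom callback a shortcode field would name (constructed sample body).
function your_custom_callback_function_name() {
	return 'Hello from a whitelisted callback';
}

/**
 * Hypothetical gate: call $name only if it is a plain string, is listed in
 * the whitelist constant, and names an existing function. Returns null otherwise.
 */
function example_run_whitelisted_callback( $name ) {
	// Reject arrays/objects so only simple function names are considered.
	if ( ! is_string( $name ) || ! defined( 'VCEX_CALLBACK_FUNCTION_WHITELIST' ) ) {
		return null;
	}

	$allowed = VCEX_CALLBACK_FUNCTION_WHITELIST;

	// Strict comparison: the name must match a list entry exactly.
	if ( ! is_array( $allowed ) || ! in_array( $name, $allowed, true ) ) {
		return null; // Not listed: refused even though the function may exist.
	}

	if ( ! function_exists( $name ) ) {
		return null; // Listed but never defined.
	}

	return call_user_func( $name );
}

// Listed and defined: the callback runs and its return value comes back.
var_dump( example_run_whitelisted_callback( 'your_custom_callback_function_name' ) );

// Exists in PHP but is not on the list: refused.
var_dump( example_run_whitelisted_callback( 'strtoupper' ) );

// Not a plain function name: refused.
var_dump( example_run_whitelisted_callback( array( 'SomeClass', 'some_method' ) ) );
```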