How to Whitelist Callback Functions for Elements

Total 5.4.1 was updated to include an extra security check when using callback functions within shortcodes to prevent potential exploits from the core wp_ajax_parse_media_shortcode WordPress function. Previously you could enter the name of any function within a shortcode “Callback Function” field and it would run, but now that function name must also be defined as a whitelisted function.

In order to white list functions you need to define the “VCEX_CALLBACK_FUNCTION_WHITELIST” constant via your child theme or using the Code Snippets plugin and it should return an array of functions that can be used on the site. Example:

/*
 * White list functions for use in Total Theme Core shortcodes.
 */
define( 'VCEX_CALLBACK_FUNCTION_WHITELIST', array(
    'my_custom_function_name_1',
    'my_custom_function_name_2',
    'my_custom_function_name_3',
) );

We realize this is a pain in the butt, but your site safety is important!

Example of a Callback function in use:

Below is a screenshot from the Post Cards element showing an example of a field that supports a callback function.

So with this example in mind, you would need to make sure that the "your_custom_callback_function_name" function is part of your whitelist array. Example:

/*
 * White list functions for use in Total Theme Core shortcodes.
 */
define( 'VCEX_CALLBACK_FUNCTION_WHITELIST', array(
    'your_custom_callback_function_name',
) );