GDPR banner: duplicate Accept/Deny controls when custom message contains links #144
Description
Description
When the consent banner's custom message (opt_out_message) contains HTML links (e.g., "Accept or Deny" as <a> tags from a legacy configuration), the banner displays duplicate interactive controls:
- "Accept or Deny" text links inside the message body
- "Decline" and "Accept" styled buttons rendered by
GDPRService::getBannerHtml()
This creates a confusing UX where users see two sets of controls for the same action.
Evidence
Screenshot from the SlimStat website shows both link-based and button-based accept/deny controls rendered simultaneously in the banner.
Root Cause
GDPRService.php:161 — the custom opt_out_message is passed through wp_kses() which allows <a> tags (line 177), so any links in the stored message persist alongside the new button pair rendered at lines 190-198.
The banner at GDPRService.php:202-213 always renders Accept/Decline buttons regardless of what the custom message contains.
Code References
| File | Lines | Description |
|---|---|---|
src/Services/GDPRService.php |
161-180 | Custom message loaded and sanitized (allows <a> tags) |
src/Services/GDPRService.php |
190-213 | Buttons always rendered + final banner HTML |
admin/config/index.php |
150-159 | opt_out_message rich text editor setting |
Suggested Fix
Either:
- Strip interactive elements (
<a>,<button>) from the custom message before rendering alongside the new buttons - Or add a migration to clean legacy
opt_out_messagevalues that contain accept/deny links
Environment
- WP Slimstat v5.4.0
- Consent integration:
slimstat_banner