Changeset 2950391

Timestamp:

08/09/2023 10:19:19 AM (3 years ago)

Author:

shorthandconnect

Message:

Created tag 1.3.29

Location:

shorthand-connect/tags/1.3.29

Files:

• . (copied) (copied from shorthand-connect/trunk)
• README.txt (modified) (3 diffs)
• includes/api.php (modified) (1 diff)
• includes/shorthand_options.php (modified) (10 diffs)
• shorthand_connect.php (modified) (6 diffs)

shorthand-connect/tags/1.3.29/README.txt

@@ -5 +5 @@
 Requires at least: 4.0
 Tested up to: 6.1
-Stable tag: 1.3.28
+Stable tag: 1.3.29
 Requires PHP: 5.6
 License: GPLv2 or later
@@ -36 +36 @@
   [
     { 
-      "query":  "/<title.(.*?)<\/title>/",
+      "query": "/<title>(.*?)<\\/title>/",
       "replace":""
     },
@@ -64 +64 @@
 == Changelog ==
 
+= 1.3.29 =
+* Security Fixes & Updates
+* JSON Post-Processing Fixes
+
 = 1.3.28 =
 * Code clean up & bug fixes

shorthand-connect/tags/1.3.29/includes/api.php

@@ -140 +140 @@
     
     do_action('sh_copy_story', $post_id, $story_id, $story);
-    unlink($zip_file);
-    
+    wp_delete_file($zip_file);
     return $story;
 }

shorthand-connect/tags/1.3.29/includes/shorthand_options.php

@@ -26 +26 @@
 ';
 
+// JSON Checker
+function validate_json($json_string) {
+    // Try to decode the JSON data. If it fails, the JSON is invalid.
+    $json_data = json_decode($json_string, true);
+
+    if (json_last_error() !== JSON_ERROR_NONE) {
+        // The JSON is invalid.
+        return false;
+    }
+
+    // Return the original JSON string if it's valid.
+    return $json_string;
+}
+
 function shand_shorthand_options()
 {
@@ -35 +49 @@
     }
     if( isset($_POST['sh_submit_hidden']) && $_POST['sh_submit_hidden'] == 'Y' && check_admin_referer( 'sh-update-configuration' ) ) {
-        update_option('sh_v2_token', sanitize_text_field($_POST['sh_v2_token']));
-    }
+        //If there's a token set, use it, if not set it to an empty string
+        $sh_v2_token = isset($_POST['sh_v2_token']) ? sanitize_text_field($_POST['sh_v2_token']) : '';
+        update_option('sh_v2_token', $sh_v2_token);
+    }
+    
     $v2_token = esc_html(get_option('sh_v2_token'));
     
     if( isset($_POST['sh_submit_hidden_two']) && $_POST['sh_submit_hidden_two'] == 'Y' && check_admin_referer( 'sh-update-configuration' ) ) {
-        update_option('sh_css', wp_kses_post($_POST['sh_css']));
-    }
-    if( isset($_POST['sh_submit_hidden_three']) && $_POST['sh_submit_hidden_three'] == 'Y' && check_admin_referer( 'sh-update-configuration' ) ) {
-        update_option('sh_permalink', sanitize_text_field($_POST['sh_permalink']));
+        //Check if there's custom CSS, if there is, use wp_kses_post() to sanitize otherwise set an empty string
+        $sh_css = isset($_POST['sh_css']) ? wp_kses_post($_POST['sh_css']) : '';
+        update_option('sh_css', $sh_css);
+    }
+
+
+    // Rather than running a rewrite flush everytime a post is submitted, run it on plugin activate/deactivate
+    function shand_rewrite_flush() {
         shand_create_post_type();
         flush_rewrite_rules();
+    }
+    register_activation_hook( __FILE__, 'shand_rewrite_flush' );
+    register_deactivation_hook( __FILE__, 'flush_rewrite_rules' );
+
+    if( isset($_POST['sh_submit_hidden_three']) && $_POST['sh_submit_hidden_three'] == 'Y' && check_admin_referer( 'sh-update-configuration' ) ) {
+        //Check if there's custom permalink, if there is, use sanitize_text_field() to sanitize potential HTML and then set an empty string
+        $sh_permalink = isset($_POST['sh_permalink']) ? sanitize_text_field($_POST['sh_permalink']) : '';
+        update_option('sh_permalink', $sh_permalink);
+        shand_rewrite_flush();
     }
     $permalink_structure = esc_html(get_option('sh_permalink'));
@@ -63 +93 @@
     }
 
-    if (isset($_POST['sh_submit_hidden_four']) && $_POST['sh_submit_hidden_four'] == 'Y' && check_admin_referer( 'sh-update-configuration' )) {
-        update_option('sh_regex_list', base64_encode(wp_unslash($_POST['sh_regex_list'])));
-    }
+if (isset($_POST['sh_submit_hidden_four']) && $_POST['sh_submit_hidden_four'] == 'Y' && check_admin_referer('sh-update-configuration')) {
+    $sh_regex_list = isset($_POST['sh_regex_list']) ? wp_unslash($_POST['sh_regex_list']) : '';
+
+    if (empty($sh_regex_list)) {
+        // Update the option with an empty value if the input is empty
+        update_option('sh_regex_list', '');
+    } else {
+        // Validate if it's a valid JSON without sanitizing
+        $sh_regex_list = validate_json($sh_regex_list);
+
+        if ($sh_regex_list !== false) {
+            // Since we are storing it as base64, no need to sanitize the JSON, as base64_encode will handle that
+            update_option('sh_regex_list', base64_encode($sh_regex_list));
+        } else {
+            // Handle invalid JSON error here.
+        }
+    }
+}
+
+
 
     $sh_regex_list = base64_decode(get_option('sh_regex_list'));
@@ -80 +127 @@
   
     $profile = sh_get_profile();
-    $n_once = wp_nonce_field( 'sh-update-configuration' );
-
-?>
-    <h3>Shorthand API Configuration</h3>
+
+    ob_start();
+    wp_nonce_field( 'sh-update-configuration' );
+    $n_once  = ob_get_clean();
+
+?>  
+<div class="container">
+    <div class="py-1">
+    <h1>Shorthand API Configuration</h1>
+    <h2>Shorthand Connect Status</h2>
     <form name="form1" method="post">
         <?php echo $n_once ?>
@@ -89 +142 @@
         <table class="form-table"><tbody>
         <tr class="v2row">
-            <th scope="row"><label for="sh_v2_token"><?php _e("Shorthand Team Token", 'sh-v2-token' ); ?></label></th>
+            <th scope="row"><label for="sh_v2_token"><?php esc_html_e("Shorthand Team Token", 'sh-v2-token' ); ?></label></th>
             <td><input type="text" id="sh_v2_token" name="sh_v2_token" value="<?php echo esc_attr($v2_token); ?>" size="28"></td>
         </tr>
         </tbody></table>
-        <p class="submit">
-            <input type="submit" name="Submit" class="button-primary" value="<?php esc_attr_e('Save Changes') ?>" />
-        </p>
-        <hr />
-    </form>
-    <h3>Shorthand Connect Status</h3>
-    <?php if ($profile) { ?>
+        <?php if ($profile) { ?>
         <p class="status">Successfully connected</p>
-        <p><strong>Username</strong>: <?php echo $profile->username; ?></p>
+        <p><strong>Username</strong>: <?php echo esc_html($profile->username); ?></p>
     <?php } else { ?>
         <p class="status warn">Not Connected</p>
     <?php } ?>
     <div style='clear:both'></div>
-    <h3>Shorthand Permalink Structure</h3>
+        <p class="submit">
+            <input type="submit" name="Submit" class="button-primary" value="<?php esc_attr_e('Save Changes') ?>" />
+        </p>
+    </form>
+    </div>
+
+
+    <div class="py-1">
+    <h2>Shorthand Permalink Structure</h2>
         <p>Use this to set the permalink structure of Shorthand story URLs</p>
-        <form name="form2" method="post">
+        <form name="permalinks" method="post">
             <?php echo $n_once ?>
             <input type="hidden" name="sh_submit_hidden_three" value="Y" />
@@ -118 +173 @@
             </p>
         </form>
-
-
-
-    <h3>Shorthand Story Page CSS (theme wide CSS)</h3>
+    </div>
+
+    <div class="py-1">
+    <h2>Shorthand Story Page CSS (theme wide CSS)</h2>
         <p>Use this CSS to customise Shorthand Story pages to better suit your theme</p>
         <?php if ($no_css) { ?>
             <p class="status warn">No custom CSS found, using default theme CSS</p>
         <?php }?>
-        <form name="form2" method="post">
+        <form name="themecss" method="post">
             <?php echo $n_once ?>
             <input type="hidden" name="sh_submit_hidden_two" value="Y" />
@@ -134 +189 @@
             </p>
         </form>
-
-    <h3>Post-processing</h3>
+        </div>
+
+    <div class="py-1">  
+    <h2>Post-processing</h2>
         <p>Use this to create a JSON object of regex queries and replacements.</p>
         <p><em>This Example removes title tags from within the head tag by replacing it with nothing.</em></p>
 <pre><code>
-  {
-    "head":
-    [
-      {
-        &quot;query&quot;:&quot;/&lt;title.(.*?)&lt;\/title&gt;/&quot;,
-        &quot;replace&quot;:&quot;&quot;
-      }
-    ],
-    "body":[]
-  }
+{
+  "head": [
+    {
+      &quot;query&quot;: &quot;/&lt;title&gt;(.*?)&lt;\\/title&gt;/&quot;,
+      &quot;replace&quot;: &quot;&quot;
+    }
+  ],
+  "body": []
+}
+
 </code></pre>
-        <form name="form2" method="post" onsubmit="padJson()">
+        <form name="postprocessing" method="post">
             <?php echo $n_once ?>
             <input type="hidden" name="sh_submit_hidden_four" value="Y" />
@@ -160 +217 @@
         <script>
             let textarea = document.querySelector("textarea#sh_regex_list");
-  
-            function padJson() {
-                console.log('updated JSON');
-                textarea.value = textarea.value.replace(/\\/g, '\\\\');
-            }
-            
-            
+        
             textarea.addEventListener("keyup", function(event) {
                 try{
@@ -183 +234 @@
             });
         </script>
-
-    <style>
+    </div>
+    
+    <div class="py-1">
+        <h2>Experimental Features</h2>
+        <p>Early access features that are still subject to change.</p>
+        <form name="form_experimental" method="post">
+        <?php echo $n_once ?>
+        <input type="hidden" name="sh_submit_hidden_experimental" value="Y" />
+        <input type="checkbox" id="sh_media_cron_offload" name="sh_media_cron_offload" value="true" <?php echo esc_attr($sh_media_cron_offload ? 'checked' : '') ?> />
+        <label for="sh_media_cron_offload">Import media assets via cron</label>
+        <p>Assets will be fetched after story save to prevent potential execution timeouts. Media won't be immediately available on save but progress will be updated based on the `media_status` field.</p>
+        <p>It is advised that Shorthand Story Posts are saved as a draft first to trigger the cron job prior to public publishing.</p>
+        <br/>
+        <input type="checkbox" id="sh_disable_acf" name="sh_disable_acf" value="true" <?php echo esc_attr($sh_disable_acf ? 'checked' : '') ?> />
+        <label for="sh_disable_acf">Disable Advanced Custom Fields</label>
+        <p>Used to prevent any potential issues that could cause the Shorthand Custom Fields to become hidden by Advanced Custom Fields.</p>
+        </br>
+        <p class="submit">
+        <input type="submit" name="Submit" class="button-primary" value="<?php esc_attr_e('Save Changes') ?>" />
+        </p>
+        </form>
+        </div>
+    </div>
+        </div>
+<style>
+        .py-1 {
+            padding: 1em;
+        }
+        .bg-white {
+            background: white;
+        }
+        .container {
+            max-width: 980px;
+        }
         img.grav {
             float: left;
@@ -205 +288 @@
             display:none;
         }
-
+        #wpfooter {
+            position: unset;
+        }
         code {
-  font-family: monospace;
-  display: inherit;
-}
+            font-family: monospace;
+            display: inherit;
+        }
     </style>
 
-<h3>Experimental Features</h3>
-<p>Early access features that are still subject to change.</p>
-<form name="form_experimental" method="post">
-<?php echo $n_once ?>
-<input type="hidden" name="sh_submit_hidden_experimental" value="Y" />
-<input type="checkbox" id="sh_media_cron_offload" name="sh_media_cron_offload" value="true" <?php echo esc_attr($sh_media_cron_offload ? 'checked' : '') ?> />
-<label for="sh_media_cron_offload">Import media assets via cron</label>
-<p>Assets will be fetched after story save to prevent potential execution timeouts. Media won't be immediately available on save but progress will be updated based on the `media_status` field.</p>
-<p>It is advised that Shorthand Story Posts are saved as a draft first to trigger the cron job prior to public publishing.</p>
-<br/>
-<input type="checkbox" id="sh_disable_acf" name="sh_disable_acf" value="true" <?php echo esc_attr($sh_disable_acf ? 'checked' : '') ?> />
-<label for="sh_disable_acf">Disable Advanced Custom Fields</label>
-<p>Used to prevent any potential issues that could cause the Shorthand Custom Fields to become hidden by Advanced Custom Fields.</p>
-</br>
-<p class="submit">
-<input type="submit" name="Submit" class="button-primary" value="<?php esc_attr_e('Save Changes') ?>" />
-</p>
-</form>
+
 <?php
 }

shorthand-connect/tags/1.3.29/shorthand_connect.php

@@ -3 +3 @@
 /**
  * @package Shorthand Connect
- * @version 1.3.28
+ * @version 1.3.29
  */
 /*
@@ -10 +10 @@
 Description: Import your Shorthand stories into your Wordpress CMS as simply as possible - magic!
 Author: Shorthand
-Version: 1.3.28
+Version: 1.3.29
 Author URI: http://shorthand.com
 */
 
-if (file_exists('config.php')) {
-    include_once('config.php');
+if (file_exists( plugin_dir_path( __FILE__) . 'config.php')) {
+    include_once( plugin_dir_path( __FILE__) . 'config.php');
 } else {
-    require_once('config.default.php');
-}
-require_once('includes/api.php');
-require_once('includes/mass_pull.php');
-
-require_once('includes/shorthand_options.php');
-require_once('templates/abstract.php');
+    require_once( plugin_dir_path( __FILE__) . 'config.default.php');
+}
+require_once( plugin_dir_path( __FILE__) . 'includes/api.php');
+require_once( plugin_dir_path( __FILE__) . 'includes/mass_pull.php');
+
+require_once( plugin_dir_path( __FILE__) . 'includes/shorthand_options.php');
+require_once( plugin_dir_path( __FILE__) . 'templates/abstract.php');
 
 if ( !function_exists('WP_Filesystem') ) {
@@ -341 +341 @@
     }
 
-    if (!$noabstract && isset($_REQUEST['abstract'])) {
-        update_post_meta($post_id, 'abstract', wp_kses_post($_REQUEST['abstract']));
-    } else if ($noabstract && get_post_meta($post_id, 'abstract')) {
-        delete_post_meta($post_id, 'abstract');
-    }
-
-    if (!get_post_meta($post_id, 'no_update')) {
-        update_post_meta($post_id, 'no_update', "false");
-    }
-
-    if (isset($_REQUEST['extra_html'])) {
-        update_post_meta($post_id, 'extra_html', wp_kses_post($_REQUEST['extra_html']));
-    }
-    
-    $do_update_story = isset($_REQUEST['shand_update']) || get_post_meta($post_id, 'no_update')[0] !== "true";
+    //Check if these fields are nonce_verified
+    if (isset($_POST['eventmeta_noncename']) && wp_verify_nonce(sanitize_text_field($_POST['eventmeta_noncename']), plugin_basename(__FILE__))) {
+        if (!$noabstract && isset($_REQUEST['abstract'])) {
+            update_post_meta($post_id, 'abstract', wp_kses_post($_REQUEST['abstract']));
+        } else if ($noabstract && get_post_meta($post_id, 'abstract')) {
+            delete_post_meta($post_id, 'abstract');
+        }
+    
+        if (!get_post_meta($post_id, 'no_update')) {
+            update_post_meta($post_id, 'no_update', "false");
+        }
+
+        if (isset($_REQUEST['extra_html'])) {
+            update_post_meta($post_id, 'extra_html', wp_kses_post($_REQUEST['extra_html']));
+        }
+    }
+    
+    $do_update_story = isset($_REQUEST['shand_update']) || get_post_meta($post_id, 'no_update', true) !== "true";
     
     if (isset($_REQUEST['story_id']) && $_REQUEST['story_id'] !== "" && $do_update_story) {
         update_post_meta($post_id, 'no_update', "true");
         $sh_media_cron_offload = filter_var(get_option('sh_media_cron_offload'), FILTER_VALIDATE_BOOLEAN);
-        $safe_story_id = preg_replace("/\W|_/", '', $_REQUEST['story_id']);
+
+        //Sanitize but also check if the query is GET or POST
+        if (isset($_REQUEST['story_id'])) {
+            $story_id = filter_input(INPUT_GET, 'story_id', FILTER_SANITIZE_STRING);
+            if ($story_id === null) { // If the variable is not present in the $_GET array
+                $story_id = filter_input(INPUT_POST, 'story_id', FILTER_SANITIZE_STRING);
+            }
+            $safe_story_id = preg_replace("/\W|_/", '', $story_id);
+        }
+        
+
         update_post_meta($post_id, 'story_id', sanitize_text_field($safe_story_id));
         $err = sh_copy_story($post_id, $safe_story_id, $sh_media_cron_offload);
         $story_path = sh_get_story_path($post_id, $safe_story_id);
+        
         //Sometimes the story needs to be gotten twice
         if (!isset($story_path)) {
@@ -482 +496 @@
 add_action('wp_head', 'hook_css');
 
-
 /* Get Posts Hook */
 function shand_shorthand_get_posts($query)
 {
-    if (is_home() && $query->is_main_query()) {
-        $query->set( 'post_type', array( 'post', 'shorthand_story' ) );
-    }
-    return $query;
+    if (is_admin()) {
+        return $query;
+    }
+
+    // Check if the query is the main query and it's for the front-end
+    if ($query->is_main_query() && !is_admin()) {
+        $queried_object = get_queried_object();
+        $shorthand_templates = array('single-shorthand_story.php', 'templates/single-shorthand_story.php', 'template-parts/single-shorthand_story.php');
+
+        // Check if the queried object uses a Shorthand Post template from the array
+        if ($queried_object 
+            && isset($queried_object->ID) 
+            && in_array(get_page_template_slug($queried_object->ID), $shorthand_templates)) {
+            
+            // Get the current post type(s)
+            $post_type = $query->get('post_type');
+            
+            // If the post type hasn't been modified, then add the shorthand post type
+            if (empty($post_type) || $post_type == 'post') {
+                $query->set('post_type', array('post', 'shorthand_story'));
+            }
+        }
+    }
+    return $query;
 }
 add_filter('pre_get_posts', 'shand_shorthand_get_posts');
@@ -519 +552 @@
 function shand_shorthand_activate()
 {
+    flush_rewrite_rules();
     shand_create_post_type();
-    flush_rewrite_rules();
 }
 register_activation_hook(__FILE__, 'shand_shorthand_activate');
@@ -562 +595 @@
     $extra_html = get_post_meta($post->ID, 'extra_html', true);
     echo '<input type="hidden" name="eventmeta_noncename" id="eventmeta_noncename" value="' .
-        wp_create_nonce(plugin_basename(__FILE__)) . '" />';
+        esc_attr(wp_create_nonce(plugin_basename(__FILE__))) . '" />';
     echo '<textarea id="codearea" name="extra_html">' . esc_textarea($extra_html) . '</textarea>';
 }