Changeset 3036818

Timestamp:

02/16/2024 11:40:38 AM (22 months ago)

Author:

totalpressorg

Message:

5.0.1

Location:

custom-post-types

Files:

• tags/5.0.1 (added)
• tags/5.0.1/assets (added)
• tags/5.0.1/assets/css (added)
• tags/5.0.1/assets/css/backend.css (added)
• tags/5.0.1/assets/dashboard-icon.svg (added)
• tags/5.0.1/assets/icon-256x256.png (added)
• tags/5.0.1/assets/icon.svg (added)
• tags/5.0.1/assets/js (added)
• tags/5.0.1/assets/js/backend.js (added)
• tags/5.0.1/custom-post-types.php (added)
• tags/5.0.1/includes (added)
• tags/5.0.1/includes/abstracts (added)
• tags/5.0.1/includes/abstracts/class-cpt-component.php (added)
• tags/5.0.1/includes/abstracts/class-cpt-field.php (added)
• tags/5.0.1/includes/args (added)
• tags/5.0.1/includes/args/core-admin-pages-pro.php (added)
• tags/5.0.1/includes/args/core-admin-pages.php (added)
• tags/5.0.1/includes/args/core-post-types.php (added)
• tags/5.0.1/includes/args/fields-field-group.php (added)
• tags/5.0.1/includes/args/fields-post-type.php (added)
• tags/5.0.1/includes/args/fields-repeater.php (added)
• tags/5.0.1/includes/args/fields-taxonomy.php (added)
• tags/5.0.1/includes/args/post-types-default-args.php (added)
• tags/5.0.1/includes/args/post-types-default-labels.php (added)
• tags/5.0.1/includes/args/taxonomies-default-args.php (added)
• tags/5.0.1/includes/args/taxonomies-default-labels.php (added)
• tags/5.0.1/includes/class-cpt-admin-notices.php (added)
• tags/5.0.1/includes/class-cpt-admin-pages.php (added)
• tags/5.0.1/includes/class-cpt-ajax.php (added)
• tags/5.0.1/includes/class-cpt-core.php (added)
• tags/5.0.1/includes/class-cpt-field-groups.php (added)
• tags/5.0.1/includes/class-cpt-fields.php (added)
• tags/5.0.1/includes/class-cpt-plugin.php (added)
• tags/5.0.1/includes/class-cpt-post-types.php (added)
• tags/5.0.1/includes/class-cpt-shortcodes.php (added)
• tags/5.0.1/includes/class-cpt-taxonomies.php (added)
• tags/5.0.1/includes/class-cpt-ui.php (added)
• tags/5.0.1/includes/class-cpt-utils.php (added)
• tags/5.0.1/includes/compatibilities (added)
• tags/5.0.1/includes/compatibilities/saswp.php (added)
• tags/5.0.1/includes/compatibilities/v4.php (added)
• tags/5.0.1/includes/fields (added)
• tags/5.0.1/includes/fields/class-cpt-field-checkbox.php (added)
• tags/5.0.1/includes/fields/class-cpt-field-color.php (added)
• tags/5.0.1/includes/fields/class-cpt-field-date.php (added)
• tags/5.0.1/includes/fields/class-cpt-field-email.php (added)
• tags/5.0.1/includes/fields/class-cpt-field-embed.php (added)
• tags/5.0.1/includes/fields/class-cpt-field-file.php (added)
• tags/5.0.1/includes/fields/class-cpt-field-html.php (added)
• tags/5.0.1/includes/fields/class-cpt-field-link.php (added)
• tags/5.0.1/includes/fields/class-cpt-field-map.php (added)
• tags/5.0.1/includes/fields/class-cpt-field-number.php (added)
• tags/5.0.1/includes/fields/class-cpt-field-password.php (added)
• tags/5.0.1/includes/fields/class-cpt-field-post-rel.php (added)
• tags/5.0.1/includes/fields/class-cpt-field-radio.php (added)
• tags/5.0.1/includes/fields/class-cpt-field-range.php (added)
• tags/5.0.1/includes/fields/class-cpt-field-repeater.php (added)
• tags/5.0.1/includes/fields/class-cpt-field-select.php (added)
• tags/5.0.1/includes/fields/class-cpt-field-separator.php (added)
• tags/5.0.1/includes/fields/class-cpt-field-switch.php (added)
• tags/5.0.1/includes/fields/class-cpt-field-tax-rel.php (added)
• tags/5.0.1/includes/fields/class-cpt-field-tel.php (added)
• tags/5.0.1/includes/fields/class-cpt-field-text.php (added)
• tags/5.0.1/includes/fields/class-cpt-field-textarea.php (added)
• tags/5.0.1/includes/fields/class-cpt-field-time.php (added)
• tags/5.0.1/includes/fields/class-cpt-field-tinymce.php (added)
• tags/5.0.1/includes/fields/class-cpt-field-user-rel.php (added)
• tags/5.0.1/includes/functions.php (added)
• tags/5.0.1/includes/templates (added)
• tags/5.0.1/includes/templates/modal-feedback.php (added)
• tags/5.0.1/includes/templates/page-tools.php (added)
• tags/5.0.1/index.php (added)
• tags/5.0.1/languages (added)
• tags/5.0.1/languages/custom-post-types.pot (added)
• tags/5.0.1/readme.txt (added)
• trunk/custom-post-types.php (modified) (1 diff)
• trunk/includes/class-cpt-field-groups.php (modified) (2 diffs)
• trunk/includes/class-cpt-fields.php (modified) (5 diffs)
• trunk/includes/class-cpt-ui.php (modified) (1 diff)
• trunk/includes/compatibilities/v4.php (modified) (1 diff)
• trunk/includes/fields/class-cpt-field-html.php (modified) (1 diff)
• trunk/includes/fields/class-cpt-field-repeater.php (modified) (3 diffs)
• trunk/includes/fields/class-cpt-field-text.php (modified) (1 diff)
• trunk/readme.txt (modified) (2 diffs)

custom-post-types/trunk/custom-post-types.php

@@ -8 +8 @@
 Text Domain: custom-post-types
 Domain Path: /languages/
-Version: 5.0.0
+Version: 5.0.1
 */
 

custom-post-types/trunk/includes/class-cpt-field-groups.php

@@ -19 +19 @@
      */
     public function init_hooks() {
-        add_action( 'init', array( $this, 'init_field_groups' ) );
+        add_action( 'init', array( $this, 'init_field_groups' ), PHP_INT_MAX );
     }
 
@@ -147 +147 @@
             }
 
-            $field_group['label'] = esc_html( $field_group['label'] );
-
             foreach ( $supports as $content ) {
                 $type = ! empty( $content['type'] ) ? $content['type'] : self::SUPPORT_TYPE_CPT;

custom-post-types/trunk/includes/class-cpt-fields.php

@@ -51 +51 @@
             return;
         }
+        if( ! empty( $field_config['extra']['placeholder'] ) ){
+            $field_config['extra']['placeholder'] = esc_html( $field_config['extra']['placeholder'] );
+        }
+        if( ! empty( $field_config['value'] ) && is_string( $field_config['value'] ) ){
+            $field_config['value'] = esc_html( $field_config['value'] );
+        }
         ob_start();
         ?>
@@ -57 +63 @@
             data-field-type="<?php echo $field_config['type']; ?>">
             <div class="cpt-field-inner">
-                <input type="hidden" name="<?php echo $input_name; ?>" value="">
+                <input type="hidden" name="<?php echo esc_html( $input_name ); ?>" value="">
                 <?php
                 printf(
                     '<div class="cpt-field-wrap%s"%s><label for="%s">%s</label><div class="input">%s</div>%s</div>',
-                    ( ! empty( $field_config['wrap']['layout'] ) ? ' ' . $field_config['wrap']['layout'] : '' ) .
+                    esc_html( ! empty( $field_config['wrap']['layout'] ) ? ' ' . $field_config['wrap']['layout'] : '' ) .
                     ( $field_config['required'] ? ' cpt-field-required' : '' ) .
-                    ( ! empty( $field_config['wrap']['class'] ) ? ' ' . $field_config['wrap']['class'] : '' ) .
-                    ( ! empty( $field_config['extra']['prepend'] ) ? ' cpt-field-prepend' : '' ) .
-                    ( ! empty( $field_config['extra']['append'] ) ? ' cpt-field-append' : '' ),
-                    ! empty( $field_config['wrap']['id'] ) ? ' id="' . $field_config['wrap']['id'] . '"' : '',
-                    $input_id,
+                    esc_html( ! empty( $field_config['wrap']['class'] ) ? ' ' . $field_config['wrap']['class'] : '' ) .
+                    esc_html( ! empty( $field_config['extra']['prepend'] ) ? ' cpt-field-prepend' : '' ) .
+                    esc_html( ! empty( $field_config['extra']['append'] ) ? ' cpt-field-append' : '' ),
+                    ! empty( $field_config['wrap']['id'] ) ? ' id="' . esc_html( $field_config['wrap']['id'] ) . '"' : '',
+                    esc_html( $input_id ),
                     wp_kses_post( $field_config['label'] ),
                     $field_type::render( $input_name, $input_id, $field_config ),
@@ -91 +97 @@
         wp_nonce_field( CPT_NONCE_KEY, 'fields-nonce' );
         ?>
-        <div class="cpt-fields-section" data-id="<?php echo $fields_group_id; ?>">
+        <div class="cpt-fields-section" data-id="<?php echo esc_html( $fields_group_id ); ?>">
             <?php
             foreach ( $fields as $field ) {
@@ -124 +130 @@
         }
         $meta_values = isset( $_POST['meta-fields'] ) ? $_POST['meta-fields'] : array();
-
-        $field_group_id = $field_group['id'];
-        $fields         = $field_group['fields'];
+        $fields      = $field_group['fields'];
 
         foreach ( $fields as $field ) {
@@ -135 +139 @@
             } elseif ( ! empty( $meta_values[ $meta_key ] ) ) {
                 $meta_value     = $meta_values[ $meta_key ];
-                $sanitize_value = apply_filters( 'cpt_field_sanitize', $meta_value, $meta_key, $meta_type, $field_group_id, $content_type, $content_id );
+                $sanitize_value = apply_filters( 'cpt_field_sanitize', $meta_value, $meta_key, $meta_type, $field_group, $content_type, $content_id );
             } else {
                 $sanitize_value = '';

custom-post-types/trunk/includes/class-cpt-ui.php

@@ -102 +102 @@
      * @return mixed|string
      */
-    public function sanitize_ui_id_fields( $meta_value, $meta_key, $meta_type, $field_group_id ) {
+    public function sanitize_ui_id_fields( $meta_value, $meta_key, $meta_type, $field_group ) {
+        $field_group_id = $field_group['id'];
         if (
             'id' == $meta_key && //phpcs:ignore Universal.Operators.StrictComparisons

custom-post-types/trunk/includes/compatibilities/v4.php

@@ -69 +69 @@
 add_filter(
     'cpt_field_sanitize',
-    function ( $meta_value, $meta_key, $meta_type, $field_group_id, $content_type, $content_id ) {
+    function ( $meta_value, $meta_key, $meta_type, $field_group, $content_type, $content_id ) {
         $meta_value = apply_filters( 'cpt_sanitize_field_' . $meta_key, $meta_value );
         $meta_value = apply_filters( 'cpt_sanitize_' . $content_id, $meta_value );

custom-post-types/trunk/includes/fields/class-cpt-field-html.php

@@ -48 +48 @@
      */
     public static function render( $input_name, $input_id, $field_config ) {
-        return ! empty( $field_config['extra']['content'] ) ? $field_config['extra']['content'] : '';
+        return ! empty( $field_config['extra']['content'] ) ? wp_kses_post( $field_config['extra']['content'] ) : '';
     }
 }

custom-post-types/trunk/includes/fields/class-cpt-field-repeater.php

@@ -126 +126 @@
         return ob_get_clean();
     }
+
+    /**
+     * @param $fields
+     *
+     * @return array
+     */
+    public static function get_repeater_fields_map( $fields ) {
+        $result = array();
+
+        foreach ( $fields as $field ) {
+            $result[ $field['key'] ] = array( 'type' => $field['type'] );
+            if ( 'repeater' == $field['type'] ) {
+                $result[ $field['key'] ]['fields'] = self::get_repeater_fields_map( $field['extra']['fields'] );
+            }
+        }
+
+        return $result;
+    }
+
+    /**
+     * @param $meta_value
+     * @param $meta_key
+     * @param $meta_type
+     * @param $field_group
+     * @param $content_type
+     * @param $content_id
+     * @param $fields
+     *
+     * @return array|mixed
+     */
+    public static function sanitize_recursive( $meta_value, $meta_key, $meta_type, $field_group, $content_type, $content_id, $fields ) {
+        if ( empty( $meta_value ) ) {
+            return $meta_value;
+        }
+
+        if ( 'extra' == $meta_key && CPT_UI_PREFIX . '_field' == $field_group['id'] ) {
+            $fields     = self::get_repeater_fields_map( cpt_fields()->get_field( $meta_type )::get_extra() );
+            $meta_value = array( $meta_value );
+        }
+
+        foreach ( $meta_value as $i => $meta_group ) {
+            foreach ( $meta_group as $key => $value ) {
+                if ( 'extra' == $key && CPT_UI_PREFIX . '_field' == $field_group['id'] ) {
+                    $meta_value[ $i ][ $key ] = self::sanitize_recursive( $value, $key, $meta_group['type'], $field_group, $content_type, $content_id, $fields );
+                } elseif ( 'repeater' == $fields[ $key ]['type'] ) {
+                    $meta_value[ $i ][ $key ] = self::sanitize_recursive( $value, $key, 'repeater', $field_group, $content_type, $content_id, $fields[ $key ]['fields'] );
+                } else {
+                    $meta_value[ $i ][ $key ] = apply_filters( 'cpt_field_sanitize', $value, $key, $fields[ $key ]['type'], $field_group, $content_type, $content_id );
+                }
+            }
+        }
+
+        return ( 'extra' == $meta_key && CPT_UI_PREFIX . '_field' == $field_group['id'] ) ? $meta_value[0] : $meta_value;
+    }
 }
 
@@ -137 +191 @@
             'callback' => function ( $params ) {
                 $fields_group_id = $params['fields-group-id'];
-                $fields = is_array( json_decode( stripslashes( $params['fields'] ), true ) ) ? json_decode( stripslashes( $params['fields'] ), true ) : array();
+                $fields          = is_array( json_decode( stripslashes( $params['fields'] ), true ) ) ? json_decode( stripslashes( $params['fields'] ), true ) : array();
                 if ( empty( $fields ) ) {
                     wp_send_json_error();
                 }
                 $parent = ! empty( $params['parent'] ) ? $params['parent'] : '';
+
                 return CPT_Field_Repeater::render_group( $fields, $parent, $fields_group_id );
             },
@@ -148 +203 @@
             'required' => array( 'field-type', 'fields-group-id' ),
             'callback' => function ( $params ) {
-                $field_type = $params['field-type'];
+                $field_type      = $params['field-type'];
                 $fields_group_id = $params['fields-group-id'];
-                $parent    = ! empty( $params['parent'] ) ? $params['parent'] : '';
-                $fields    = cpt_fields()->get_field( $field_type )::get_extra();
+                $parent          = ! empty( $params['parent'] ) ? $params['parent'] : '';
+                $fields          = cpt_fields()->get_field( $field_type )::get_extra();
                 ob_start();
                 foreach ( $fields as $field ) {
-                    $field['value']  = '';
-                    $field['parent'] = $parent . '[extra]';
+                    $field['value']           = '';
+                    $field['parent']          = $parent . '[extra]';
                     $field['fields_group_id'] = $fields_group_id;
                     echo cpt_fields()->get_field_template( $field );
                 }
+
                 return ob_get_clean();
             },
         );
+
         return $actions;
     }
 );
+
+add_filter(
+    'cpt_field_sanitize',
+    function ( $meta_value, $meta_key, $meta_type, $field_group, $content_type, $content_id ) {
+        $field_group_id = $field_group['id'];
+        if (
+            'fields' == $meta_key && //phpcs:ignore Universal.Operators.StrictComparisons
+            CPT_UI_PREFIX . '_field' == $field_group_id && //phpcs:ignore Universal.Operators.StrictComparisons
+            ! empty( $meta_value )
+        ) {
+            foreach ( $meta_value as $i => $meta_args ) {
+                $meta_value[ $i ]['key']     = sanitize_title( $meta_args['key'] );
+                $meta_value[ $i ]['wrap_id'] = sanitize_title( $meta_args['wrap_id'] );
+            }
+        }
+
+        if ( 'repeater' == $meta_type ) {
+            $fields     = CPT_Field_Repeater::get_repeater_fields_map( $field_group['fields'] )[ $meta_key ]['fields'];
+            $meta_value = CPT_Field_Repeater::sanitize_recursive( $meta_value, $meta_key, $meta_type, $field_group, $content_type, $content_id, $fields );
+        }
+
+        return $meta_value;
+    },
+    10,
+    6
+);

custom-post-types/trunk/includes/fields/class-cpt-field-text.php

@@ -57 +57 @@
      */
     public static function sanitize( $meta_value ) {
-        return sanitize_text_field( $meta_value );
+        return wp_kses_post( $meta_value );
     }
 }

custom-post-types/trunk/readme.txt

@@ -5 +5 @@
 Requires at least: 4.0
 Tested up to: 6.4
-Stable tag: 5.0.0
+Stable tag: 5.0.1
 Requires PHP: 5.6
 License: GPLv2 or later
@@ -188 +188 @@
 == Changelog ==
 
+= 5.0.1 - 2024-02-16 =
+* FIX: Authenticated (Administrator+) Stored Cross-Site Scripting (thanks to Taihei Shimamine);
+* FIX: add sanitization on repeater fields;
+* FIX: html field render only allowed HTML tags for post content;
+* FIX: post types by code on field groups assignment (thanks to @alessiac95)
+* FEAT: now text field accept allowed HTML tags for post content;
+
 = 5.0.0 - 2023-11-06 =
 * FIX: stored XSS vulnerability in admin screens with UI labels (thanks to Taihei Shimamine);