Changeset 3048971

Timestamp:

03/11/2024 10:22:41 AM (21 months ago)

Author:

totalpressorg

Message:

5.0.2

Location:

custom-post-types

Files:

• tags/5.0.2 (added)
• tags/5.0.2/assets (added)
• tags/5.0.2/assets/css (added)
• tags/5.0.2/assets/css/backend.css (added)
• tags/5.0.2/assets/dashboard-icon.svg (added)
• tags/5.0.2/assets/icon-256x256.png (added)
• tags/5.0.2/assets/icon.svg (added)
• tags/5.0.2/assets/js (added)
• tags/5.0.2/assets/js/backend.js (added)
• tags/5.0.2/custom-post-types.php (added)
• tags/5.0.2/includes (added)
• tags/5.0.2/includes/abstracts (added)
• tags/5.0.2/includes/abstracts/class-cpt-component.php (added)
• tags/5.0.2/includes/abstracts/class-cpt-field.php (added)
• tags/5.0.2/includes/args (added)
• tags/5.0.2/includes/args/core-admin-pages-pro.php (added)
• tags/5.0.2/includes/args/core-admin-pages.php (added)
• tags/5.0.2/includes/args/core-post-types.php (added)
• tags/5.0.2/includes/args/fields-field-group.php (added)
• tags/5.0.2/includes/args/fields-post-type.php (added)
• tags/5.0.2/includes/args/fields-repeater.php (added)
• tags/5.0.2/includes/args/fields-taxonomy.php (added)
• tags/5.0.2/includes/args/post-types-default-args.php (added)
• tags/5.0.2/includes/args/post-types-default-labels.php (added)
• tags/5.0.2/includes/args/taxonomies-default-args.php (added)
• tags/5.0.2/includes/args/taxonomies-default-labels.php (added)
• tags/5.0.2/includes/class-cpt-admin-notices.php (added)
• tags/5.0.2/includes/class-cpt-admin-pages.php (added)
• tags/5.0.2/includes/class-cpt-ajax.php (added)
• tags/5.0.2/includes/class-cpt-core.php (added)
• tags/5.0.2/includes/class-cpt-field-groups.php (added)
• tags/5.0.2/includes/class-cpt-fields.php (added)
• tags/5.0.2/includes/class-cpt-plugin.php (added)
• tags/5.0.2/includes/class-cpt-post-types.php (added)
• tags/5.0.2/includes/class-cpt-shortcodes.php (added)
• tags/5.0.2/includes/class-cpt-taxonomies.php (added)
• tags/5.0.2/includes/class-cpt-ui.php (added)
• tags/5.0.2/includes/class-cpt-utils.php (added)
• tags/5.0.2/includes/compatibilities (added)
• tags/5.0.2/includes/compatibilities/saswp.php (added)
• tags/5.0.2/includes/compatibilities/v4.php (added)
• tags/5.0.2/includes/fields (added)
• tags/5.0.2/includes/fields/class-cpt-field-checkbox.php (added)
• tags/5.0.2/includes/fields/class-cpt-field-color.php (added)
• tags/5.0.2/includes/fields/class-cpt-field-date.php (added)
• tags/5.0.2/includes/fields/class-cpt-field-email.php (added)
• tags/5.0.2/includes/fields/class-cpt-field-embed.php (added)
• tags/5.0.2/includes/fields/class-cpt-field-file.php (added)
• tags/5.0.2/includes/fields/class-cpt-field-html.php (added)
• tags/5.0.2/includes/fields/class-cpt-field-link.php (added)
• tags/5.0.2/includes/fields/class-cpt-field-map.php (added)
• tags/5.0.2/includes/fields/class-cpt-field-number.php (added)
• tags/5.0.2/includes/fields/class-cpt-field-password.php (added)
• tags/5.0.2/includes/fields/class-cpt-field-post-rel.php (added)
• tags/5.0.2/includes/fields/class-cpt-field-radio.php (added)
• tags/5.0.2/includes/fields/class-cpt-field-range.php (added)
• tags/5.0.2/includes/fields/class-cpt-field-repeater.php (added)
• tags/5.0.2/includes/fields/class-cpt-field-select.php (added)
• tags/5.0.2/includes/fields/class-cpt-field-separator.php (added)
• tags/5.0.2/includes/fields/class-cpt-field-switch.php (added)
• tags/5.0.2/includes/fields/class-cpt-field-tax-rel.php (added)
• tags/5.0.2/includes/fields/class-cpt-field-tel.php (added)
• tags/5.0.2/includes/fields/class-cpt-field-text.php (added)
• tags/5.0.2/includes/fields/class-cpt-field-textarea.php (added)
• tags/5.0.2/includes/fields/class-cpt-field-time.php (added)
• tags/5.0.2/includes/fields/class-cpt-field-tinymce.php (added)
• tags/5.0.2/includes/fields/class-cpt-field-user-rel.php (added)
• tags/5.0.2/includes/functions.php (added)
• tags/5.0.2/includes/templates (added)
• tags/5.0.2/includes/templates/modal-feedback.php (added)
• tags/5.0.2/includes/templates/page-tools.php (added)
• tags/5.0.2/index.php (added)
• tags/5.0.2/languages (added)
• tags/5.0.2/languages/custom-post-types.pot (added)
• tags/5.0.2/readme.txt (added)
• trunk/custom-post-types.php (modified) (1 diff)
• trunk/includes/class-cpt-ajax.php (modified) (2 diffs)
• trunk/includes/class-cpt-fields.php (modified) (9 diffs)
• trunk/includes/class-cpt-ui.php (modified) (2 diffs)
• trunk/readme.txt (modified) (2 diffs)

custom-post-types/trunk/custom-post-types.php

@@ -8 +8 @@
 Text Domain: custom-post-types
 Domain Path: /languages/
-Version: 5.0.1
+Version: 5.0.2
 */
 

custom-post-types/trunk/includes/class-cpt-ajax.php

@@ -20 +20 @@
                 'wp_ajax_' . $action,
                 function () use ( $args ) {
-                    $nonce = ! empty( $_REQUEST['nonce'] ) && wp_verify_nonce( $_REQUEST['nonce'], CPT_NONCE_KEY );
+                    if ( empty( $_SERVER['REQUEST_METHOD'] ) ) {
+                        wp_send_json_error();
+                    }
+                    $data  = $_SERVER['REQUEST_METHOD'] === 'POST' ? $_POST : $_GET;
+                    $nonce = ! empty( $data['nonce'] ) && wp_verify_nonce( $data['nonce'], CPT_NONCE_KEY );
                     if ( ! $nonce ) {
                         wp_send_json_error();
                     }
                     foreach ( $args['required'] as $param ) {
-                        if ( empty( $_REQUEST[ $param ] ) ) {
+                        if ( empty( $data[ $param ] ) ) {
                             wp_send_json_error();
                         }
@@ -32 +36 @@
                         wp_send_json_error();
                     }
-                    $result = $args['callback']( $_REQUEST );
+                    $result = $args['callback']( $data );
                     wp_send_json_success( $result );
                 }

custom-post-types/trunk/includes/class-cpt-fields.php

@@ -19 +19 @@
             return;
         }
+
         return esc_html( 'meta-fields' . ( $parent_name ? $parent_name : '' ) . '[' . $key . ']' );
     }
@@ -35 +36 @@
         $parent_id = str_replace( '[', '-', $parent_id );
         $parent_id = str_replace( ']', '', $parent_id );
+
         return esc_html( 'meta-fields' . $parent_id . '-' . $key );
+    }
+
+    /**
+     * @param $value
+     *
+     * @return mixed|string
+     */
+    private function sanitize_recursive_value( $value ) {
+        if ( is_string( $value ) ) {
+            $value = esc_html( $value );
+        } elseif ( is_array( $value ) ) {
+            foreach ( $value as $i => $item ) {
+                $value[ $i ] = self::sanitize_recursive_value( $item );
+            }
+        }
+
+        return $value;
     }
 
@@ -51 +70 @@
             return;
         }
-        if( ! empty( $field_config['extra']['placeholder'] ) ){
-            $field_config['extra']['placeholder'] = esc_html( $field_config['extra']['placeholder'] );
-        }
-        if( ! empty( $field_config['value'] ) && is_string( $field_config['value'] ) ){
-            $field_config['value'] = esc_html( $field_config['value'] );
-        }
+        if ( ! empty( $field_config['extra']['placeholder'] ) ) {
+            $field_config['extra']['placeholder'] = esc_html( $field_config['extra']['placeholder'] );
+        }
+        if ( 'repeater' !== $field_config['type'] && ! empty( $field_config['value'] ) ) {
+            $field_config['value'] = self::sanitize_recursive_value( $field_config['value'] );
+        }
         ob_start();
         ?>
         <div
-            class="cpt-field"<?php echo ! empty( $field_config['wrap']['width'] ) ? ' style="width: ' . $field_config['wrap']['width'] . '%"' : ''; ?>
-            data-field-type="<?php echo $field_config['type']; ?>">
+                class="cpt-field"<?php echo ! empty( $field_config['wrap']['width'] ) ? ' style="width: ' . esc_html( $field_config['wrap']['width'] ) . '%"' : ''; ?>
+                data-field-type="<?php echo esc_html( $field_config['type'] ); ?>">
             <div class="cpt-field-inner">
                 <input type="hidden" name="<?php echo esc_html( $input_name ); ?>" value="">
@@ -177 +196 @@
                             'get_callback' => function ( $item ) use ( $route, $group_id, $fields, $get_callback ) {
                                 $content_id = $item['id'];
-                                $values = array();
+                                $values     = array();
                                 foreach ( $fields as $field ) {
-                                    $meta_key = $field['key'];
-                                    $output_filter = apply_filters( 'cpt_rest_output', true, $meta_key, $route, $group_id, $content_id );
+                                    $meta_key            = $field['key'];
+                                    $output_filter       = apply_filters( 'cpt_rest_output', true, $meta_key, $route, $group_id, $content_id );
                                     $values[ $meta_key ] = $get_callback( $meta_key, $content_id, $output_filter );
                                 }
+
                                 return $values;
                             },
@@ -531 +551 @@
                     function ( $key ) use ( $item_id ) {
                         $key = str_replace( '-' . $item_id, '', $key );
+
                         return ! empty( $item_id ) ? get_post_meta( $item_id, $key, true ) : null;
                     }
@@ -548 +569 @@
                     function ( $key, $value ) use ( $item_id ) {
                         $key = str_replace( '-' . $item_id, '', $key );
+
                         return update_post_meta( $item_id, $key, $value );
                     },
@@ -569 +591 @@
         $content_type_fields = cpt_utils()->get_fields_by_supports( "$content_type/$content_type_id" );
         $field_object        = ! empty( $content_type_fields[ $meta_key ] ) ? $content_type_fields[ $meta_key ] : null;
+
         return $field_object;
     }
@@ -603 +626 @@
                 );
             }
+
             return '';
         }
+
         return apply_filters( 'cpt_field_get', $meta_value, $meta_key, $meta_type, $content_type_id, $content_id );
     }
@@ -643 +668 @@
 
         $field_class = ! empty( $this->types[ $type ] ) ? $this->types[ $type ] : false;
+
         return $field_class;
     }

custom-post-types/trunk/includes/class-cpt-ui.php

@@ -58 +58 @@
      */
     public function feedback_actions() {
-        $nonce = ! empty( $_REQUEST['nonce'] ) && wp_verify_nonce( $_REQUEST['nonce'], CPT_NONCE_KEY );
+        $nonce = ! empty( $_GET['nonce'] ) && wp_verify_nonce( $_GET['nonce'], CPT_NONCE_KEY );
         if ( ! $nonce ) {
             return;
         }
 
-        $action = ! empty( $_REQUEST['action'] ) && 'cpt-feedback' == $_REQUEST['action'] ? $_REQUEST['action'] : false; //phpcs:ignore Universal.Operators.StrictComparisons
+        $action = ! empty( $_GET['action'] ) && 'cpt-feedback' == $_GET['action'] ? $_GET['action'] : false; //phpcs:ignore Universal.Operators.StrictComparisons
         if ( ! $action ) {
             return;
@@ -69 +69 @@
 
         $feedback = array();
-        if ( ! empty( $_REQUEST['reason'] ) ) {
-            $feedback[] = esc_textarea( $_REQUEST['reason'] );
-        }
-        if ( ! empty( $_REQUEST['suggestion'] ) ) {
-            $feedback[] = esc_textarea( $_REQUEST['suggestion'] );
+        if ( ! empty( $_GET['reason'] ) ) {
+            $feedback[] = esc_textarea( $_GET['reason'] );
+        }
+        if ( ! empty( $_GET['suggestion'] ) ) {
+            $feedback[] = esc_textarea( $_GET['suggestion'] );
         }
         if ( ! empty( $feedback ) ) {

custom-post-types/trunk/readme.txt

@@ -5 +5 @@
 Requires at least: 4.0
 Tested up to: 6.4
-Stable tag: 5.0.1
+Stable tag: 5.0.2
 Requires PHP: 5.6
 License: GPLv2 or later
@@ -188 +188 @@
 == Changelog ==
 
+= 5.0.2 - 2024-03-11 =
+* FIX: improve plugin self-request security;
+
 = 5.0.1 - 2024-02-16 =
 * FIX: Authenticated (Administrator+) Stored Cross-Site Scripting (thanks to Taihei Shimamine);