Context Navigation

← Previous Changeset
Next Changeset →

Changeset 3208758

Timestamp:

12/16/2024 06:59:07 PM (14 months ago)

Author:

nahuelmahe

Message:

Update to version 3.8.23 from GitHub

Location:

Files:

: 8 edited
: 1 copied

tags/3.8.23 (copied) (copied from ninja-forms/trunk)
tags/3.8.23/includes/Display/Preview.php (modified) (3 diffs)
tags/3.8.23/ninja-forms.php (modified) (2 diffs)
tags/3.8.23/readme.txt (modified) (2 diffs)
tags/3.8.23/vendor/composer/installed.php (modified) (2 diffs)
trunk/includes/Display/Preview.php (modified) (3 diffs)
trunk/ninja-forms.php (modified) (2 diffs)
trunk/readme.txt (modified) (2 diffs)
trunk/vendor/composer/installed.php (modified) (2 diffs)

Legend:

: Unmodified
: Added
: Removed

ninja-forms/tags/3.8.23/includes/Display/Preview.php

-                      r3110508
+                      r3208758
  * Class NF_Display_Preview
  */
 final class NF_Display_Preview
+class NF_Display_Preview
+{
-    protected $form_id = '';
     protected $_form_id = '';
     public function __construct()
+    {
         if ( ! isset( $_GET['nf_preview_form'] ) ) return;
+  public function __construct()
+  {
+    $this->_form_id = $this->constructFormId();
+        $this->_form_id = WPN_Helper::sanitize_text_field($_GET['nf_preview_form']);
+    if(is_null($this->_form_id)){
+      return;
+    }
+    add_action('pre_get_posts', array($this, 'pre_get_posts'));
+        add_action( 'pre_get_posts', array( $this, 'pre_get_posts' ) );
+    add_filter('the_title', array($this, 'the_title'));
+    remove_filter('the_content', 'wpautop');
+    remove_filter('the_excerpt', 'wpautop');
+    add_filter('the_content', array($this, 'the_content'), 9001);
+    add_filter('get_the_excerpt', array($this, 'the_content'));
+    //switched from template_include to template redirect filter hook to work with block-based (FSE) themes
+    add_filter('template_redirect', array($this, 'template_include'));
+        add_filter('the_title', array( $this, 'the_title' ) );
+        remove_filter( 'the_content', 'wpautop' );
+        remove_filter( 'the_excerpt', 'wpautop' );
+        add_filter('the_content', array( $this, 'the_content' ), 9001 );
+        add_filter('get_the_excerpt', array( $this, 'the_content' ) );
+        //switched from template_include to template redirect filter hook to work with block-based (FSE) themes
+        add_filter('template_redirect', array( $this, 'template_include' ) );
+        add_filter('post_thumbnail_html', array( $this, 'post_thumbnail_html' ) );
+    }
+    add_filter('post_thumbnail_html', array($this, 'post_thumbnail_html'));
+  }
     public function pre_get_posts( $query )
 …
     function the_content()
+    {
         if ( ! is_user_logged_in() ) return esc_html__( 'You must be logged in to preview a form.', 'ninja-forms' );
+        if ( !$this->userCanViewPreview() ) return esc_html__( 'You must be logged in and have form privileges to preview a form.', 'ninja-forms' );
         // takes into account if we are trying to preview a non-published form
 …
                      || ! is_numeric( $tmp_id_test[ 1 ] ) ) ) ) {
             return esc_html__( 'You must provide a valid form ID.', 'ninja-forms' );
+        }
-        return do_shortcode( "[nf_preview id='". esc_attr($this->_form_id) . "']" );
+    }
+    /**
+     * Locate_template will be loaded using second argument of the get_query_templates() function
+     * First argument will be prefixed with _template to create a hook
+     * @return void
+    return do_shortcode("[nf_preview id='" . esc_attr($this->_form_id) . "']");
+  }
+  /**
+   * Construct the form id
+   *
+   * Check for GET parameter, then sanitize.  Failures return null
+   *
+   * @return string|null
+   */
+  protected function constructFormId()
+  {
+    $return = null;
+    $previewParameter = $this->extractPreviewGetParameter();
+    if (is_null($previewParameter)) {
+      return $return;
+    }
+    $sanitizedFormId = $this->sanitizeFormId($previewParameter);
+    if (is_null($sanitizedFormId)) {
+      return $return;
+    }
+    return $sanitizedFormId;
+  }
+      /**
+     * Return the GET parameter for form preview id
+     *
+     * @return string|null
      */
+    protected function extractPreviewGetParameter()
+    {
+      $return = null;
+      if ( isset( $_GET['nf_preview_form'] ) ){
+        $return = $_GET['nf_preview_form'];
+      }
+      return $return;
+    }
+  /**
+   * Ensure form Id is only integer or tmp-*
+   *
+   * If disallowed structure is found, return null
+   *
+   * @param int|string $unsanitizedFormId
+   * @return int|string|null
+   */
+  protected function sanitizeFormId($unsanitizedFormId)
+  {
+    $return = null;
+    $wpSanitized = WPN_Helper::sanitize_text_field($unsanitizedFormId);
+    if(is_int($wpSanitized) ||
+    is_string($wpSanitized) && ctype_digit($wpSanitized) ){
+      $return = $wpSanitized;
+      return $return;
+    }
+    if(!is_string($wpSanitized)){
+      return $return;
+    }
+    $return = $this->sanitizeForUnpublishedFormId($wpSanitized);
+    return $return;
+  }
+  /**
+   * Allow non-integer-like values form unpublished form
+   *
+   * Uses format tmp-***
+   *
+   * @param string $incoming
+   * @return void
+   */
+  protected function sanitizeForUnpublishedFormId(string $incoming)
+  {
+    $return = null;
+    if (strpos($incoming, 'tmp-') === 0) {
+      $prefixRemoved = str_replace('tmp-', '', $incoming);
+      if (ctype_digit($prefixRemoved)) {
+        $return = $incoming;
+      }
+    }
+    return $return;
+  }
+  /**
+   * Does user have permission to preview forms?
+   *
+   * @return boolean
+   */
+  protected function userCanViewPreview(): bool
+  {
+    $return = true;
+    if (! is_user_logged_in() || !current_user_can(apply_filters('ninja_forms_admin_all_forms_capabilities', 'manage_options'))) {
+      $return = false;
+    }
+    return $return;
+  }
+  /**
+   * Locate_template will be loaded using second argument of the get_query_templates() function
+   * First argument will be prefixed with _template to create a hook
+   * @return void
+   */
     function template_include()
+    {

ninja-forms/tags/3.8.23/ninja-forms.php

-                      r3205797
+                      r3208758
 Plugin URI: http://ninjaforms.com/?utm_source=WordPress&utm_medium=readme
 Description: Ninja Forms is a webform builder with unparalleled ease of use and features.
 Version: 3.8.22
+Version: 3.8.23
 Author: Saturday Drive
 Author URI: http://ninjaforms.com/?utm_source=Ninja+Forms+Plugin&utm_medium=Plugins+WP+Dashboard
 …
      */
     const VERSION = '3.8.22';
+    const VERSION = '3.8.23';
     /**

ninja-forms/tags/3.8.23/readme.txt

-                      r3205797
+                      r3208758
 Requires at least: 6.5
 Tested up to: 6.7
 Stable tag: 3.8.22
+Stable tag: 3.8.23
 Requires PHP: 7.4
 …
 == Upgrade Notice ==
 = 3.8.22 (10 December 2024) =
 *Bug Fixes:*
 - Update timing for widget loading on page builders
+= 3.8.23 (16 December 2024)
+*Bug Fixes:*
+- Ensure only permitted form previews are available to a given user
 == Changelog ==
+= 3.8.23 (16 December 2024)
+*Bug Fixes:*
+- Ensure only permitted form previews are available to a given user
 = 3.8.22 (10 December 2024) =
 *Bug Fixes:*

ninja-forms/tags/3.8.23/vendor/composer/installed.php

-                      r3205797
+                      r3208758
     'root' => array(
         'name' => 'saturday-drive/ninja-forms',
         'pretty_version' => 'dev-ccccaaafe850b16a48ac6ec4509164d26eb28fcb',
         'version' => 'dev-ccccaaafe850b16a48ac6ec4509164d26eb28fcb',
         'reference' => 'ccccaaafe850b16a48ac6ec4509164d26eb28fcb',
+        'pretty_version' => 'dev-46478907677c6e1b880f7058e592dd6f766a86ef',
+        'version' => 'dev-46478907677c6e1b880f7058e592dd6f766a86ef',
+        'reference' => '46478907677c6e1b880f7058e592dd6f766a86ef',
         'type' => 'library',
         'install_path' => __DIR__ . '/../../',
 …
     'versions' => array(
         'saturday-drive/ninja-forms' => array(
             'pretty_version' => 'dev-ccccaaafe850b16a48ac6ec4509164d26eb28fcb',
             'version' => 'dev-ccccaaafe850b16a48ac6ec4509164d26eb28fcb',
             'reference' => 'ccccaaafe850b16a48ac6ec4509164d26eb28fcb',
+            'pretty_version' => 'dev-46478907677c6e1b880f7058e592dd6f766a86ef',
+            'version' => 'dev-46478907677c6e1b880f7058e592dd6f766a86ef',
+            'reference' => '46478907677c6e1b880f7058e592dd6f766a86ef',
             'type' => 'library',
             'install_path' => __DIR__ . '/../../',

ninja-forms/trunk/includes/Display/Preview.php

-                      r3110508
+                      r3208758
  * Class NF_Display_Preview
  */
 final class NF_Display_Preview
+class NF_Display_Preview
+{
-    protected $form_id = '';
     protected $_form_id = '';
     public function __construct()
+    {
         if ( ! isset( $_GET['nf_preview_form'] ) ) return;
+  public function __construct()
+  {
+    $this->_form_id = $this->constructFormId();
+        $this->_form_id = WPN_Helper::sanitize_text_field($_GET['nf_preview_form']);
+    if(is_null($this->_form_id)){
+      return;
+    }
+    add_action('pre_get_posts', array($this, 'pre_get_posts'));
+        add_action( 'pre_get_posts', array( $this, 'pre_get_posts' ) );
+    add_filter('the_title', array($this, 'the_title'));
+    remove_filter('the_content', 'wpautop');
+    remove_filter('the_excerpt', 'wpautop');
+    add_filter('the_content', array($this, 'the_content'), 9001);
+    add_filter('get_the_excerpt', array($this, 'the_content'));
+    //switched from template_include to template redirect filter hook to work with block-based (FSE) themes
+    add_filter('template_redirect', array($this, 'template_include'));
+        add_filter('the_title', array( $this, 'the_title' ) );
+        remove_filter( 'the_content', 'wpautop' );
+        remove_filter( 'the_excerpt', 'wpautop' );
+        add_filter('the_content', array( $this, 'the_content' ), 9001 );
+        add_filter('get_the_excerpt', array( $this, 'the_content' ) );
+        //switched from template_include to template redirect filter hook to work with block-based (FSE) themes
+        add_filter('template_redirect', array( $this, 'template_include' ) );
+        add_filter('post_thumbnail_html', array( $this, 'post_thumbnail_html' ) );
+    }
+    add_filter('post_thumbnail_html', array($this, 'post_thumbnail_html'));
+  }
     public function pre_get_posts( $query )
 …
     function the_content()
+    {
         if ( ! is_user_logged_in() ) return esc_html__( 'You must be logged in to preview a form.', 'ninja-forms' );
+        if ( !$this->userCanViewPreview() ) return esc_html__( 'You must be logged in and have form privileges to preview a form.', 'ninja-forms' );
         // takes into account if we are trying to preview a non-published form
 …
                      || ! is_numeric( $tmp_id_test[ 1 ] ) ) ) ) {
             return esc_html__( 'You must provide a valid form ID.', 'ninja-forms' );
+        }
-        return do_shortcode( "[nf_preview id='". esc_attr($this->_form_id) . "']" );
+    }
+    /**
+     * Locate_template will be loaded using second argument of the get_query_templates() function
+     * First argument will be prefixed with _template to create a hook
+     * @return void
+    return do_shortcode("[nf_preview id='" . esc_attr($this->_form_id) . "']");
+  }
+  /**
+   * Construct the form id
+   *
+   * Check for GET parameter, then sanitize.  Failures return null
+   *
+   * @return string|null
+   */
+  protected function constructFormId()
+  {
+    $return = null;
+    $previewParameter = $this->extractPreviewGetParameter();
+    if (is_null($previewParameter)) {
+      return $return;
+    }
+    $sanitizedFormId = $this->sanitizeFormId($previewParameter);
+    if (is_null($sanitizedFormId)) {
+      return $return;
+    }
+    return $sanitizedFormId;
+  }
+      /**
+     * Return the GET parameter for form preview id
+     *
+     * @return string|null
      */
+    protected function extractPreviewGetParameter()
+    {
+      $return = null;
+      if ( isset( $_GET['nf_preview_form'] ) ){
+        $return = $_GET['nf_preview_form'];
+      }
+      return $return;
+    }
+  /**
+   * Ensure form Id is only integer or tmp-*
+   *
+   * If disallowed structure is found, return null
+   *
+   * @param int|string $unsanitizedFormId
+   * @return int|string|null
+   */
+  protected function sanitizeFormId($unsanitizedFormId)
+  {
+    $return = null;
+    $wpSanitized = WPN_Helper::sanitize_text_field($unsanitizedFormId);
+    if(is_int($wpSanitized) ||
+    is_string($wpSanitized) && ctype_digit($wpSanitized) ){
+      $return = $wpSanitized;
+      return $return;
+    }
+    if(!is_string($wpSanitized)){
+      return $return;
+    }
+    $return = $this->sanitizeForUnpublishedFormId($wpSanitized);
+    return $return;
+  }
+  /**
+   * Allow non-integer-like values form unpublished form
+   *
+   * Uses format tmp-***
+   *
+   * @param string $incoming
+   * @return void
+   */
+  protected function sanitizeForUnpublishedFormId(string $incoming)
+  {
+    $return = null;
+    if (strpos($incoming, 'tmp-') === 0) {
+      $prefixRemoved = str_replace('tmp-', '', $incoming);
+      if (ctype_digit($prefixRemoved)) {
+        $return = $incoming;
+      }
+    }
+    return $return;
+  }
+  /**
+   * Does user have permission to preview forms?
+   *
+   * @return boolean
+   */
+  protected function userCanViewPreview(): bool
+  {
+    $return = true;
+    if (! is_user_logged_in() || !current_user_can(apply_filters('ninja_forms_admin_all_forms_capabilities', 'manage_options'))) {
+      $return = false;
+    }
+    return $return;
+  }
+  /**
+   * Locate_template will be loaded using second argument of the get_query_templates() function
+   * First argument will be prefixed with _template to create a hook
+   * @return void
+   */
     function template_include()
+    {

ninja-forms/trunk/ninja-forms.php

-                      r3205797
+                      r3208758
 Plugin URI: http://ninjaforms.com/?utm_source=WordPress&utm_medium=readme
 Description: Ninja Forms is a webform builder with unparalleled ease of use and features.
 Version: 3.8.22
+Version: 3.8.23
 Author: Saturday Drive
 Author URI: http://ninjaforms.com/?utm_source=Ninja+Forms+Plugin&utm_medium=Plugins+WP+Dashboard
 …
      */
     const VERSION = '3.8.22';
+    const VERSION = '3.8.23';
     /**

ninja-forms/trunk/readme.txt

-                      r3205797
+                      r3208758
 Requires at least: 6.5
 Tested up to: 6.7
 Stable tag: 3.8.22
+Stable tag: 3.8.23
 Requires PHP: 7.4
 …
 == Upgrade Notice ==
 = 3.8.22 (10 December 2024) =
 *Bug Fixes:*
 - Update timing for widget loading on page builders
+= 3.8.23 (16 December 2024)
+*Bug Fixes:*
+- Ensure only permitted form previews are available to a given user
 == Changelog ==
+= 3.8.23 (16 December 2024)
+*Bug Fixes:*
+- Ensure only permitted form previews are available to a given user
 = 3.8.22 (10 December 2024) =
 *Bug Fixes:*

ninja-forms/trunk/vendor/composer/installed.php

-                      r3205797
+                      r3208758
     'root' => array(
         'name' => 'saturday-drive/ninja-forms',
         'pretty_version' => 'dev-ccccaaafe850b16a48ac6ec4509164d26eb28fcb',
         'version' => 'dev-ccccaaafe850b16a48ac6ec4509164d26eb28fcb',
         'reference' => 'ccccaaafe850b16a48ac6ec4509164d26eb28fcb',
+        'pretty_version' => 'dev-46478907677c6e1b880f7058e592dd6f766a86ef',
+        'version' => 'dev-46478907677c6e1b880f7058e592dd6f766a86ef',
+        'reference' => '46478907677c6e1b880f7058e592dd6f766a86ef',
         'type' => 'library',
         'install_path' => __DIR__ . '/../../',
 …
     'versions' => array(
         'saturday-drive/ninja-forms' => array(
             'pretty_version' => 'dev-ccccaaafe850b16a48ac6ec4509164d26eb28fcb',
             'version' => 'dev-ccccaaafe850b16a48ac6ec4509164d26eb28fcb',
             'reference' => 'ccccaaafe850b16a48ac6ec4509164d26eb28fcb',
+            'pretty_version' => 'dev-46478907677c6e1b880f7058e592dd6f766a86ef',
+            'version' => 'dev-46478907677c6e1b880f7058e592dd6f766a86ef',
+            'reference' => '46478907677c6e1b880f7058e592dd6f766a86ef',
             'type' => 'library',
             'install_path' => __DIR__ . '/../../',

Note: See TracChangeset for help on using the changeset viewer.

Trac UI Preferences

Download in other formats: