Changeset 3401073

Timestamp:

11/22/2025 08:01:05 PM (3 weeks ago)

Author:

dmccan

Message:

Sanitized shortcode inputs on save. Allowed em tags. Tested for WordPress 6.9 compatibility.

Location:

yada-wiki

Files:

• tags/3.6 (added)
• tags/3.6/css (added)
• tags/3.6/css/index.php (added)
• tags/3.6/css/yadawiki.css (added)
• tags/3.6/inc (added)
• tags/3.6/inc/functions-admin.php (added)
• tags/3.6/inc/functions-public.php (added)
• tags/3.6/inc/functions-register-cpt.php (added)
• tags/3.6/inc/functions-settings-load.php (added)
• tags/3.6/inc/functions-settings.php (added)
• tags/3.6/inc/functions-widgets.php (added)
• tags/3.6/inc/index.php (added)
• tags/3.6/inc/yadawiki-dialog-link.php (added)
• tags/3.6/inc/yadawiki-dialog-toc.php (added)
• tags/3.6/index.php (added)
• tags/3.6/js (added)
• tags/3.6/js/img (added)
• tags/3.6/js/img/wiki-link.png (added)
• tags/3.6/js/img/wiki-toc.png (added)
• tags/3.6/js/index.php (added)
• tags/3.6/js/yadawiki-button-link.js (added)
• tags/3.6/js/yadawiki-button-toc.js (added)
• tags/3.6/js/yadawiki-dialog.js (added)
• tags/3.6/lang (added)
• tags/3.6/lang/yada-wiki.pot (added)
• tags/3.6/lang/yada_wiki_domain-en_US.mo (added)
• tags/3.6/lang/yada_wiki_domain-en_US.po (added)
• tags/3.6/lang/yada_wiki_domain-es_ES.mo (added)
• tags/3.6/lang/yada_wiki_domain-es_ES.po (added)
• tags/3.6/license.txt (added)
• tags/3.6/readme.txt (added)
• tags/3.6/yada-wiki.php (added)
• trunk/inc/functions-admin.php (modified) (1 diff)
• trunk/inc/functions-public.php (modified) (2 diffs)
• trunk/inc/functions-widgets.php (modified) (2 diffs)
• trunk/readme.txt (modified) (3 diffs)
• trunk/yada-wiki.php (modified) (4 diffs)

yada-wiki/trunk/inc/functions-admin.php

@@ -163 +163 @@
         wp_die();
     }
- 
+    
+    /******************************
+    * Sanitize shortcode input on save
+    *******************************/
+    function yada_wiki_process_shortcodes_on_save($post_id, $post, $update) {
+    
+        // Only run on standard post saves, not autosave or revision
+        if ( defined('DOING_AUTOSAVE') && DOING_AUTOSAVE ) return;
+        if ( wp_is_post_revision($post_id) ) return;
+        
+        // Do we need to filter the saving of posts and pages also?
+        $options = get_option( 'yada_wiki_settings' );
+        if ( isset($options['yada_wiki_checkbox_editor_buttons_setting']) ) {
+            $allowShortcodeOnPostsAndPages = true;
+        }
+        else {
+            $allowShortcodeOnPostsAndPages = false;
+        }
+        
+        if ( $allowShortcodeOnPostsAndPages === true ) {
+            if ( $post->post_type !== 'yada_wiki' && $post->post_type !== 'post'  && $post->post_type !== 'page' ) return;
+        } else {
+            if ( $post->post_type !== 'yada_wiki') return;
+        }   
+    
+        // Prevent infinite loop
+        remove_action('save_post', 'yada_wiki_process_shortcodes_on_save', 10);
+    
+        $content = $post->post_content;
+        $content = html_entity_decode($content, ENT_QUOTES | ENT_HTML5);
+        $regex = get_shortcode_regex();
+        $has_changes = false;
+        $allowed_html = array(
+            'em' => array(), // Allow <em> with no attributes
+        );                      
+    
+        if (preg_match_all('/' . $regex . '/s', $content, $matches, PREG_SET_ORDER)) {
+            foreach ($matches as $match) {
+                if (isset($match[2]) && $match[2] === 'yadawiki') {
+                    if (isset($match[3])) {
+                        $atts = shortcode_parse_atts($match[3]);
+                        // Proceed to process $atts
+                    } else {
+                        $atts = array();
+                        // Proceed, but there will be no matches
+                    }
+                    
+                    // Sanitize attributes
+                    $atts['link'] = isset($atts['link']) ? wp_kses($atts['link'], $allowed_html) : '';      
+                    $atts['show']   = isset($atts['show']) ? wp_kses($atts['show'], $allowed_html) : '';
+                    $atts['anchor'] = isset($atts['anchor']) ? sanitize_text_field($atts['anchor']) : '';
+    
+                    // Rebuild the sanitized shortcode, always with double quotes for safety
+                    $sanitized = '[yadawiki';
+                    foreach ($atts as $key => $value) {
+                        if ($value !== '') {
+                            $sanitized .= " {$key}=\"" . esc_attr($value) . "\"";
+                        }
+                    }
+                    $sanitized .= ']';
+    
+                    // Replace the original shortcode with sanitized version
+                    $content = str_replace($match[0], $sanitized, $content);
+                    $has_changes = true;
+                } elseif (isset($match[2]) && $match[2] === 'yadawikitoc') {
+                    if (isset($match[3])) {
+                        $atts = shortcode_parse_atts($match[3]);
+                        // Proceed to process $atts
+                    } else {
+                        $atts = array();
+                        // Proceed, but there will be no matches
+                    }
+    
+                    // Sanitize attributes
+                    $atts['show_toc'] = isset($atts['show_toc']) ? sanitize_text_field($atts['show_toc']) : '';
+                    $atts['category']   = isset($atts['category']) ? sanitize_text_field($atts['category']) : '';
+                    $atts['order'] = isset($atts['order']) ? sanitize_text_field($atts['order']) : '';
+    
+                    // Rebuild the sanitized shortcode, always with double quotes for safety
+                    $sanitized = '[yadawikitoc';
+                    foreach ($atts as $key => $value) {
+                        if ($value !== '') {
+                            $sanitized .= " {$key}=\"" . esc_attr($value) . "\"";
+                        }
+                    }
+                    $sanitized .= ']';
+    
+                    // Replace the original shortcode with sanitized version
+                    $content = str_replace($match[0], $sanitized, $content);
+                    $has_changes = true;
+                }  elseif (isset($match[2]) && $match[2] === 'yadawiki-index') {
+                    if (isset($match[3])) {
+                        $atts = shortcode_parse_atts($match[3]);
+                        // Proceed to process $atts
+                    } else {
+                        $atts = array();
+                        // Proceed, but there will be no matches
+                    }
+    
+                    // Sanitize attributes
+                    $atts['type'] = isset($atts['type']) ? sanitize_text_field($atts['type']) : '';
+                    $atts['columns'] = isset($atts['columns']) ? sanitize_text_field($atts['columns']) : '';
+    
+                    // Rebuild the sanitized shortcode, always with double quotes for safety
+                    $sanitized = '[yadawiki-index';
+                    foreach ($atts as $key => $value) {
+                        if ($value !== '') {
+                            $sanitized .= " {$key}=\"" . esc_attr($value) . "\"";
+                        }
+                    }
+                    $sanitized .= ']';
+    
+                    // Replace the original shortcode with sanitized version
+                    $content = str_replace($match[0], $sanitized, $content);
+                    $has_changes = true;
+                }
+            }
+        }
+    
+        if ($has_changes) {
+            wp_update_post([
+                'ID' => $post_id,
+                'post_content' => $content
+            ]);
+        }
+    
+        // Re-add the hook
+        add_action('save_post', 'yada_wiki_process_shortcodes_on_save', 10, 3);
+    }
+
     /********************************************************
     * Funciton from Ohad Raz - https://en.bainternet.info/

yada-wiki/trunk/inc/functions-public.php

@@ -15 +15 @@
         'anchor' => '',
     ), $atts ) ); 
-    
+    
     $link = sanitize_text_field($link);
     $show = sanitize_text_field($show);
@@ -43 +43 @@
     );
     if($target) { $target=$target[0]; } 
-    
+    // Search again in case the page title has em tags around it by removing them for the search
+    if(!$target) { 
+        $target = get_posts(
+            array(
+                'post_type'              => 'yada_wiki',
+                'title'                  => sanitize_text_field($wiki_page),
+                'post_status'            => 'all',
+                'numberposts'            => 1,
+                'update_post_term_cache' => false,
+                'update_post_meta_cache' => false,           
+                'orderby'                => 'post_date ID',
+                'order'                  => 'ASC',
+            )
+        );
+        if($target) { $target=$target[0]; } 
+    }
+
     if($anchor_jump) {
         $firstchar = substr($anchor_jump,0,1);

yada-wiki/trunk/inc/functions-widgets.php

@@ -17 +17 @@
         if( $instance) {
             $title      = esc_attr($instance['title']);
+            $title      = sanitize_text_field($instance['title']);
             $category   = $instance['category'];
             $order      = $instance['order'];
@@ -213 +214 @@
         if( $instance) {
             $title      = esc_attr($instance['title']);
+            $title      = sanitize_text_field($instance['title']);
             $num_posts  = $instance['num_posts'];
             $show_date  = isset( $instance['show_date'] ) ? (bool) $instance['show_date'] : false;

yada-wiki/trunk/readme.txt

@@ -3 +3 @@
 Tags: wiki, shortcode, page links, faq, knowledge base
 Requires at least: 4.1
-Tested up to: 6.8
-Stable tag: 3.5
+Tested up to: 6.9
+Stable tag: 3.6
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
@@ -11 +11 @@
 
 == Description ==
-Yada Wiki provides a wiki post type, custom tags and categories, an index, and a table of contents option.  The plugin allows you to link your wiki pages together using the wiki page titles.  
+Yada Wiki provides a wiki post type, custom tags and categories, an index, and a table of contents option.  The plugin allows you to link your wiki pages together using the wiki page titles. 
+
+Note: As of Yada Wiki 3.6, for current users who have been manually adding HTML tags or special characters to their shortcodes, for security reasons these must be filtered on save. An exception was added for the EM tag because I saw support tickets where users said they were using this tag.  If you have been manually editing the shortcodes then you may want to test before installing version 3.6.  
 
 There are two easy to use shortcode buttons available on the editor toolbar.  Rather than try to remember the shortcodes and their values, it is recommended that you use these buttons to generate the shortcodes for you.
@@ -173 +175 @@
 == Changelog ==
 
+= 3.6 =
+* Sanitized shortcode inputs on save. Allowed em tags. 
+* Tested for WordPress 6.9 compatibility.
+
 = 3.5 = 
 * Fixed shortcode index options which were not working correctly.

yada-wiki/trunk/yada-wiki.php

@@ -4 +4 @@
  * Plugin URI:  https://www.webtng.com/yada-wiki-documentation
  * Description: This plugin provides a simple wiki for your WordPress site.
- * Version:     3.5
+ * Version:     3.6
  * Author:      David McCan
  * Author URI:  https://www.webtng.com
@@ -21 +21 @@
  *
  * @package   YadaWiki
- * @version   3.5
+ * @version   3.6
  * @author    David McCan <[email protected]>
  * @copyright Copyright (c) 2015-2024, David McCan
@@ -208 +208 @@
         add_action( 'plugins_loaded', array( $this, 'i18n' ), 2 );
         add_action( 'init', 'yadawiki_load_settings' );
+        add_shortcode('yadawiki', 'yada_wiki_shortcode');
+        add_shortcode('yadawikitoc', 'yada_wiki_toc_shortcode');
+        add_shortcode('yadawiki-index', 'yada_wiki_index_shortcode');
         
         // public facing
         if ( ! is_admin() ) {
             add_action( 'wp_enqueue_scripts', 'yada_wiki_scripts' );
-            add_shortcode('yadawiki', 'yada_wiki_shortcode');
-            add_shortcode('yadawikitoc', 'yada_wiki_toc_shortcode');
-            add_shortcode('yadawiki-index', 'yada_wiki_index_shortcode');
         }
         
@@ -224 +224 @@
             add_action( 'admin_menu', 'yada_wiki_add_admin_menu' );
             add_action( 'admin_init', 'yada_wiki_settings_init' );
+            add_action('save_post', 'yada_wiki_process_shortcodes_on_save', 10, 3);
             
             // Handle Gutenberg