Changeset 3464204

Timestamp:

02/18/2026 10:29:02 AM (6 weeks ago)

Author:

softaculous

Message:

New version 2.0.8

Location:

pagelayer/trunk

Files:

• css/pagelayer-editor.css (modified) (1 diff)
• init.php (modified) (1 diff)
• main/ajax.php (modified) (7 diffs)
• main/functions.php (modified) (2 diffs)
• pagelayer.php (modified) (1 diff)
• readme.txt (modified) (2 diffs)

pagelayer/trunk/css/pagelayer-editor.css

@@ -2601 +2601 @@
 }
 
+.pagelayer-widget-group h5:only-child,
+.pagelayer-leftbar-group h5:only-child{
+display: none;  
+}
+
 .pagelayer-global-widget-pro{
 text-align: center;

pagelayer/trunk/init.php

@@ -6 +6 @@
 define('PAGELAYER_BASE', plugin_basename(PAGELAYER_FILE));
 define('PAGELAYER_PREMIUM_BASE', 'pagelayer-pro/pagelayer-pro.php');
-define('PAGELAYER_VERSION', '2.0.7');
+define('PAGELAYER_VERSION', '2.0.8');
 define('PAGELAYER_DIR', dirname(PAGELAYER_FILE));
 define('PAGELAYER_SLUG', 'pagelayer');

pagelayer/trunk/main/ajax.php

@@ -228 +228 @@
         
         // Restrict contributors from setting 'publish' or modifying unauthorized fields
-        $can_publish = current_user_can($post_type_obj->cap->publish_posts);
-        if(!$can_publish){
+        $current_user_can_publish = current_user_can($post_type_obj->cap->publish_posts);
+        if(!$current_user_can_publish){
             if(!in_array($post['post_status'], ['draft', 'pending'])){
                 $post['post_status'] = 'pending'; // Force pending status
@@ -337 +337 @@
             
         // Any contact templates ?
-        if(!empty($_REQUEST['contacts'])){
+        if(!empty($_REQUEST['contacts']) && $current_user_can_publish){
             update_post_meta($postID, 'pagelayer_contact_templates', $_REQUEST['contacts']);
         }else{
@@ -1271 +1271 @@
     if(isset($formdata['cfa-custom-template']) && !empty($formdata['cfa-post-id'])){
         $post_id = (int) $formdata['cfa-post-id'];
-        
-        if(!empty($post_id)){
+                
+        if(!empty($post_id) && ( get_post_status( $post_id ) === 'publish' || current_user_can('publish_posts') )){
             $contact_array = get_post_meta($post_id, 'pagelayer_contact_templates', true);
             
@@ -1328 +1328 @@
             }
             
-            if(is_array($i)){
-                $i = pagelayer_flat_join($i);
-            }
-            
-            // Record a reply to if it is to be used
-            if(is_email(trim($i)) && empty($reply_to)){
-                $reply_to = trim($i);
-            }
-            
             $body .= $k."\t : \t $".$k."\n";
             
@@ -1343 +1334 @@
         $body .= "\n\n --\n This e-mail was sent from a contact form (".get_home_url().")";
     
+    }
+        
+    // Add attachment
+    if(!empty($_FILES)){
+        add_action('phpmailer_init', 'pagelayer_cf_email_attachment', 10, 1);
+    }
+    
+    $sanitized_data = array();
+    
+    // If we are using HTML, then we should escape html as well
+    foreach($formdata as $k => $i){
+        
+        if(is_array($i)){
+            $i = pagelayer_flat_join($i);
+        }
+        
+        $i = pagelayer_esc_crlf($i);
+        
+        if(!empty($use_html)){
+            $i = esc_html($i);
+        }
+        
+        // Sanitize text field
+        $i = sanitize_text_field($i);
+        
+        // Record a reply to if it is to be used
+        if(is_email($i) && empty($reply_to)){
+            $reply_to = $i;
+        }
+        
+        $sanitized_data[$k] = $i;   
     }
     
@@ -1350 +1372 @@
     }
     
-    // Add attachment
-    if(!empty($_FILES)){
-        add_action('phpmailer_init', 'pagelayer_cf_email_attachment', 10, 1);
-    }
-    
-    // If we are using HTML, then we should escape html as well
-    if(!empty($use_html)){
-        foreach($formdata as $k => $i){
-            
-            if(is_array($i)){
-                $i = pagelayer_flat_join($i);
-            }
-            
-            $formdata[$k] = esc_html($i);
-        }
-    }
-    
     // Add Site Title as option in formdata
-    $formdata['site_title'] = get_bloginfo( 'name' );
+    $sanitized_data['site_title'] = get_bloginfo( 'name' );
     
     // Do parse a variables
-    $to_mail = pagelayer_replace_vars($to_mail, $formdata, '$');
-    $from_mail = pagelayer_replace_vars($from_mail, $formdata, '$');
-    $subject = pagelayer_replace_vars($subject, $formdata, '$');
-    $headers = pagelayer_replace_vars($headers, $formdata, '$');
-    $body = pagelayer_replace_vars($body, $formdata, '$');
+    $to_mail = pagelayer_replace_vars($to_mail, $sanitized_data, '$');
+    $from_mail = pagelayer_replace_vars($from_mail, $sanitized_data, '$');
+    $subject = pagelayer_replace_vars($subject, $sanitized_data, '$');
+    $headers = pagelayer_replace_vars($headers, $sanitized_data, '$');
+    $body = pagelayer_replace_vars($body, $sanitized_data, '$');
     
     if ( $use_html && ! preg_match( '%<html[>\s].*</html>%is', $body ) ) {
@@ -1388 +1393 @@
     }
     
-    $to_mail = apply_filters('pagelayer_contact_send', $to_mail, $formdata);
+    $to_mail = apply_filters('pagelayer_contact_send', $to_mail, $sanitized_data);
     
     // Send the email

pagelayer/trunk/main/functions.php

@@ -1291 +1291 @@
     
     // These events not start with on
-    $not_allowed = array('click', 'dblclick', 'mousedown', 'mousemove', 'mouseout', 'mouseover', 'mouseup', 'load', 'unload', 'change', 'submit', 'reset', 'select', 'blur', 'focus', 'keydown', 'keypress', 'keyup', 'afterprint', 'beforeprint', 'beforeunload', 'error', 'hashchange', 'message', 'offline', 'online', 'pagehide', 'pageshow', 'popstate', 'resize', 'storage', 'contextmenu', 'input', 'invalid', 'search', 'mousewheel', 'wheel', 'drag', 'dragend', 'dragenter', 'dragleave', 'dragover', 'dragstart', 'drop', 'scroll', 'copy', 'cut', 'paste', 'abort', 'canplay', 'canplaythrough', 'cuechange', 'durationchange', 'emptied', 'ended', 'loadeddata', 'loadedmetadata', 'loadstart', 'pause', 'play', 'playing', 'progress', 'ratechange', 'seeked', 'seeking', 'stalled', 'suspend', 'timeupdate', 'volumechange', 'waiting', 'toggle', 'animationstart', 'animationcancel', 'animationend', 'animationiteration', 'auxclick', 'beforeinput', 'beforematch', 'beforexrselect', 'compositionend', 'compositionstart', 'compositionupdate', 'contentvisibilityautostatechange', 'focusout', 'focusin', 'fullscreenchange', 'fullscreenerror', 'gotpointercapture', 'lostpointercapture', 'mouseenter', 'mouseleave', 'pointercancel', 'pointerdown', 'pointerenter', 'pointerleave', 'pointermove', 'pointerout', 'pointerover', 'pointerrawupdate', 'pointerup', 'scrollend', 'securitypolicyviolation', 'touchcancel', 'touchend', 'touchmove', 'touchstart', 'transitioncancel', 'transitionend', 'transitionrun', 'transitionstart', 'MozMousePixelScroll', 'DOMActivate', 'afterscriptexecute', 'beforescriptexecute', 'DOMMouseScroll', 'willreveal', 'gesturechange', 'gestureend', 'gesturestart', 'mouseforcechanged', 'mouseforcedown', 'mouseforceup', 'mouseforceup');
+    $not_allowed = array('click', 'dblclick', 'mousedown', 'mousemove', 'mouseout', 'mouseover', 'mouseup', 'load', 'unload', 'change', 'submit', 'reset', 'select', 'blur', 'focus', 'keydown', 'keypress', 'keyup', 'afterprint', 'beforeprint', 'beforeunload', 'error', 'hashchange', 'message', 'offline', 'online', 'pagehide', 'pageshow', 'popstate', 'resize', 'storage', 'contextmenu', 'input', 'invalid', 'search', 'mousewheel', 'wheel', 'drag', 'dragend', 'dragenter', 'dragleave', 'dragover', 'dragstart', 'drop', 'scroll', 'copy', 'cut', 'paste', 'abort', 'canplay', 'canplaythrough', 'cuechange', 'durationchange', 'emptied', 'ended', 'loadeddata', 'loadedmetadata', 'loadstart', 'pause', 'play', 'playing', 'progress', 'ratechange', 'seeked', 'seeking', 'stalled', 'suspend', 'timeupdate', 'volumechange', 'waiting', 'toggle', 'animationstart', 'animationcancel', 'animationend', 'animationiteration', 'auxclick', 'beforeinput', 'beforematch', 'beforexrselect', 'compositionend', 'compositionstart', 'compositionupdate', 'contentvisibilityautostatechange', 'focusout', 'focusin', 'fullscreenchange', 'fullscreenerror', 'gotpointercapture', 'lostpointercapture', 'mouseenter', 'mouseleave', 'pointercancel', 'pointerdown', 'pointerenter', 'pointerleave', 'pointermove', 'pointerout', 'pointerover', 'pointerrawupdate', 'pointerup', 'scrollend', 'securitypolicyviolation', 'touchcancel', 'touchend', 'touchmove', 'touchstart', 'transitioncancel', 'transitionend', 'transitionrun', 'transitionstart', 'MozMousePixelScroll', 'DOMActivate', 'afterscriptexecute', 'beforescriptexecute', 'DOMMouseScroll', 'willreveal', 'gesturechange', 'gestureend', 'gesturestart', 'mouseforcechanged', 'mouseforcedown', 'mouseforceup', 'mouseforceup', 'beforetoggle');
     
     $not_allowed = implode('|', $not_allowed);
@@ -3985 +3985 @@
     return false;
 }
+
+function pagelayer_esc_crlf($value){
+
+    // Remove CRLF to prevent header injection
+    $value = str_replace(array("\r", "\n", "%0a", "%0d"), '', $value);
+
+    // Trim spaces
+    $value = trim($value);
+
+    return $value;
+}

pagelayer/trunk/pagelayer.php

@@ -4 +4 @@
 Plugin URI: http://wordpress.org/plugins/pagelayer/
 Description: Pagelayer is a WordPress page builder plugin. Its very easy to use and very light on the browser.
-Version: 2.0.7
+Version: 2.0.8
 Author: Pagelayer Team
 Author URI: https://pagelayer.com/

pagelayer/trunk/readme.txt

@@ -5 +5 @@
 Tested up to: 6.9
 Requires PHP: 5.5
-Stable tag: 2.0.7
+Stable tag: 2.0.8
 License: LGPL v2.1
 License URI: http://www.gnu.org/licenses/lgpl-2.1.html
@@ -132 +132 @@
 == Changelog ==
 
+= 2.0.8 (FEB 16, 2026) =
+* [Bug Fix] Improved XSS security checks.
+* [Bug Fix] Sanitized the contact form "Reply-To" header to prevent CRLF injection.
+* [Bug Fix] Restricted low-level users from adding custom templates in the contact form.
+
 = 2.0.7 (DEC 02, 2025) =
 * [Task] Tested compatibility with WordPress 6.9.