From fdaad4af4c45d2373203d4231ed5f3f8df8c9274 Mon Sep 17 00:00:00 2001 From: Zaman Date: Fri, 5 Mar 2021 15:52:28 +0600 Subject: [PATCH 01/21] Fixed user role issue for accessing wppb --- classes/Helper.php | 20 ++++++++++++-------- classes/Options.php | 13 +++++++------ core/initial-setup.php | 24 ++++++++++++++++++++---- 3 files changed, 39 insertions(+), 18 deletions(-)
diff --git a/classes/Helper.php b/classes/Helper.php
index 39dfce3..14d38ff 100644
--- a/classes/Helper.php
+++ b/classes/Helper.php
@@ -150,7 +150,7 @@ public function wppb_exclude_roles(){
 $exclude = array();
 $wppb_options = $this->wppb_options();
- if ( ! empty($wppb_options['exclude_role'])){
+ if ( empty($wppb_options['exclude_role'])){
 $exclude = $wppb_options['exclude_role'];
 }
@@ -162,17 +162,21 @@ public function wppb_exclude_roles(){
 *
 * @since v.1.0.0
 */
- public function can_edit_editor(){
- if ( ! is_user_logged_in()){
+ public function can_edit_editor() {
+ if ( ! is_user_logged_in() ) {
 return false;
 }
- $exclude_roles = $this->wppb_exclude_roles();
 $user_meta = get_userdata( get_current_user_id() );
- $bool = true;
- if (count($exclude_roles)){
- if( count( array_intersect( $user_meta->roles , $exclude_roles ) ) > 0 ){
- $bool = false;
+ $wppb_options = $this->wppb_options();
+
+ $included_users_roles = $wppb_options['include_role'];
+
+ $bool = false;
+
+ if ( ! empty( $included_users_roles ) ) {
+ if ( count( array_intersect( $user_meta->roles, $included_users_roles ) ) > 0 ) {
+ $bool = true;
 }
 }
 return $bool;
diff --git a/classes/Options.php b/classes/Options.php
index a8a645b..597968c 100644
--- a/classes/Options.php
+++ b/classes/Options.php
@@ -95,18 +95,19 @@ public static function create_admin_page() { ?> - + $single_role ){ ?> - + $included_user_roles = wppb_get_option( 'include_role' ); + + if ( $user_roles ) { foreach ( $user_roles as $user_slug => $single_role ) { ?> + -
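Review bot: The rewritten condition in wppb_exclude_roles() is inverted: `if ( empty($wppb_options['exclude_role']))` assigns `$exclude` only when the option is absent, so it reads an undefined index and returns null, while a configured exclusion list is now ignored entirely. The original form is the correct one: `if ( ! empty( $wppb_options['exclude_role'] ) ) {`. A later commit in this series restores it, but as committed here the helper silently drops the configured roles.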
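Review bot: `$included_users_roles = $wppb_options['include_role'];` in can_edit_editor() reads the key unguarded; on an install upgraded from a version that never stored `include_role`, this raises an undefined-index notice and `empty()` then denies every user, administrators included, until the defaults have been written. Guard it: `$included_users_roles = isset( $wppb_options['include_role'] ) ? $wppb_options['include_role'] : array();`. `get_userdata()` can also return false, in which case `$user_meta->roles` errors; add `if ( ! $user_meta ) { return false; }` before the intersection. Finally, this is a role-name allow list rather than a capability check — membership in a listed role grants builder access regardless of whether the user may edit the specific post — so the save path must still enforce `current_user_can( 'edit_post', $post_id )` independently.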

+

diff --git a/core/initial-setup.php b/core/initial-setup.php
index eeff8a7..e2c2f42 100644
--- a/core/initial-setup.php
+++ b/core/initial-setup.php
@@ -28,13 +28,29 @@ public static function initialize_data(){
 self::wppb_legacy_data();
 // Activating default post type
- if ( !get_option('wppb_is_used') ){
- $wppb_options = (array) get_option('wppb_options');
- $wppb_options['supported_post_type'] = array('post', 'page');
+ if ( ! get_option( 'wppb_is_used' ) ) {
+ $wppb_options = ( array ) get_option( 'wppb_options' );
+ $wppb_options['supported_post_type'] = array( 'post', 'page' );
+ $wppb_options['include_role'] = array(
+ 'administrator',
+ 'editor',
+ 'author',
+ 'contributor'
+ );
 $wppb_options['css_save_as'] = 'wp_head';
- update_option('wppb_options', $wppb_options);
+ update_option( 'wppb_options', $wppb_options );
 update_option( 'wppb_is_used', WPPB_VERSION );
 }
+ $wppb_options = ( array ) get_option( 'wppb_options' );
+ $wppb_options['supported_post_type'] = array( 'post', 'page' );
+ $wppb_options['include_role'] = array(
+ 'administrator',
+ 'editor',
+ 'author',
+ 'contributor'
+ );
+ $wppb_options['css_save_as'] = 'wp_head';
+ update_option( 'wppb_options', $wppb_options );
 update_option( 'wppb_is_used', WPPB_VERSION );
 } From 8ed58aa8b3c6a6b1b425535f62feed8a2ef25b03 Mon Sep 17 00:00:00 2001 From: Zaman Date: Fri, 5 Mar 2021 17:24:33 +0600 Subject: [PATCH 02/21] small formatting fix --- classes/Helper.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/classes/Helper.php b/classes/Helper.php
index 14d38ff..a2e6c73 100644
--- a/classes/Helper.php
+++ b/classes/Helper.php
@@ -150,7 +150,7 @@ public function wppb_exclude_roles(){
 $exclude = array();
 $wppb_options = $this->wppb_options();
- if ( empty($wppb_options['exclude_role'])){
+ if ( ! empty( $wppb_options['exclude_role'] ) ) {
 $exclude = $wppb_options['exclude_role'];
 } From 52cc24acb0d81529627ca028fd2dca5cda959423 Mon Sep 17 00:00:00 2001 
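Review bot: The block added after the `if ( ! get_option( 'wppb_is_used' ) )` guard runs unconditionally on every call of initialize_data(), so `include_role`, `supported_post_type` and `css_save_as` are rewritten to their defaults each time — an administrator who removes `contributor` or `author` from the builder's role list will find them re-added the next time this runs (how often that is depends on the caller, which is outside the hunk). If the intent is to seed `include_role` on upgraded installs, seed only when the key is missing: `if ( ! isset( $wppb_options['include_role'] ) ) { $wppb_options['include_role'] = array( 'administrator', 'editor', 'author', 'contributor' ); update_option( 'wppb_options', $wppb_options ); }` and drop the unconditional rewrite of the other two keys. Separately, the defaults grant builder access to `author` and `contributor`, roles that do not hold `unfiltered_html`, so the builder's save path must filter markup for those users rather than rely on the role list alone.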
From: Zaman Date: Tue, 16 Mar 2021 10:18:50 +0600 Subject: [PATCH 03/21] security fixes --- addons/accordion/accordion.php | 2 +- addons/alert/alert.php | 6 +++--- addons/form/form.php | 19 +++++++++---------- addons/raw_html/raw_html.php | 2 +- addons/text_block/text_block.php | 2 +- assets/reactjs/package-lock.json | 5 ++--- assets/reactjs/package.json | 2 +- classes/Ajax.php | 3 +-- wp-pagebuilder.php | 2 +- 9 files changed, 20 insertions(+), 23 deletions(-) diff --git a/addons/accordion/accordion.php b/addons/accordion/accordion.php index fd7197a..3cec1e0 100644 --- a/addons/accordion/accordion.php +++ b/addons/accordion/accordion.php @@ -478,7 +478,7 @@ public function render($data = null){ $panelStyle = (($key != 0 || $openitem == "hide") && $openitem != "show") ? "display: none;" : ""; $output .= '
'; - $output .= '
'.$value['content'].'
'; + $output .= '
'.wp_kses_post( $value['content'] ).'
'; $output .= '
';//wppb-panel-collapse $output .= ''; } diff --git a/addons/alert/alert.php b/addons/alert/alert.php index a699984..4f70ba3 100644 --- a/addons/alert/alert.php +++ b/addons/alert/alert.php @@ -149,10 +149,10 @@ public function get_settings() { // Alert Render HTML public function render($data = null){ $settings = $data['settings']; - $alert_title = isset($settings['alert_title']) ? $settings['alert_title'] : ''; - $alert_description = isset($settings['alert_description']) ? $settings['alert_description'] : ''; + $alert_title = isset($settings['alert_title']) ? sanitize_text_field( $settings['alert_title'] ) : ''; + $alert_description = isset($settings['alert_description']) ? sanitize_text_field( $settings['alert_description'] ) : ''; $alert_close = (bool) isset($settings['alert_close']) ? $settings['alert_close'] : false; - $alert_style = isset($settings['alert_style']) ? $settings['alert_style'] : 'info'; + $alert_style = isset($settings['alert_style']) ? sanitize_text_field( $settings['alert_style'] ) : 'info'; $output = ''; $output .= '
';
diff --git a/addons/form/form.php b/addons/form/form.php
index d1362dc..f2f51bb 100644
--- a/addons/form/form.php
+++ b/addons/form/form.php
@@ -882,7 +882,7 @@ public function generateDefaultForm($data = array()){
 $settings = $data['settings'];
 $classlist = '';
 $form_type = isset($settings["form_type"]) ? $settings["form_type"] : '';
- $button_text = isset($settings["button_text"]) ? $settings["button_text"] : 'Submit Form';
+ $button_text = isset($settings["button_text"]) ? sanitize_text_field( $settings["button_text"] ) : 'Submit Form';
 $icon_list = isset($settings["icon_list"]) ? $settings["icon_list"] : '';
 $icon_position = isset($settings["icon_position"]) ? $settings["icon_position"] : '';
 $textarea_resize = isset($settings["textarea_resize"]) ? $settings["textarea_resize"] : '';
@@ -1046,14 +1046,14 @@ public function wppb_form_process(){
 $submitedRowData = array();
 if (isset($_POST['wppb_default_form'])){
- $submitedRowData = $_POST['wppb_default_form'];
+ $submitedRowData = sanitize_text_field( $_POST['wppb_default_form'] );
 }
 //Getting only fields from form
 $submittedFormData = array();
 foreach ($submitedRowData as $key => $rowData){
 $field = $formField[$key];
- $field['submitted_data'] = $rowData;
+ $field['submitted_data'] = sanitize_text_field( $rowData );
 $submittedFormData[] = $field;
 } 
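Review bot: `sanitize_text_field()` on `$alert_style` does not make the value safe for the attribute context it is presumably interpolated into (the `$output .= '<div ...` line is truncated in this view): it strips tags but leaves quotes intact, so a value like `x" onmouseover="...` still breaks out of a class attribute. Since the style is one of a fixed set of variants, validate against an allow list and escape at output: `$alert_style = in_array( $alert_style, array( 'info', 'success', 'warning', 'danger' ), true ) ? $alert_style : 'info';` (adjust the list to the variants the addon actually defines) and wrap each value in `esc_attr()` / `esc_html()` where it is emitted. The same applies to `$alert_title` and `$alert_description`, which sanitize_text_field does not HTML-encode.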
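Review bot: `sanitize_text_field( $_POST['wppb_default_form'] )` is applied to a value the very next statement iterates with `foreach`, so it is an array; `sanitize_text_field()` casts its argument to string, turning the array into the literal `"Array"` (with an array-to-string warning), and the `foreach` then iterates nothing — every submission is silently emptied. Sanitize per element instead, which the loop body already does with `sanitize_text_field( $rowData )`: `$submitedRowData = is_array( $_POST['wppb_default_form'] ) ? wp_unslash( $_POST['wppb_default_form'] ) : array();` (or `map_deep( ..., 'sanitize_text_field' )` if nested values are possible). `$field = $formField[$key];` also indexes with a client-supplied key; add `if ( ! isset( $formField[ $key ] ) ) { continue; }` so an unknown key neither raises a notice nor produces a row with no field definition. Whether wppb_form_process() verifies a nonce cannot be seen here — its start is outside the hunk.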
@@ -1083,9 +1083,9 @@ public function wppb_form_process(){
 }
- $toEmail = ! empty($formSettings['wppb_default_form_to_email']) ? $formSettings['wppb_default_form_to_email'] : '';
- $fromEmail = ! empty($formSettings['wppb_default_form_from_email']) ? $formSettings['wppb_default_form_from_email'] : '';
- $subject = ! empty($formSettings['wppb_default_form_subject']) ? $formSettings['wppb_default_form_subject'] : '';
+ $toEmail = ! empty($formSettings['wppb_default_form_to_email']) ? sanitize_email( $formSettings['wppb_default_form_to_email'] ) : '';
+ $fromEmail = ! empty($formSettings['wppb_default_form_from_email']) ? sanitize_email( $formSettings['wppb_default_form_from_email'] ) : '';
+ $subject = ! empty($formSettings['wppb_default_form_subject']) ? sanitize_text_field( $formSettings['wppb_default_form_subject'] ) : '';
 $date = date(get_option('date_format'));
 $time = date(get_option('time_format'));
@@ -1109,7 +1109,6 @@ public function wppb_form_process(){
 //Setting Mail Headers
 $headers = array('Content-Type: text/html; charset=UTF-8');
- //Send E-Mail Now or through error msg
 try{
 $isMail = wp_mail($toEmail, $subject, $htmlEmail, $headers );
@@ -1194,9 +1193,9 @@ public function getIP(){
 // Form
 public function render($data = null){
 $settings = $data['settings'];
- $form_type = isset($settings["form_type"]) ? $settings["form_type"] : '';
- $cf7_form = isset($settings["cf7_form"]) ? $settings["cf7_form"] : '';
- $we_form = isset($settings["we_form"]) ? $settings["we_form"] : '';
+ $form_type = isset($settings["form_type"]) ? sanitize_text_field( $settings["form_type"] ) : '';
+ $cf7_form = isset($settings["cf7_form"]) ? sanitize_text_field( $settings["cf7_form"] ) : '';
+ $we_form = isset($settings["we_form"]) ? sanitize_text_field( $settings["we_form"] ) : '';
 $textarea_resize = isset($settings["textarea_resize"]) ? $settings["textarea_resize"] : '';
 $output = ''; 
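Review bot: `sanitize_email()` returns an empty string for any address it rejects, and nothing between the `$toEmail` assignment and the `wp_mail( $toEmail, $subject, $htmlEmail, $headers )` call in the next hunk checks for that, so a misconfigured recipient produces a mail attempt with an empty `To:` instead of a reported configuration error. Add a guard right after the assignments: `if ( '' === $toEmail ) { /* report the configuration error and return */ }`. `$fromEmail` is not used in the visible `$headers` array, so confirm it is either emitted through a sanitized `From:` header or removed; and because the message is sent as `text/html`, any submitted field values placed into `$htmlEmail` (built outside the hunk) need `esc_html()` at that point.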
diff --git a/addons/raw_html/raw_html.php b/addons/raw_html/raw_html.php index 5a4ad95..d386252 100644 --- a/addons/raw_html/raw_html.php +++ b/addons/raw_html/raw_html.php @@ -76,7 +76,7 @@ public function get_settings() { // Raw HTML Render HTML public function render($data = null){ $settings = $data['settings']; - $rawhtml = isset($settings['rawhtml']) ? $settings['rawhtml'] : ''; + $rawhtml = isset($settings['rawhtml']) ? wp_kses_post( $settings['rawhtml'] ) : ''; $output = ''; $output .= '
'; if($rawhtml){ diff --git a/addons/text_block/text_block.php b/addons/text_block/text_block.php index 93c866f..c881cbd 100644 --- a/addons/text_block/text_block.php +++ b/addons/text_block/text_block.php @@ -98,7 +98,7 @@ public function get_settings() { // text block Render HTML public function render($data = null){ $settings = $data['settings']; - $text = isset($settings['text']) ? $settings['text'] : ''; + $text = isset($settings['text']) ? sanitize_text_field( $settings['text'] ) : ''; $drop_cap = isset($settings['drop_cap']) ? $settings['drop_cap'] : ''; $output = ''; diff --git a/assets/reactjs/package-lock.json b/assets/reactjs/package-lock.json index 22824cd..d99c74b 100644 --- a/assets/reactjs/package-lock.json +++ b/assets/reactjs/package-lock.json @@ -4702,9 +4702,8 @@ } }, "react-dnd-html5-backend": { - "version": "2.5.1", - "resolved": "https://registry.npmjs.org/react-dnd-html5-backend/-/react-dnd-html5-backend-2.5.1.tgz", - "integrity": "sha1-02VuUUsMRpkCpIX/+nX4aE4hx3c=", + "version": "github:themeum/react-dnd-html5-backend#3a866aac80eec2693005e66faa122d0f32981705", + "from": "github:themeum/react-dnd-html5-backend", "requires": { "lodash": "^4.2.0" } diff --git a/assets/reactjs/package.json b/assets/reactjs/package.json index b46a652..a39164d 100755 --- a/assets/reactjs/package.json +++ b/assets/reactjs/package.json @@ -15,7 +15,7 @@ "deepcopy": "^0.6.3", "react-color": "^2.17.0", "react-dnd": "^2.5.1", - "react-dnd-html5-backend": "^2.5.1", + "react-dnd-html5-backend": "github:themeum/react-dnd-html5-backend", "react-redux": "^5.0.6", "react-select": "^1.2.1", "redux": "^3.7.2", diff --git a/classes/Ajax.php b/classes/Ajax.php index 7567d10..64cafa6 100644 --- a/classes/Ajax.php +++ b/classes/Ajax.php 
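Review bot: Applying `wp_kses_post()` at render time to the Raw HTML addon strips `<script>`, `<iframe>`, `<form>` and similar elements for every viewer regardless of who authored the page, which defeats the addon's purpose for administrators holding `unfiltered_html`, while the stored value itself stays unfiltered (the save path in classes/Ajax.php in this same commit still stores `$_POST['page_builder_data']` as-is). Core's model is to filter at save time based on the saving user's capability: in the save handler, `if ( ! current_user_can( 'unfiltered_html' ) ) { /* run the raw_html setting through wp_kses_post() before storing */ }`, so that low-privilege roles (the default role list includes author and contributor) cannot persist script while trusted users keep raw output. If the render-time filter is kept as defence in depth, add a comment stating that it intentionally neuters the addon for all users so the behaviour is not mistaken for a bug.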
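Review bot: `sanitize_text_field( $settings['text'] )` strips every tag and collapses line breaks, so if the text block's editor produces rich text (paragraphs, links, emphasis — plausible for a block named text_block, though the settings UI is outside this hunk) the stored formatting is discarded at render. The accordion and raw_html changes in this same commit use `wp_kses_post()` for equivalent content; for consistency, and to preserve formatting while still blocking script, use `$text = isset($settings['text']) ? wp_kses_post( $settings['text'] ) : '';`. If the field really is plain text, the value still needs `esc_html()` where it is emitted, because sanitize_text_field does not HTML-encode.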
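Review bot: `"react-dnd-html5-backend": "github:themeum/react-dnd-html5-backend"` points at a mutable branch head with no ref, and the accompanying lockfile entry drops the `integrity` field, so a fresh install resolves whatever that repository serves at the time and nothing verifies the download — a supply-chain weak point for code that ships in the plugin's admin bundle. Pin the ref to the commit the lockfile already records: `"react-dnd-html5-backend": "github:themeum/react-dnd-html5-backend#3a866aac80eec2693005e66faa122d0f32981705"`. Longer term, publish the fork to the registry or vendor the built file so an integrity hash is available again.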
@@ -138,10 +138,9 @@ public function wppb_page_save(){
 if ( ! $wp_filesystem ) {
 require_once( ABSPATH . 'wp-admin/includes/file.php' );
 }
-
 $page_id = (int) sanitize_text_field($_POST['page_id']);
 $page_builder_data = $_POST['page_builder_data'];
- $wppb_page_css = stripslashes($_POST['wppb_page_css']);
+ $wppb_page_css = wp_kses_post( stripslashes( $_POST['wppb_page_css'] ) );
 $wppb_page_css = $wppb_page_css . $this->get_content_common_css();
 $wppb_page_css = $this->move_import_url_to_top_css($wppb_page_css);
diff --git a/wp-pagebuilder.php b/wp-pagebuilder.php
index 0e0d030..1da15eb 100644
--- a/wp-pagebuilder.php
+++ b/wp-pagebuilder.php
@@ -3,7 +3,7 @@
 * Plugin Name: WP Page Builder
 * Plugin URI: https://www.themeum.com/product/wp-pagebuilder/
 * Description: WP Page Builder is a FREE drag & drop website building tool for WordPress. This plugin lets you develop a wonderful site in minutes without any coding.
- * Version: 1.2.3
+ * Version: 1.2.4
 * Author: Themeum.com
 * Author URI: https://themeum.com
 * Text Domain: wp-pagebuilder From 56b4f2688e5fe9ce65db67a7abb044c6571933a4 Mon Sep 17 00:00:00 2001 From: Zaman Date: Thu, 18 Mar 2021 12:22:17 +0600 Subject: [PATCH 04/21] Version updated to 1.2.4 --- classes/Helper.php | 2 +- readme.txt | 9 +++++++-- 2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/classes/Helper.php b/classes/Helper.php
index a2e6c73..96cf7d6 100644
--- a/classes/Helper.php
+++ b/classes/Helper.php
@@ -170,7 +170,7 @@ public function can_edit_editor() {
 $wppb_options = $this->wppb_options();
- $included_users_roles = $wppb_options['include_role'];
+ $included_users_roles = isset( $wppb_options['include_role'] ) ? $wppb_options['include_role'] : array();
 $bool = false;
diff --git a/readme.txt b/readme.txt
index bcac6c1..34c3b48 100644
--- a/readme.txt
+++ b/readme.txt
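Review bot: `wp_kses_post()` is an HTML filter, not a CSS one: on `$wppb_page_css` it rewrites entities and strips anything that looks like a tag, which can corrupt legitimate stylesheets (`content: "<"`, `url()` values containing `&`), while the one thing that matters when this CSS is later emitted inside a `<style>` element — a `</style>` breakout — is better handled by rejecting the input than by silently rewriting it. Core's custom-CSS path uses `wp_strip_all_tags()` together with a structural check that refuses any `</?\w+` sequence; mirror that here and return an error to the client on failure rather than storing an altered stylesheet. `$page_builder_data = $_POST['page_builder_data'];` is still stored with no filtering at all, even though the 1.2.4 changelog in this series says Raw HTML data is filtered before saving. The start of wppb_page_save() is outside the hunk, so I cannot see whether a nonce and `current_user_can( 'edit_post', $page_id )` are verified before these writes; if they are not, both must be added ahead of the first `$_POST` read.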
@@ -3,9 +3,9 @@ Contributors: themeum Donate link: https://www.themeum.com Tags: page builder, website builder, live editor, wp page builder, drag and drop editor, responsive, site editor, editor, drag-and-drop, visual editor, landing page, frontend editor, wordpress page builder, free page builder, layout builder Requires at least: 5.0 -Tested up to: 5.4 +Tested up to: 5.7 Requires PHP: 7.0 -Stable tag: 1.2.3 +Stable tag: 1.2.4 License: GPLv3 License URI: https://www.gnu.org/licenses/gpl-3.0.html @@ -237,6 +237,11 @@ If any bug is found, Please let us know by posting on the support section of thi == Changelog == += 1.2.4 - March 17, 2021 = +Update: Changed the User Role select box with proper privileges and defaults +Fix: Filtering of Pagebuilder addon data for Raw HTML before saving to DB +Fix: Sanitization and Escaping of user inputs + = 1.2.3 - April 9, 2020 = Fix: Undefined function get_current_screen issue Fix: Support and documentation broken link issue From 33ce204c7e2afe58430f983784433914115fc313 Mon Sep 17 00:00:00 2001 From: Zaman Date: Mon, 22 Mar 2021 15:35:01 +0600 Subject: [PATCH 05/21] CSS issue fix --- assets/css/wppb-backend.css | 4 +++- assets/js/wppb-backend.js | 6 +----- classes/Ajax.php | 28 +++++++++++++++++++++++++++- classes/Editor_Management.php | 4 ++-- readme.txt | 5 ++++- wp-pagebuilder.php | 4 ++-- 6 files changed, 39 insertions(+), 12 deletions(-) diff --git a/assets/css/wppb-backend.css b/assets/css/wppb-backend.css index df20383..15fc955 100644 --- a/assets/css/wppb-backend.css +++ b/assets/css/wppb-backend.css @@ -108,6 +108,9 @@ body.currently-activated-editor-wppb_builder_activated div#wp-pagebuilder-switch } .edit-with-wppb-builder { transition: 400ms; + display: flex; + align-items: center; + justify-content: center; } .wppb-editor-warper .edit-with-wppb-builder.components-button{ line-height: 33px !important; 
@@ -128,7 +131,6 @@ body.currently-activated-editor-wppb_builder_activated div#wp-pagebuilder-switch } .wppb-editor-warper .wppb-back-to-gutenberg i.dashicons { - line-height: 35px; margin-right: 3px; } diff --git a/assets/js/wppb-backend.js b/assets/js/wppb-backend.js index fe1216f..4973d82 100644 --- a/assets/js/wppb-backend.js +++ b/assets/js/wppb-backend.js @@ -78,7 +78,7 @@ jQuery(document).ready(function($){ let isBtnExists = this.toolbarSelector.find('#wppb-edit-with-btn-in-gutenberg-toolbar').length; let btnHtmlWrap = $('#wppb-edit-with-btn-in-gutenberg-toolbar'); if (!isBtnExists && btnHtmlWrap.length) { - $('.edit-post-header-toolbar').append(btnHtmlWrap.html()); + $('.edit-post-header__toolbar').append(btnHtmlWrap.html()); } }, addSwitchTemplate: function(){ @@ -111,11 +111,7 @@ jQuery(document).ready(function($){ last_editor : 'gutenberg', }, }); - }); - - - }); diff --git a/classes/Ajax.php b/classes/Ajax.php index 64cafa6..5fee9a3 100644 --- a/classes/Ajax.php +++ b/classes/Ajax.php @@ -129,6 +129,31 @@ public static function get_content_common_css(){ return $css; } + /** + * Validate CSS. + * + * Checks for imbalanced braces, brackets, and comments. + * Notifications are rendered when the customizer state is saved. + * + * @since 4.7.0 + * @since 4.9.0 Checking for balanced characters has been moved client-side via linting in code editor. + * + * @param string $css The input string. + * @return true|WP_Error True if the input was validated, otherwise WP_Error. + */ + public function validate( $css ) { + $validity = new WP_Error(); + + if ( preg_match( '#add( 'illegal_markup', __( 'Markup is not allowed in CSS.' ) ); + } + + if ( ! $validity->has_errors() ) { + $validity = $this->validate( $css ); + } + return $validity; + } + /** * Save Page Builder data wp post meta 
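Review bot: `validate()` calls `$this->validate( $css )` from inside itself whenever the markup check passes, so any CSS that contains no tag-like sequence recurses until PHP exhausts the stack — the method is lifted from `WP_Customize_Custom_CSS_Setting::validate()`, where that line reads `parent::validate( $css )`. Replace the recursive call with a plain return, and return `true` on success as the docblock promises instead of an empty `WP_Error`: `if ( $validity->has_errors() ) { return $validity; } return true;`. The `@since 4.7.0` / `@since 4.9.0` lines refer to WordPress core releases and should carry this plugin's version, and `__( 'Markup is not allowed in CSS.' )` needs the `wp-pagebuilder` text domain. The regex literal is truncated in this view (`preg_match( '#add(`), so confirm the pattern is core's `'#</?\w+#'`.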
@@ -140,7 +165,8 @@ public function wppb_page_save(){ } $page_id = (int) sanitize_text_field($_POST['page_id']); $page_builder_data = $_POST['page_builder_data']; - $wppb_page_css = wp_kses_post( stripslashes( $_POST['wppb_page_css'] ) ); + $wppb_page_css = strip_tags( $_POST['wppb_page_css'], '