From 6199f892091be5279eb03fd9455184c3dd3ec03d Mon Sep 17 00:00:00 2001 From: vnmedeiros Date: Wed, 18 May 2022 17:58:18 -0300 Subject: [PATCH 01/17] fix: remove `curl_exec` --- src/classes/class-tainacan-media.php | 53 +++------------------------- 1 file changed, 5 insertions(+), 48 deletions(-) diff --git a/src/classes/class-tainacan-media.php b/src/classes/class-tainacan-media.php index 87412b9e7..0b008e627 100644 --- a/src/classes/class-tainacan-media.php +++ b/src/classes/class-tainacan-media.php @@ -103,54 +103,11 @@ class Media { * @return string the file path */ public function save_remote_file($url) { - set_time_limit(0); - - $filename = tempnam(sys_get_temp_dir(), basename($url)); - - # Open the file for writing... - self::$file_handle = fopen($filename, 'w+'); - self::$file_name = $filename; - - $callback = function ($ch, $str) { - $len = fwrite(self::$file_handle, $str); - return $len; - }; - - $ch = curl_init(); - curl_setopt($ch, CURLOPT_URL, $url); - curl_setopt($ch, CURLOPT_FILE, self::$file_handle); - curl_setopt($ch, CURLOPT_HEADER, 0); - curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); - curl_setopt($ch, CURLOPT_BINARYTRANSFER, true); - curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true); # optional - curl_setopt($ch, CURLOPT_TIMEOUT, -1); # optional: -1 = unlimited, 3600 = 1 hour - curl_setopt($ch, CURLOPT_VERBOSE, false); # Set to true to see all the innards - - # Only if you need to bypass SSL certificate validation - curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false); - curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); - - # Assign a callback function to the CURL Write-Function - curl_setopt($ch, CURLOPT_WRITEFUNCTION, $callback); - - # Execute the download - note we DO NOT put the result into a variable! - curl_exec($ch); - if (curl_errno($ch)) { - $error_msg = curl_error($ch); - # Close CURL - curl_close($ch); - # Close the file pointer - fclose(self::$file_handle); - throw new \Exception( "[save_remote_file]:" . $error_msg); - } - - # Close CURL - curl_close($ch); - - # Close the file pointer - fclose(self::$file_handle); - - return $filename; + $filename = download_url($url, 900); + if( is_wp_error($filename) ) { + throw new \Exception( "[save_remote_file]:" . implode("\n", $filename->get_error_messages())); + } + return $filename; } From a7de746a6c35834bc1b6d321605bf76a2be9ce33 Mon Sep 17 00:00:00 2001 From: vnmedeiros Date: Wed, 18 May 2022 18:11:02 -0300 Subject: [PATCH 02/17] fix not using `file_get_contents` to get remote files --- .../class-tainacan-rest-items-controller.php | 7 ++++- .../class-tainacan-flickr-importer.php | 18 +++++++++---- .../importer/class-tainacan-test-importer.php | 4 ++- .../class-tainacan-youtube-importer.php | 26 ++++++++++++++----- 4 files changed, 41 insertions(+), 14 deletions(-) diff --git a/src/classes/api/endpoints/class-tainacan-rest-items-controller.php b/src/classes/api/endpoints/class-tainacan-rest-items-controller.php index 2220cb62d..d7232d2f9 100644 --- a/src/classes/api/endpoints/class-tainacan-rest-items-controller.php +++ b/src/classes/api/endpoints/class-tainacan-rest-items-controller.php @@ -1383,7 +1383,12 @@ class REST_Items_Controller extends REST_Controller { ], 400); } $secret_key = get_option("tnc_option_recaptch_secret_key"); - $response = json_decode(file_get_contents("https://www.google.com/recaptcha/api/siteverify?secret=$secret_key&response=".$captcha_data."&remoteip=".$_SERVER['REMOTE_ADDR'])); + $api_url = "https://www.google.com/recaptcha/api/siteverify?secret=$secret_key&response=".$captcha_data."&remoteip=".$_SERVER['REMOTE_ADDR']; + + $response = wp_remote_get( $api_url ); + $body = wp_remote_retrieve_body( $response ); + $response = json_decode($body); + if ($response->success) { return true; } else { diff --git a/src/classes/importer/class-tainacan-flickr-importer.php b/src/classes/importer/class-tainacan-flickr-importer.php index 9865c2891..920c212ff 100644 --- a/src/classes/importer/class-tainacan-flickr-importer.php +++ b/src/classes/importer/class-tainacan-flickr-importer.php @@ -188,7 +188,9 @@ class Flickr_Importer extends Importer { $this->add_log('url ' . $api_url); - $json = json_decode(file_get_contents($api_url)); + $response = wp_remote_get( $api_url ); + $body = wp_remote_retrieve_body( $response ); + $json = json_decode($body); if( $json && isset($json->photoset) ){ return $json; } @@ -203,7 +205,10 @@ class Flickr_Importer extends Importer { $this->add_log('url ' . $api_url); - $json = json_decode(file_get_contents($api_url)); + $response = wp_remote_get( $api_url ); + $body = wp_remote_retrieve_body( $response ); + $json = json_decode($body); + if( $json && isset($json->photos) ){ return $json; @@ -218,7 +223,9 @@ class Flickr_Importer extends Importer { $this->add_log('url ' . $api_url); - $json = json_decode(file_get_contents($api_url)); + $response = wp_remote_get( $api_url ); + $body = wp_remote_retrieve_body( $response ); + $json = json_decode($body); if( $json && isset($json->photo) ){ return $json; @@ -428,8 +435,9 @@ class Flickr_Importer extends Importer { . $id . $this->format; $this->add_log('url ' . $api_url); - - $json = json_decode(file_get_contents($api_url)); + $response = wp_remote_get( $api_url ); + $body = wp_remote_retrieve_body( $response ); + $json = json_decode($body); if( $json && isset($json->photo) ){ return $json; diff --git a/src/classes/importer/class-tainacan-test-importer.php b/src/classes/importer/class-tainacan-test-importer.php index 8494244c1..08ef31fc3 100644 --- a/src/classes/importer/class-tainacan-test-importer.php +++ b/src/classes/importer/class-tainacan-test-importer.php @@ -649,8 +649,10 @@ class Test_Importer extends Importer { $keyword = ( $this->get_option('keyword_images') ) ? $this->get_option('keyword_images') : ''; $url = "https://loremflickr.com/$horizontal_size/$vertical_size/$keyword"; + $response = wp_remote_get( $url ); + $content = wp_remote_retrieve_body( $response ); - $id = $TainacanMedia->insert_attachment_from_blob(file_get_contents($url), time() . '.jpg', $inserted_item->get_id()); + $id = $TainacanMedia->insert_attachment_from_blob($content, time() . '.jpg', $inserted_item->get_id()); if(!$id){ $this->add_error_log('Error in imported URL ' . $url); diff --git a/src/classes/importer/class-tainacan-youtube-importer.php b/src/classes/importer/class-tainacan-youtube-importer.php index f058f5d49..9c598276e 100644 --- a/src/classes/importer/class-tainacan-youtube-importer.php +++ b/src/classes/importer/class-tainacan-youtube-importer.php @@ -231,7 +231,9 @@ class Youtube_Importer extends Importer { $api_url = 'https://www.googleapis.com/youtube/v3/channels?part=statistics,snippet,contentDetails&id=' . $id . '&key=' . $api_key; - $json = json_decode(file_get_contents($api_url)); + $response = wp_remote_get( $api_url ); + $body = wp_remote_retrieve_body( $response ); + $json = json_decode($body); if( $json && isset($json->items) ){ $item = $json->items[0]; @@ -239,7 +241,9 @@ class Youtube_Importer extends Importer { . $pageToken . '&maxResults=1&playlistId=' . $item->contentDetails->relatedPlaylists->uploads . '&key=' . $api_key; - $json = json_decode(file_get_contents($api_url)); + $response = wp_remote_get( $api_url ); + $body = wp_remote_retrieve_body( $response ); + $json = json_decode($body); if( $json && isset($json->items) ){ return $json; @@ -251,8 +255,10 @@ class Youtube_Importer extends Importer { case 'user': $api_url = 'https://www.googleapis.com/youtube/v3/channels?part=statistics,snippet,contentDetails&forUsername=' . $id . '&key=' . $api_key; - - $json = json_decode(file_get_contents($api_url)); + + $response = wp_remote_get( $api_url ); + $body = wp_remote_retrieve_body( $response ); + $json = json_decode($body); if( $json && isset($json->items) ){ $item = $json->items[0]; @@ -260,7 +266,9 @@ class Youtube_Importer extends Importer { . $pageToken . '&maxResults=1&playlistId=' . $item->contentDetails->relatedPlaylists->uploads . '&key=' . $api_key; - $json = json_decode(file_get_contents($api_url)); + $response = wp_remote_get( $api_url ); + $body = wp_remote_retrieve_body( $response ); + $json = json_decode($body); if( $json && isset($json->items) ){ return $json; @@ -274,7 +282,9 @@ class Youtube_Importer extends Importer { . $pageToken . '&maxResults=1&playlistId=' . $id . '&key=' . $api_key; - $json = json_decode(file_get_contents($api_url)); + $response = wp_remote_get( $api_url ); + $body = wp_remote_retrieve_body( $response ); + $json = json_decode($body); if( $json && isset($json->items) ){ return $json; @@ -285,7 +295,9 @@ class Youtube_Importer extends Importer { $api_url = 'https://www.googleapis.com/youtube/v3/videos?part=snippet%2CcontentDetails&maxResults=1&id=' . $id . '&key=' . $api_key; - $json = json_decode(file_get_contents($api_url)); + $response = wp_remote_get( $api_url ); + $body = wp_remote_retrieve_body( $response ); + $json = json_decode($body); if( $json && isset($json->items) ){ return $json; From 66fa425cc7ca017a46c6e36c259e17a60186f639 Mon Sep 17 00:00:00 2001 From: vnmedeiros Date: Wed, 18 May 2022 21:40:54 -0300 Subject: [PATCH 03/17] fix: remove require `wp-blog-header.php` --- src/classes/importer/import.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/classes/importer/import.php b/src/classes/importer/import.php index d14e23c0d..0be1f3c3b 100644 --- a/src/classes/importer/import.php +++ b/src/classes/importer/import.php @@ -64,7 +64,7 @@ class ScriptTainacanOld { define( 'WP_USE_THEMES', false ); define( 'SHORTINIT', false ); - require( dirname(__FILE__) . '/../../../../wp-blog-header.php' ); + // require( dirname(__FILE__) . '/../../../../wp-blog-header.php' ); $old_tainacan = new \Tainacan\Importer\Old_Tainacan(); $id = $old_tainacan->get_id(); From bcc4a6b57fdab80076ea7db6eb14b0420bf79791 Mon Sep 17 00:00:00 2001 From: vnmedeiros Date: Wed, 18 May 2022 22:28:27 -0300 Subject: [PATCH 04/17] fix: sanitized and escaped input and output --- src/classes/class-tainacan-media.php | 2 +- src/classes/class-tainacan-private-files.php | 6 +++--- src/classes/exporter/class-tainacan-csv.php | 4 ++-- .../exporter/class-tainacan-term-exporter.php | 4 ++-- .../exposers/class-tainacan-exposers-handler.php | 2 +- src/classes/importer/class-tainacan-csv.php | 8 ++++---- .../importer/class-tainacan-test-importer.php | 12 ++++++------ .../importer/class-tainacan-youtube-importer.php | 2 +- .../class-tainacan-term-importer.php | 4 ++-- src/classes/theme-helper/template-tags.php | 16 ++++++++-------- src/views/class-tainacan-admin.php | 6 +++--- 11 files changed, 33 insertions(+), 33 deletions(-) diff --git a/src/classes/class-tainacan-media.php b/src/classes/class-tainacan-media.php index 0b008e627..e8867d681 100644 --- a/src/classes/class-tainacan-media.php +++ b/src/classes/class-tainacan-media.php @@ -338,7 +338,7 @@ class Media { } - echo $output; + echo wp_kses_post($output); exit(); diff --git a/src/classes/class-tainacan-private-files.php b/src/classes/class-tainacan-private-files.php index 9e489b2b6..160525220 100644 --- a/src/classes/class-tainacan-private-files.php +++ b/src/classes/class-tainacan-private-files.php @@ -117,12 +117,12 @@ class Private_Files { // regular ajax uploads via Admin Panel will send post_id if ( isset($_REQUEST['post_id']) && $_REQUEST['post_id'] ) { - $post_id = $_REQUEST['post_id']; + $post_id = sanitize_text_field($_REQUEST['post_id']); } // API requests to media endpoint will send post if ( false === $post_id && isset($_REQUEST['post']) && is_numeric($_REQUEST['post']) ) { - $post_id = $_REQUEST['post']; + $post_id = sanitize_text_field($_REQUEST['post']); } // tainacan internals, scripts and tests, will set this global @@ -191,7 +191,7 @@ class Private_Files { $upload_dir = wp_get_upload_dir(); $base_upload_url = preg_replace('/^https?:\/\//', '', $upload_dir['baseurl']); - $requested_uri = $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI']; + $requested_uri = sanitize_text_field($_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI']); if ( strpos($requested_uri, $base_upload_url) === false ) { // Not uploads diff --git a/src/classes/exporter/class-tainacan-csv.php b/src/classes/exporter/class-tainacan-csv.php index a9bab17cf..6b277b7c5 100644 --- a/src/classes/exporter/class-tainacan-csv.php +++ b/src/classes/exporter/class-tainacan-csv.php @@ -312,7 +312,7 @@ class CSV extends Exporter {
- +
@@ -334,7 +334,7 @@ class CSV extends Exporter {
- +
diff --git a/src/classes/exporter/class-tainacan-term-exporter.php b/src/classes/exporter/class-tainacan-term-exporter.php index 7fe612680..552382c8f 100644 --- a/src/classes/exporter/class-tainacan-term-exporter.php +++ b/src/classes/exporter/class-tainacan-term-exporter.php @@ -98,7 +98,7 @@ class Term_Exporter extends Exporter {
- +
@@ -127,7 +127,7 @@ class Term_Exporter extends Exporter { $taxonomies = $Tainacan_Taxonomies->fetch( ['nopaging' => true], 'OBJECT' ); foreach( $taxonomies as $taxonomie) { ?> - + diff --git a/src/classes/exposers/class-tainacan-exposers-handler.php b/src/classes/exposers/class-tainacan-exposers-handler.php index 28bdee911..249412484 100644 --- a/src/classes/exposers/class-tainacan-exposers-handler.php +++ b/src/classes/exposers/class-tainacan-exposers-handler.php @@ -148,7 +148,7 @@ class Exposers_Handler { $type_responde = $exposer->rest_request_after_callbacks($response, $handler, $request); if(self::request_has_url_param($request)) { header(implode('', $response->get_headers())); - echo stripcslashes($response->get_data()); + echo esc_attr(stripcslashes($response->get_data())); exit(); } return $type_responde; diff --git a/src/classes/importer/class-tainacan-csv.php b/src/classes/importer/class-tainacan-csv.php index 9322d8f79..fea113b08 100644 --- a/src/classes/importer/class-tainacan-csv.php +++ b/src/classes/importer/class-tainacan-csv.php @@ -334,7 +334,7 @@ class CSV extends Importer {
- +
@@ -357,7 +357,7 @@ class CSV extends Importer {
- +
@@ -410,7 +410,7 @@ class CSV extends Importer {
- +
@@ -467,7 +467,7 @@ class CSV extends Importer {
- +

: on this link.', 'tainacan')); ?> diff --git a/src/classes/importer/class-tainacan-test-importer.php b/src/classes/importer/class-tainacan-test-importer.php index 08ef31fc3..0e4d6b948 100644 --- a/src/classes/importer/class-tainacan-test-importer.php +++ b/src/classes/importer/class-tainacan-test-importer.php @@ -125,7 +125,7 @@ class Test_Importer extends Importer {

- +
@@ -149,7 +149,7 @@ class Test_Importer extends Importer {
- +
@@ -204,7 +204,7 @@ class Test_Importer extends Importer {
- +
@@ -266,7 +266,7 @@ class Test_Importer extends Importer {
- +
@@ -290,7 +290,7 @@ class Test_Importer extends Importer {
- +
@@ -312,7 +312,7 @@ class Test_Importer extends Importer {
- +
diff --git a/src/classes/importer/class-tainacan-youtube-importer.php b/src/classes/importer/class-tainacan-youtube-importer.php index 9c598276e..7ce7751b7 100644 --- a/src/classes/importer/class-tainacan-youtube-importer.php +++ b/src/classes/importer/class-tainacan-youtube-importer.php @@ -411,7 +411,7 @@ class Youtube_Importer extends Importer {

- +
diff --git a/src/classes/importer/term-importer/class-tainacan-term-importer.php b/src/classes/importer/term-importer/class-tainacan-term-importer.php index 2309200b5..a97d2c4cb 100644 --- a/src/classes/importer/term-importer/class-tainacan-term-importer.php +++ b/src/classes/importer/term-importer/class-tainacan-term-importer.php @@ -60,7 +60,7 @@ class Term_Importer extends Importer {
- +
@@ -101,7 +101,7 @@ class Term_Importer extends Importer { - + diff --git a/src/classes/theme-helper/template-tags.php b/src/classes/theme-helper/template-tags.php index 1308d9995..85ec5071e 100644 --- a/src/classes/theme-helper/template-tags.php +++ b/src/classes/theme-helper/template-tags.php @@ -472,37 +472,37 @@ function tainacan_get_the_media_component_slide( $args = array() ) {
- + <?php echo ( !empty($args['media_title']) ? $args['media_title'] : __('File', 'tainacan') ) ?> - + -
+
- +
- +
- +
- + @@ -869,7 +869,7 @@ function tainacan_the_item_edit_link( $text = null, $before = '', $after = '', $ $text = __( 'Edit this item', 'tainacan' ); } - $link = '' . $text . ''; + $link = '' . $text . ''; echo $before . $link . $after; } diff --git a/src/views/class-tainacan-admin.php b/src/views/class-tainacan-admin.php index 86971ea38..5867a599f 100644 --- a/src/views/class-tainacan-admin.php +++ b/src/views/class-tainacan-admin.php @@ -402,9 +402,9 @@ class Admin { function ajax_sample_permalink(){ - $id = $_POST['post_id']; - $title = $_POST['new_title']; - $name = $_POST['new_slug']; + $id = sanitize_text_field($_POST['post_id']); + $title = sanitize_text_field($_POST['new_title']); + $name = sanitize_text_field($_POST['new_slug']); $post = get_post( $id ); if ( ! $post ) From e8bb161a643241ea692335197649ee92a296c364 Mon Sep 17 00:00:00 2001 From: vnmedeiros Date: Wed, 18 May 2022 23:16:05 -0300 Subject: [PATCH 05/17] fix: add allowed html in `media_component_slide` --- src/classes/theme-helper/template-tags.php | 24 ++++++++++++++-------- 1 file changed, 16 insertions(+), 8 deletions(-) diff --git a/src/classes/theme-helper/template-tags.php b/src/classes/theme-helper/template-tags.php index 85ec5071e..1b601c2e3 100644 --- a/src/classes/theme-helper/template-tags.php +++ b/src/classes/theme-helper/template-tags.php @@ -464,6 +464,14 @@ function tainacan_get_the_media_component_slide( $args = array() ) { 'media_type' => '' ), $args); + $allowed_html = wp_kses_allowed_html('post'); + $allowed_html['iframe'] = array( + 'src' => true, + 'height' => true, + 'width' => true, + 'frameborder' => true, + 'allowfullscreen' => true, + ); ob_start(); ?> @@ -472,37 +480,37 @@ function tainacan_get_the_media_component_slide( $args = array() ) {
- + <?php echo ( !empty($args['media_title']) ? $args['media_title'] : __('File', 'tainacan') ) ?> - + -
+
- +
- +
- +
- + @@ -869,7 +877,7 @@ function tainacan_the_item_edit_link( $text = null, $before = '', $after = '', $ $text = __( 'Edit this item', 'tainacan' ); } - $link = '' . $text . ''; + $link = '' . $text . ''; echo $before . $link . $after; } From 1266b88960c673b7ef253ae74656f353aaad9bc4 Mon Sep 17 00:00:00 2001 From: vnmedeiros Date: Wed, 18 May 2022 23:25:03 -0300 Subject: [PATCH 06/17] release: update version --- src/readme.txt | 2 +- src/tainacan.php | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/readme.txt b/src/readme.txt index ab71742b6..36a9624b3 100644 --- a/src/readme.txt +++ b/src/readme.txt @@ -4,7 +4,7 @@ Tags: museums, libraries, archives, GLAM, collections, repository Requires at least: 5.0 Tested up to: 5.9 Requires PHP: 5.6 -Stable tag: 0.18.8 +Stable tag: 0.18.9 License: GPLv2 or later License URI: http://www.gnu.org/licenses/gpl-3.0.html diff --git a/src/tainacan.php b/src/tainacan.php index 919fee6aa..92be73570 100644 --- a/src/tainacan.php +++ b/src/tainacan.php @@ -4,17 +4,17 @@ Plugin Name: Tainacan Plugin URI: https://tainacan.org/ Description: Open source, powerful and flexible repository platform for WordPress. Manage and publish you digital collections as easily as publishing a post to your blog, while having all the tools of a professional repository platform. Author: Tainacan.org -Version: 0.18.8 +Version: 0.18.9 Requires at least: 5.0 Tested up to: 5.9 Requires PHP: 5.6 -Stable tag: 0.18.8 +Stable tag: 0.18.9 Text Domain: tainacan License: GPLv2 or later License URI: http://www.gnu.org/licenses/gpl-3.0.html */ -const TAINACAN_VERSION = '0.18.8'; +const TAINACAN_VERSION = '0.18.9'; defined( 'ABSPATH' ) or die( 'No script kiddies please!' ); $TAINACAN_BASE_URL = plugins_url('', __FILE__); From 31b1670497866a16dcb19a689a502c51d0c4796d Mon Sep 17 00:00:00 2001 From: vnmedeiros Date: Fri, 20 May 2022 15:23:39 -0300 Subject: [PATCH 07/17] fix: echos --- .../theme-helper/class-tainacan-theme-helper.php | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/src/classes/theme-helper/class-tainacan-theme-helper.php b/src/classes/theme-helper/class-tainacan-theme-helper.php index 2867d94c6..03d43728f 100644 --- a/src/classes/theme-helper/class-tainacan-theme-helper.php +++ b/src/classes/theme-helper/class-tainacan-theme-helper.php @@ -680,7 +680,7 @@ class Theme_Helper { $logo = get_template_directory_uri() . '/assets/images/social-logo.png'; $excerpt = get_bloginfo( 'description' ); - $url_src = (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on' ? "https" : "http") . "://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]"; + $url_src = esc_url((isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on' ? "https" : "http") . "://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]"); global $wp; if ( is_post_type_archive() ) { @@ -749,13 +749,13 @@ class Theme_Helper { ?> - - - - - - - + + + + + + + Date: Fri, 20 May 2022 16:07:22 -0300 Subject: [PATCH 08/17] Espaces several 'echos' in the template tags file. --- src/classes/theme-helper/template-tags.php | 64 +++++++++++----------- 1 file changed, 33 insertions(+), 31 deletions(-) diff --git a/src/classes/theme-helper/template-tags.php b/src/classes/theme-helper/template-tags.php index 1b601c2e3..d3a4a5e2c 100644 --- a/src/classes/theme-helper/template-tags.php +++ b/src/classes/theme-helper/template-tags.php @@ -347,75 +347,75 @@ function tainacan_get_the_media_component( tainacan_plugin = {}; } tainacan_plugin.tainacan_media_components = (typeof tainacan_plugin.tainacan_media_components != "undefined") ? tainacan_plugin.tainacan_media_components : {}; - tainacan_plugin.tainacan_media_components[''] = ; + tainacan_plugin.tainacan_media_components[''] = ; -
+
- -
+ +
- -
    + +
      -
    • - +
    • +
    - + -
    +
    -
    -
    +
    +
- + - -
+ +
- -
    + +
      -
    • - +
    • +
    - + -
    +
    -
    -
    +
    +
- +
@@ -475,14 +475,14 @@ function tainacan_get_the_media_component_slide( $args = array() ) { ob_start(); ?> - + -
+
- <?php echo ( !empty($args['media_title']) ? $args['media_title'] : __('File', 'tainacan') ) ?> + <?php echo ( !empty($args['media_title']) ? esc_attr($args['media_title']) : __('File', 'tainacan') ) ?> @@ -510,14 +510,16 @@ function tainacan_get_the_media_component_slide( $args = array() ) { - + - +
- + ' . $text . ''; - echo $before . $link . $after; + echo esc_html($before . $link . $after); } /** From 53ec6cdccff15429b8893408c3447cbf43187b62 Mon Sep 17 00:00:00 2001 From: mateuswetah Date: Fri, 20 May 2022 17:43:18 -0300 Subject: [PATCH 09/17] MORE escapes before echoes. --- src/classes/entities/class-tainacan-item.php | 10 ++-- .../class-tainacan-term-importer.php | 2 +- .../class-tainacan-theme-helper.php | 6 +-- src/classes/theme-helper/template-tags.php | 52 +++++++++---------- .../compound/class-tainacan-compound.php | 4 +- .../class-tainacan-relationship.php | 6 +-- 6 files changed, 40 insertions(+), 40 deletions(-) diff --git a/src/classes/entities/class-tainacan-item.php b/src/classes/entities/class-tainacan-item.php index 4a035b84e..e2811e78e 100644 --- a/src/classes/entities/class-tainacan-item.php +++ b/src/classes/entities/class-tainacan-item.php @@ -633,7 +633,7 @@ class Item extends Entity { } - return $return; + return wp_kses_post($return); } @@ -702,7 +702,7 @@ class Item extends Entity { } } - return $return; + return wp_kses_post($return); } @@ -772,7 +772,7 @@ class Item extends Entity { } - return apply_filters("tainacan-item-get-document-as-html", $output, $img_size, $this); + return apply_filters("tainacan-item-get-document-as-html", wp_kses_post($output), $img_size, $this); } @@ -807,7 +807,7 @@ class Item extends Entity { } } - return $output; + return wp_kses_post($output); } @@ -841,7 +841,7 @@ class Item extends Entity { } } - return $link; + return esc_url($link); } /** diff --git a/src/classes/importer/term-importer/class-tainacan-term-importer.php b/src/classes/importer/term-importer/class-tainacan-term-importer.php index a97d2c4cb..6e5481bb9 100644 --- a/src/classes/importer/term-importer/class-tainacan-term-importer.php +++ b/src/classes/importer/term-importer/class-tainacan-term-importer.php @@ -93,7 +93,7 @@ class Term_Importer extends Importer { $taxonomies = $Tainacan_Taxonomies->fetch( ['nopaging' => true], 'OBJECT' ); foreach( $taxonomies as $taxonomie) { ?> - + diff --git a/src/classes/theme-helper/class-tainacan-theme-helper.php b/src/classes/theme-helper/class-tainacan-theme-helper.php index 03d43728f..b628e333a 100644 --- a/src/classes/theme-helper/class-tainacan-theme-helper.php +++ b/src/classes/theme-helper/class-tainacan-theme-helper.php @@ -489,7 +489,7 @@ class Theme_Helper { } } - return "
"; + return wp_kses_post("
"); } function get_items_list_slug() { @@ -902,7 +902,7 @@ class Theme_Helper { $props .= (str_replace('_', '-', $key) . "='" . $value . "' "); } - return ""; + return wp_kses_post( "" ); } /** @@ -1092,7 +1092,7 @@ class Theme_Helper { $output .= '
'; - return $output; + return wp_kses_post( $output ); } /** diff --git a/src/classes/theme-helper/template-tags.php b/src/classes/theme-helper/template-tags.php index d3a4a5e2c..7956af9be 100644 --- a/src/classes/theme-helper/template-tags.php +++ b/src/classes/theme-helper/template-tags.php @@ -126,7 +126,7 @@ function tainacan_the_item_document_download_link($item_id = 0) { if (!$link || $item->get_document_type() == 'text' || $item->get_document_type() == 'url') return; - return '' . __('Download', 'tainacan') . ''; + return '' . __('Download', 'tainacan') . ''; } @@ -137,7 +137,7 @@ function tainacan_the_item_attachment_download_link($attachment_id) { $link = wp_get_attachment_url($attachment_id); - return '' . __('Download', 'tainacan') . ''; + return '' . __('Download', 'tainacan') . ''; } function tainacan_the_document() { @@ -212,7 +212,7 @@ function tainacan_get_the_collection_name() { if ( $collection ) { $name = $collection->get_name(); } - return apply_filters('tainacan-get-collection-name', $name, $collection); + return apply_filters('tainacan-get-collection-name', esc_html($name), $collection); } /** @@ -234,7 +234,7 @@ function tainacan_get_adjacent_items() { * @return void */ function tainacan_the_collection_name() { - echo tainacan_get_the_collection_name(); + echo esc_html(tainacan_get_the_collection_name()); } /** @@ -248,7 +248,7 @@ function tainacan_get_the_collection_description() { if ( $collection ) { $description = $collection->get_description(); } - return apply_filters('tainacan-get-collection-description', $description, $collection); + return apply_filters('tainacan-get-collection-description', esc_html($description), $collection); } /** @@ -257,7 +257,7 @@ function tainacan_get_the_collection_description() { * @return void */ function tainacan_the_collection_description() { - echo tainacan_get_the_collection_description(); + echo esc_html(tainacan_get_the_collection_description()); } /** @@ -355,19 +355,19 @@ function tainacan_get_the_media_component( - +
- +
  • - +
- + @@ -380,25 +380,25 @@ function tainacan_get_the_media_component(
- + - +
- +
  • - +
- + @@ -415,7 +415,7 @@ function tainacan_get_the_media_component(
- +
@@ -475,7 +475,7 @@ function tainacan_get_the_media_component_slide( $args = array() ) { ob_start(); ?> - +
@@ -515,11 +515,11 @@ function tainacan_get_the_media_component_slide( $args = array() ) {
- +
- + get_url(); } - return apply_filters('tainacan-get-collection-url', $url, $collection); + return apply_filters('tainacan-get-collection-url', esc_url($url), $collection); } @@ -620,7 +620,7 @@ function tainacan_get_the_collection_url() { * @return void */ function tainacan_the_collection_url() { - echo tainacan_get_the_collection_url(); + echo esc_url(tainacan_get_the_collection_url()); } @@ -744,7 +744,7 @@ function tainacan_get_the_term_name() { if ( $term ) { $name = $term->name; } - return apply_filters('tainacan-get-term-name', $name, $term); + return apply_filters('tainacan-get-term-name', esc_html($name), $term); } /** @@ -753,7 +753,7 @@ function tainacan_get_the_term_name() { * @return void */ function tainacan_the_term_name() { - echo tainacan_get_the_term_name(); + echo esc_html(tainacan_get_the_term_name()); } /** @@ -767,7 +767,7 @@ function tainacan_get_the_term_description() { if ( $term ) { $description = $term->description; } - return apply_filters('tainacan-get-term-description', $description, $term); + return apply_filters('tainacan-get-term-description', esc_html($description), $term); } /** @@ -776,7 +776,7 @@ function tainacan_get_the_term_description() { * @return void */ function tainacan_the_term_description() { - echo tainacan_get_the_term_description(); + echo esc_html(tainacan_get_the_term_description()); } /** @@ -881,7 +881,7 @@ function tainacan_the_item_edit_link( $text = null, $before = '', $after = '', $ $link = '' . $text . ''; - echo esc_html($before . $link . $after); + echo wp_kses_post($before . $link . $after); } /** diff --git a/src/views/admin/components/metadata-types/compound/class-tainacan-compound.php b/src/views/admin/components/metadata-types/compound/class-tainacan-compound.php index 64860514b..d0140a754 100644 --- a/src/views/admin/components/metadata-types/compound/class-tainacan-compound.php +++ b/src/views/admin/components/metadata-types/compound/class-tainacan-compound.php @@ -235,10 +235,10 @@ class Compound extends Metadata_Type { ?>

- get_metadatum()->get_name(); ?> + get_metadatum()->get_name()); ?>

- get_value_as_html(); ?> + get_value_as_html()); ?>

get_item_thumbnail($thumbnail_id, $item) : ''); ?>

- +

- get_metadatum()->get_name(); ?> + get_metadatum()->get_name()); ?>

- get_value_as_html() : $value_link); ?> + get_value_as_html() : $value_link)); ?>

Date: Mon, 23 May 2022 10:05:41 -0300 Subject: [PATCH 10/17] fix adding echo --- src/classes/exporter/class-tainacan-csv.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/classes/exporter/class-tainacan-csv.php b/src/classes/exporter/class-tainacan-csv.php index 6b277b7c5..ca174e622 100644 --- a/src/classes/exporter/class-tainacan-csv.php +++ b/src/classes/exporter/class-tainacan-csv.php @@ -312,7 +312,7 @@ class CSV extends Exporter {
- +
From 7383916f7f46d43bacb2de4ff674e3e5634bbab3 Mon Sep 17 00:00:00 2001 From: vnmedeiros Date: Mon, 23 May 2022 10:06:06 -0300 Subject: [PATCH 11/17] fix: remove env $_COOKIE --- src/classes/libs/wp-async-request.php | 1 - 1 file changed, 1 deletion(-) diff --git a/src/classes/libs/wp-async-request.php b/src/classes/libs/wp-async-request.php index 42f6d9ac0..cafb1eb68 100644 --- a/src/classes/libs/wp-async-request.php +++ b/src/classes/libs/wp-async-request.php @@ -130,7 +130,6 @@ 'timeout' => 0.01, 'blocking' => false, 'body' => $this->data, - 'cookies' => $_COOKIE, 'sslverify' => apply_filters( 'https_local_ssl_verify', false ), ); } From fbfd84c9c0f7e0db0a67a50862e892f29c71d413 Mon Sep 17 00:00:00 2001 From: vnmedeiros Date: Mon, 23 May 2022 17:05:22 -0300 Subject: [PATCH 12/17] fix: set allowed html in return theme helper --- .../class-tainacan-theme-helper.php | 114 +++++++++++++++--- 1 file changed, 97 insertions(+), 17 deletions(-) diff --git a/src/classes/theme-helper/class-tainacan-theme-helper.php b/src/classes/theme-helper/class-tainacan-theme-helper.php index b628e333a..25a6c0ff9 100644 --- a/src/classes/theme-helper/class-tainacan-theme-helper.php +++ b/src/classes/theme-helper/class-tainacan-theme-helper.php @@ -362,8 +362,6 @@ class Theme_Helper { } public function item_submission_shortcode($args) { - global $TAINACAN_BASE_URL; - $props = ' '; // Passes arguments to custom props @@ -377,7 +375,37 @@ class Theme_Helper { wp_enqueue_media(); - return "
"; + // $allowed_html = wp_kses_allowed_html('post'); + $allowed_html = [ + 'div' => [ + 'id' => true, + 'data-module' => true, + 'collection-id' => true, + 'hide-file-modal-button' => true, + 'hide-text-modal-button' => true, + 'hide-link-modal-button' => true, + 'hide-thumbnail-section' => true, + 'hide-attachments-section' => true, + 'show-allow-comments-section' => true, + 'hide-collapses' => true, + 'hide-help-buttons' => true, + 'hide-metadata-types' => true, + 'help-info-bellow-label' => true, + 'document-section-label' => true, + 'thumbnail-section-label' => true, + 'attachments-section-label' => true, + 'metadata-section-label' => true, + 'sent-form-heading' => true, + 'sent-form-message' => true, + 'item-link-button-label' => true, + 'show-item-link-button' => true, + 'show-terms-agreement-checkbox' => true, + 'terms-agreement-message' => true, + 'enabled-metadata' => true, + ] + ]; + + return wp_kses("
", $allowed_html); } /** @@ -489,7 +517,41 @@ class Theme_Helper { } } - return wp_kses_post("
"); + // $allowed_html = wp_kses_allowed_html('post'); + $allowed_html = [ + 'div' => [ + 'id' => true, + 'data-module' => true, + 'collection-id' => true, + 'term-id' => true, + 'taxonomy' => true, + 'default-view-mode' => true, + 'is-forced-view-mode' => true, + 'enabled-view-modes' => true, + 'default-order' => true, + 'default-orderby' => true, + 'hide-filters' => true, + 'hide-hide-filters-button' => true, + 'hide-search' => true, + 'hide-advanced-search' => true, + 'hide-displayed-metadata-button' => true, + 'hide-sorting-area' => true, + 'hide-items-thumbnail' => true, + 'hide-sort-by-button' => true, + 'hide-exposers-button' => true, + 'hide-items-per-page-button' => true, + 'hide-go-to-page-button' => true, + 'hide-pagination-area' => true, + 'default-items-per-page' => true, + 'show-filters-button-inside-search-control' => true, + 'start-with-filters-hidden' => true, + 'filters-as-modal' => true, + 'show-inline-view-mode-options' => true, + 'show-fullscreen-with-view-modes' => true + ] + ]; + + return wp_kses("
", $allowed_html); } function get_items_list_slug() { @@ -895,14 +957,22 @@ class Theme_Helper { unset($args['class_name']); // Builds parameters to the html div rendered by Vue + $allowed_html = [ + 'div' => [ + 'data-module' => true, + "id" => true + ] + ]; foreach ($args as $key => $value) { if (is_bool($value)) $value = $value ? 'true' : 'false'; // Changes from PHP '_' notation to HTML '-' notation - $props .= (str_replace('_', '-', $key) . "='" . $value . "' "); + $key_attr = str_replace('_', '-', $key); + $props .= "$key_attr='$value' "; + $allowed_html['div'][$key_attr] = true; } - return wp_kses_post( "" ); + return wp_kses( "", $allowed_html); } /** @@ -970,15 +1040,24 @@ class Theme_Helper { $args['class'] = $args['class_name'] . ' wp-block-tainacan-dynamic-items-list'; unset($args['class_name']); + // Builds parameters to the html div rendered by Vue + $allowed_html = [ + 'div' => [ + 'data-module' => true, + "id" => true + ] + ]; // Builds parameters to the html div rendered by Vue foreach ($args as $key => $value) { if (is_bool($value)) $value = $value ? 'true' : 'false'; // Changes from PHP '_' notation to HTML '-' notation - $props .= (str_replace('_', '-', $key) . "='" . $value . "' "); + $key_attr = str_replace('_', '-', $key); + $props .= "$key_attr='$value' "; + $allowed_html['div'][$key_attr] = true; } - return "
"; + return wp_kses("
", $allowed_html); } /** @@ -1000,9 +1079,6 @@ class Theme_Helper { * @return string The HTML div to be used for rendering the related items vue component */ public function get_tainacan_related_items_list($args = []) { - global $TAINACAN_BASE_URL; - global $TAINACAN_VERSION; - $defaults = array( 'class_name' => '', 'collection_heading_class_name' => '', @@ -1025,22 +1101,22 @@ class Theme_Helper { return; // Always pass the default class. We force passing the wp-block-tainacan-carousel-related-items because themes might have used it to style before the other layouts exist; - $output = '
'; + $output = '
'; foreach($related_items as $collection_id => $related_group) { if ( isset($related_group['items']) && isset($related_group['total_items']) && $related_group['total_items'] ) { - + $allowed_html = wp_kses_allowed_html( 'data' ); // Adds a heading with the collection name $collection_heading = ''; if ( isset($related_group['collection_name']) ) { - $collection_heading = '<' . $args['collection_heading_tag'] . ' class="' . $args['collection_heading_class_name'] . '">' . $related_group['collection_name'] . ''; + $collection_heading = wp_kses('<' . $args['collection_heading_tag'] . ' class="' . $args['collection_heading_class_name'] . '">' . $related_group['collection_name'] . '', $allowed_html); } // Adds a paragraph with the metadata name $metadata_label = ''; if ( isset($related_group['metadata_name']) ) { - $metadata_label = '<' . $args['metadata_label_tag'] . ' class="' . $args['metadata_label_class_name'] . '">' . $related_group['metadata_name'] . ''; + $metadata_label = wp_kses('<' . $args['metadata_label_tag'] . ' class="' . $args['metadata_label_class_name'] . '">' . $related_group['metadata_name'] . '', $allowed_html); } // Sets the carousel, from the items carousel template tag. @@ -1069,6 +1145,10 @@ class Theme_Helper { $output .= '
' . + /** + * Note to code reviewers: This lines doesn't need to be escaped. + * Functions get_tainacan_items_carousel() and get_tainacan_dynamic_items_list used here escape the return value. + */ $collection_heading . $metadata_label . $items_list_div . @@ -1076,7 +1156,7 @@ class Theme_Helper { $related_group['total_items'] > 1 ? '
- + ' . sprintf( __('View all %s related items', 'tainacan'), $related_group['total_items'] ) . '
@@ -1092,7 +1172,7 @@ class Theme_Helper { $output .= '
'; - return wp_kses_post( $output ); + return $output; } /** From ea7fc0d3038afa541d17028b6169b6bcb3a45f6a Mon Sep 17 00:00:00 2001 From: vnmedeiros Date: Mon, 23 May 2022 17:09:27 -0300 Subject: [PATCH 13/17] update version --- src/readme.txt | 2 +- src/tainacan.php | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/readme.txt b/src/readme.txt index 36a9624b3..df41373a4 100644 --- a/src/readme.txt +++ b/src/readme.txt @@ -4,7 +4,7 @@ Tags: museums, libraries, archives, GLAM, collections, repository Requires at least: 5.0 Tested up to: 5.9 Requires PHP: 5.6 -Stable tag: 0.18.9 +Stable tag: 0.18.10 License: GPLv2 or later License URI: http://www.gnu.org/licenses/gpl-3.0.html diff --git a/src/tainacan.php b/src/tainacan.php index 92be73570..2552c3831 100644 --- a/src/tainacan.php +++ b/src/tainacan.php @@ -4,17 +4,17 @@ Plugin Name: Tainacan Plugin URI: https://tainacan.org/ Description: Open source, powerful and flexible repository platform for WordPress. Manage and publish you digital collections as easily as publishing a post to your blog, while having all the tools of a professional repository platform. Author: Tainacan.org -Version: 0.18.9 +Version: 0.18.10 Requires at least: 5.0 Tested up to: 5.9 Requires PHP: 5.6 -Stable tag: 0.18.9 +Stable tag: 0.18.10 Text Domain: tainacan License: GPLv2 or later License URI: http://www.gnu.org/licenses/gpl-3.0.html */ -const TAINACAN_VERSION = '0.18.9'; +const TAINACAN_VERSION = '0.18.10'; defined( 'ABSPATH' ) or die( 'No script kiddies please!' ); $TAINACAN_BASE_URL = plugins_url('', __FILE__); From 9b946e5ef8e98cdc00d2c0bfbbc261d5b3579b32 Mon Sep 17 00:00:00 2001 From: vnmedeiros Date: Mon, 23 May 2022 17:55:52 -0300 Subject: [PATCH 14/17] fix: escape strings --- src/classes/theme-helper/class-tainacan-theme-helper.php | 7 +++---- .../relationship/class-tainacan-relationship.php | 8 +++++++- 2 files changed, 10 insertions(+), 5 deletions(-) diff --git a/src/classes/theme-helper/class-tainacan-theme-helper.php b/src/classes/theme-helper/class-tainacan-theme-helper.php index 25a6c0ff9..dfe1a212a 100644 --- a/src/classes/theme-helper/class-tainacan-theme-helper.php +++ b/src/classes/theme-helper/class-tainacan-theme-helper.php @@ -960,7 +960,7 @@ class Theme_Helper { $allowed_html = [ 'div' => [ 'data-module' => true, - "id" => true + 'id' => true ] ]; foreach ($args as $key => $value) { @@ -1106,17 +1106,16 @@ class Theme_Helper { foreach($related_items as $collection_id => $related_group) { if ( isset($related_group['items']) && isset($related_group['total_items']) && $related_group['total_items'] ) { - $allowed_html = wp_kses_allowed_html( 'data' ); // Adds a heading with the collection name $collection_heading = ''; if ( isset($related_group['collection_name']) ) { - $collection_heading = wp_kses('<' . $args['collection_heading_tag'] . ' class="' . $args['collection_heading_class_name'] . '">' . $related_group['collection_name'] . '', $allowed_html); + $collection_heading = wp_kses_post('<' . $args['collection_heading_tag'] . ' class="' . $args['collection_heading_class_name'] . '">' . $related_group['collection_name'] . ''); } // Adds a paragraph with the metadata name $metadata_label = ''; if ( isset($related_group['metadata_name']) ) { - $metadata_label = wp_kses('<' . $args['metadata_label_tag'] . ' class="' . $args['metadata_label_class_name'] . '">' . $related_group['metadata_name'] . '', $allowed_html); + $metadata_label = wp_kses_post('<' . $args['metadata_label_tag'] . ' class="' . $args['metadata_label_class_name'] . '">' . $related_group['metadata_name'] . ''); } // Sets the carousel, from the items carousel template tag. diff --git a/src/views/admin/components/metadata-types/relationship/class-tainacan-relationship.php b/src/views/admin/components/metadata-types/relationship/class-tainacan-relationship.php index 5f4c6747b..80dccc5e7 100644 --- a/src/views/admin/components/metadata-types/relationship/class-tainacan-relationship.php +++ b/src/views/admin/components/metadata-types/relationship/class-tainacan-relationship.php @@ -309,7 +309,13 @@ class Relationship extends Metadata_Type {
get_item_thumbnail($thumbnail_id, $item) : ''); ?>

- +

Date: Mon, 23 May 2022 18:45:58 -0300 Subject: [PATCH 15/17] fix: add a filter to wp_kses_allowed_html --- src/classes/entities/class-tainacan-item.php | 8 ++--- src/classes/theme-helper/template-tags.php | 32 ++++++++++++-------- src/tainacan.php | 20 +++++++++++- 3 files changed, 42 insertions(+), 18 deletions(-) diff --git a/src/classes/entities/class-tainacan-item.php b/src/classes/entities/class-tainacan-item.php index e2811e78e..5ce5eb694 100644 --- a/src/classes/entities/class-tainacan-item.php +++ b/src/classes/entities/class-tainacan-item.php @@ -771,8 +771,8 @@ class Item extends Entity { } } - - return apply_filters("tainacan-item-get-document-as-html", wp_kses_post($output), $img_size, $this); + $allowed_html = wp_kses_allowed_html('tainacan_post'); + return apply_filters("tainacan-item-get-document-as-html", wp_kses($output, $allowed_html), $img_size, $this); } @@ -806,8 +806,8 @@ class Item extends Entity { $output .= $embed; } } - - return wp_kses_post($output); + $allowed_html = wp_kses_allowed_html('tainacan_post'); + return wp_kses($output, $allowed_html); } diff --git a/src/classes/theme-helper/template-tags.php b/src/classes/theme-helper/template-tags.php index 7956af9be..d096681aa 100644 --- a/src/classes/theme-helper/template-tags.php +++ b/src/classes/theme-helper/template-tags.php @@ -3,6 +3,13 @@ use \Tainacan\Entities; use \Tainacan\Repositories; +function tainacan_get_default_allowed_styles ( $styles ) { + $styles[] = 'display'; + $styles[] = 'position'; + $styles[] = 'visibility'; + return $styles; +} + /** * To be used inside The Loop * @@ -332,7 +339,9 @@ function tainacan_get_the_media_component( $args['media_main_id'] = $media_id . '-main'; $args['media_thumbs_id'] = $media_id . '-thumbs'; $args['media_id'] = $media_id; - + $allowed_html = wp_kses_allowed_html('tainacan_post'); + add_filter( 'safe_style_css', 'tainacan_get_default_allowed_styles'); + if ( $args['has_media_main'] || $args['has_media_thumbs'] ) : // Modal lightbox layer for rendering photoswipe add_action('wp_footer', 'tainacan_get_the_media_modal_layer'); @@ -363,7 +372,9 @@ function tainacan_get_the_media_component(
  • - +
@@ -394,7 +405,7 @@ function tainacan_get_the_media_component(
  • - +
@@ -420,8 +431,10 @@ function tainacan_get_the_media_component(
- - + '' ), $args); - $allowed_html = wp_kses_allowed_html('post'); - $allowed_html['iframe'] = array( - 'src' => true, - 'height' => true, - 'width' => true, - 'frameborder' => true, - 'allowfullscreen' => true, - ); + $allowed_html = wp_kses_allowed_html('tainacan_post'); ob_start(); ?> diff --git a/src/tainacan.php b/src/tainacan.php index 2552c3831..18d7389a9 100644 --- a/src/tainacan.php +++ b/src/tainacan.php @@ -122,4 +122,22 @@ function tainacan_add_admin_bar_items ( WP_Admin_Bar $admin_bar ) { } } } -add_action( 'admin_bar_menu', 'tainacan_add_admin_bar_items', 500 ); \ No newline at end of file +add_action( 'admin_bar_menu', 'tainacan_add_admin_bar_items', 500 ); + + +add_filter('wp_kses_allowed_html', function($allowedposttags, $context) { + if($context == 'tainacan_post') { + $post_allowed_html = wp_kses_allowed_html('post'); + return array_merge( + $post_allowed_html, + ['iframe' => array( + 'src' => true, + 'height' => true, + 'width' => true, + 'frameborder' => true, + 'allowfullscreen' => true, + )] + ); + } + return $allowedposttags; +}, 10, 2); \ No newline at end of file From 74a2cc595b33e798681cb49dfe9b8948619e9024 Mon Sep 17 00:00:00 2001 From: vnmedeiros Date: Tue, 24 May 2022 10:40:22 -0300 Subject: [PATCH 16/17] add function `wp_kses_tainacan` --- src/classes/class-tainacan-media.php | 2 +- src/classes/entities/class-tainacan-item.php | 11 +++--- .../class-tainacan-theme-helper.php | 2 -- src/classes/theme-helper/template-tags.php | 35 ++++++++++--------- src/tainacan.php | 32 ++++++++++------- 5 files changed, 42 insertions(+), 40 deletions(-) diff --git a/src/classes/class-tainacan-media.php b/src/classes/class-tainacan-media.php index e8867d681..0b008e627 100644 --- a/src/classes/class-tainacan-media.php +++ b/src/classes/class-tainacan-media.php @@ -338,7 +338,7 @@ class Media { } - echo wp_kses_post($output); + echo $output; exit(); diff --git a/src/classes/entities/class-tainacan-item.php b/src/classes/entities/class-tainacan-item.php index 5ce5eb694..48ff44919 100644 --- a/src/classes/entities/class-tainacan-item.php +++ b/src/classes/entities/class-tainacan-item.php @@ -564,7 +564,6 @@ class Item extends Entity { */ public function get_metadata_as_html($args = array()) { - $Tainacan_Item_Metadata = \Tainacan\Repositories\Item_Metadata::get_instance(); $Tainacan_Metadata = \Tainacan\Repositories\Metadata::get_instance(); $return = ''; @@ -633,7 +632,7 @@ class Item extends Entity { } - return wp_kses_post($return); + return wp_kses_tainacan($return); } @@ -702,7 +701,7 @@ class Item extends Entity { } } - return wp_kses_post($return); + return wp_kses_tainacan($return); } @@ -771,9 +770,8 @@ class Item extends Entity { } } - $allowed_html = wp_kses_allowed_html('tainacan_post'); - return apply_filters("tainacan-item-get-document-as-html", wp_kses($output, $allowed_html), $img_size, $this); + return apply_filters("tainacan-item-get-document-as-html", wp_kses_tainacan($output), $img_size, $this); } /** @@ -806,8 +804,7 @@ class Item extends Entity { $output .= $embed; } } - $allowed_html = wp_kses_allowed_html('tainacan_post'); - return wp_kses($output, $allowed_html); + return wp_kses_tainacan($output); } diff --git a/src/classes/theme-helper/class-tainacan-theme-helper.php b/src/classes/theme-helper/class-tainacan-theme-helper.php index dfe1a212a..fe52aa9ea 100644 --- a/src/classes/theme-helper/class-tainacan-theme-helper.php +++ b/src/classes/theme-helper/class-tainacan-theme-helper.php @@ -375,7 +375,6 @@ class Theme_Helper { wp_enqueue_media(); - // $allowed_html = wp_kses_allowed_html('post'); $allowed_html = [ 'div' => [ 'id' => true, @@ -517,7 +516,6 @@ class Theme_Helper { } } - // $allowed_html = wp_kses_allowed_html('post'); $allowed_html = [ 'div' => [ 'id' => true, diff --git a/src/classes/theme-helper/template-tags.php b/src/classes/theme-helper/template-tags.php index d096681aa..dbf250acd 100644 --- a/src/classes/theme-helper/template-tags.php +++ b/src/classes/theme-helper/template-tags.php @@ -3,12 +3,6 @@ use \Tainacan\Entities; use \Tainacan\Repositories; -function tainacan_get_default_allowed_styles ( $styles ) { - $styles[] = 'display'; - $styles[] = 'position'; - $styles[] = 'visibility'; - return $styles; -} /** * To be used inside The Loop @@ -339,7 +333,15 @@ function tainacan_get_the_media_component( $args['media_main_id'] = $media_id . '-main'; $args['media_thumbs_id'] = $media_id . '-thumbs'; $args['media_id'] = $media_id; - $allowed_html = wp_kses_allowed_html('tainacan_post'); + + if (!function_exists('tainacan_get_default_allowed_styles')) { + function tainacan_get_default_allowed_styles ( $styles ) { + $styles[] = 'display'; + $styles[] = 'position'; + $styles[] = 'visibility'; + return $styles; + } + } add_filter( 'safe_style_css', 'tainacan_get_default_allowed_styles'); if ( $args['has_media_main'] || $args['has_media_thumbs'] ) : @@ -373,7 +375,7 @@ function tainacan_get_the_media_component(
    • @@ -405,7 +407,7 @@ function tainacan_get_the_media_component(
    • - +
    @@ -477,7 +479,6 @@ function tainacan_get_the_media_component_slide( $args = array() ) { 'media_type' => '' ), $args); - $allowed_html = wp_kses_allowed_html('tainacan_post'); ob_start(); ?> @@ -486,30 +487,30 @@ function tainacan_get_the_media_component_slide( $args = array() ) {
    - + <?php echo ( !empty($args['media_title']) ? esc_attr($args['media_title']) : __('File', 'tainacan') ) ?> - + -
    +
    - +
    - +
    - +
    @@ -517,7 +518,7 @@ function tainacan_get_the_media_component_slide( $args = array() ) { diff --git a/src/tainacan.php b/src/tainacan.php index 18d7389a9..e7bf1c758 100644 --- a/src/tainacan.php +++ b/src/tainacan.php @@ -124,20 +124,26 @@ function tainacan_add_admin_bar_items ( WP_Admin_Bar $admin_bar ) { } add_action( 'admin_bar_menu', 'tainacan_add_admin_bar_items', 500 ); +function wp_kses_tainacan($content, $context='tainacan_content') { + $allowed_html = wp_kses_allowed_html($context); + return wp_kses($content, $allowed_html); +} add_filter('wp_kses_allowed_html', function($allowedposttags, $context) { - if($context == 'tainacan_post') { - $post_allowed_html = wp_kses_allowed_html('post'); - return array_merge( - $post_allowed_html, - ['iframe' => array( - 'src' => true, - 'height' => true, - 'width' => true, - 'frameborder' => true, - 'allowfullscreen' => true, - )] - ); + switch ( $context ) { + case 'tainacan_content': + $post_allowed_html = wp_kses_allowed_html('post'); + return array_merge( + $post_allowed_html, + ['iframe' => array( + 'src' => true, + 'height' => true, + 'width' => true, + 'frameborder' => true, + 'allowfullscreen' => true, + )] + ); + default: + return $allowedposttags; } - return $allowedposttags; }, 10, 2); \ No newline at end of file From 87c30a5efd7be90b2ebf2eca8fe3be5f4506549f Mon Sep 17 00:00:00 2001 From: vnmedeiros Date: Tue, 24 May 2022 11:13:23 -0300 Subject: [PATCH 17/17] update tested up to --- src/readme.txt | 2 +- src/tainacan.php | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/readme.txt b/src/readme.txt index df41373a4..199237109 100644 --- a/src/readme.txt +++ b/src/readme.txt @@ -2,7 +2,7 @@ Contributors: andrebenedito, daltonmartins, fabianobn, jacsonp, leogermani, weryques, wetah, eduardohumberto, ravipassos, jessicafpx, marinagiolo, omarceloavila, vnmedeiros, tainacan, r-guimaraes, suelanesilva, ccaio, alanargomes, ateneagarcia123, rodrigo0freire, clarandreozzi Tags: museums, libraries, archives, GLAM, collections, repository Requires at least: 5.0 -Tested up to: 5.9 +Tested up to: 6.0 Requires PHP: 5.6 Stable tag: 0.18.10 License: GPLv2 or later diff --git a/src/tainacan.php b/src/tainacan.php index e7bf1c758..9b7be3a65 100644 --- a/src/tainacan.php +++ b/src/tainacan.php @@ -6,7 +6,7 @@ Description: Open source, powerful and flexible repository platform for WordPres Author: Tainacan.org Version: 0.18.10 Requires at least: 5.0 -Tested up to: 5.9 +Tested up to: 6.0 Requires PHP: 5.6 Stable tag: 0.18.10 Text Domain: tainacan