From 89babc897cce8bb6855428f8f9dc086ac536c747 Mon Sep 17 00:00:00 2001
From: jamesros
Date: Wed, 22 Jan 2025 13:09:06 -0500
Subject: [PATCH] create new escaping function for htags (#636)

* create new escaping function for htags
* fix PageTitle widget showing CPT titles
* update readme.txt
---
 includes/Widget/HeadingWidget.php | 18 ++++++++++++++++--
 includes/Widget/PageTitle.php | 3 +++
 includes/Widget/SiteDescription.php | 5 +++--
 includes/Widget/SiteTitle.php | 15 ++++++++-------
 package.json | 2 +-
 post-and-page-builder.php | 2 +-
 readme.txt | 5 ++++-
 7 files changed, 36 insertions(+), 14 deletions(-)
diff --git a/includes/Widget/HeadingWidget.php b/includes/Widget/HeadingWidget.php
index 055d6e06..27b9ccaf 100644
--- a/includes/Widget/HeadingWidget.php
+++ b/includes/Widget/HeadingWidget.php
@@ -78,6 +78,19 @@ public function __construct( $component_slug, $component_title, $class_name, $co
 $this->text_string = $text;
 }
+ public function escape_htags( $htag ) {
+ $allowed_tags = array(
+ 'h1' => array(),
+ 'h2' => array(),
+ 'h3' => array(),
+ 'h4' => array(),
+ 'h5' => array(),
+ 'h6' => array(),
+ );
+
+ return array_key_exists( $htag, $allowed_tags ) ? $htag : 'h1';
+ }
+
 /**
 * Update a widget with a new configuration.
 * 
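Review bot: `escape_htags()` is a new public method without a docblock, while the surrounding methods in HeadingWidget.php carry `/** ... */` headers; it needs a one-line purpose plus `@param string $htag` and `@return string`, stating that the method does not escape its input but replaces anything outside the h1–h6 allow-list with `'h1'`. The name "escape" suggests the return value is an escaped form of the input, so either the docblock should say so explicitly or a name such as `sanitize_htag` would describe the behaviour more accurately. On PHP 8 `array_key_exists()` throws a `TypeError` when the key is an array or object, and the `! empty()` guards in the callers let such stored values through, so `return is_string( $htag ) && array_key_exists( $htag, $allowed_tags ) ? $htag : 'h1';` would be cheap insurance. The same allow-list could also be applied in `update()` (outside this hunk) so the stored `bgc_heading_type` is clean at save time as well as at render time.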
@@ -104,10 +117,11 @@ public function update( $new_instance, $old_instance ) {
 public function widget( $args, $instance ) {
 $alignment = ! empty( $instance['bgc_title_alignment'] ) ? $instance['bgc_title_alignment'] : 'center';
 $htag = ! empty( $instance['bgc_heading_type'] ) ? $instance['bgc_heading_type'] : 'h1';
+ $htag_safe = $this->escape_htags( $htag );
- $styles = 'font-weight: inherit; text-transform: inherit; line-height: inherit; font-family: inherit; font-style: inherit; font-size: inherit; color: inherit; text-align:' . $alignment . ';';
+ $styles_escaped = 'font-weight: inherit; text-transform: inherit; line-height: inherit; font-family: inherit; font-style: inherit; font-size: inherit; color: inherit; text-align:' . esc_attr( $alignment ) . ';';
- echo '<' . $htag . ' class="bgc_page_title" style="' . $styles . '">' . $this->text_string . '';
+ echo '<' . $htag_safe . ' class="bgc_page_title" style="' . $styles_escaped . '">' . esc_html( $this->text_string ) . '';
 }
diff --git a/includes/Widget/PageTitle.php b/includes/Widget/PageTitle.php
index 3a1f747b..d68619a6 100644
--- a/includes/Widget/PageTitle.php
+++ b/includes/Widget/PageTitle.php
@@ -57,6 +57,9 @@ public function __construct() {
 } else {
 $title = '[ Page Title ]';
 }
+ if ( is_admin() ) {
+ $title = '[ Page Title ]';
+ }
 parent::__construct(
 'boldgrid_component_page_title',
diff --git a/includes/Widget/SiteDescription.php b/includes/Widget/SiteDescription.php
index a5561df7..da99e3eb 100644
--- a/includes/Widget/SiteDescription.php
+++ b/includes/Widget/SiteDescription.php
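Review bot: `esc_attr( $alignment )` keeps the `style` attribute well-formed but does not constrain the value, so a stored `bgc_title_alignment` that carries extra CSS declarations is still emitted as live inline style; since `text-align` only takes a handful of values, the same allow-list approach used for `$htag` fits better, e.g. `$alignment_safe = in_array( $alignment, array( 'left', 'center', 'right', 'justify' ), true ) ? $alignment : 'center';` before `$styles_escaped` is built. The `widget()` hunks in SiteDescription.php and SiteTitle.php build the style string the same way and would take the same change. A short comment such as `// Heading tag and alignment are allow-listed, not escaped, because neither is free text.` would document why the two suffixes differ.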
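Review bot: The added `if ( is_admin() )` block overrides the `$title` that the preceding `if`/`else` just computed, so in the admin the earlier branch runs only to be discarded; folding the admin case into that condition (the start of `__construct()` is outside this hunk) would state the intent once instead of as a late override. `is_admin()` is also true for admin-ajax.php requests, so if this widget is ever rendered through an AJAX handler used on the front end the placeholder would appear there as well; `if ( is_admin() && ! wp_doing_ajax() )` limits the override to actual admin screens. The commit subject says this fixes CPT titles showing in the widget, which presumably means admin previews should never resolve a real post title, and a one-line comment above the block saying so would help the next reader.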
@@ -48,10 +48,11 @@ public function __construct() {
 public function widget( $args, $instance ) {
 $alignment = ! empty( $instance['bgc_title_alignment'] ) ? $instance['bgc_title_alignment'] : 'center';
 $htag = ! empty( $instance['bgc_heading_type'] ) ? $instance['bgc_heading_type'] : 'h1';
+ $htag_safe = $this->escape_htags( $htag );
- $styles = 'font-weight: inherit; text-transform: inherit; line-height: inherit; font-family: inherit; font-style: inherit; font-size: inherit; color: inherit; text-align:' . $alignment . ';';
+ $styles_escaped = 'font-weight: inherit; text-transform: inherit; line-height: inherit; font-family: inherit; font-style: inherit; font-size: inherit; color: inherit; text-align:' . esc_attr( $alignment ) . ';';
- echo '<' . $htag . ' class="bgc_site_description" style="' . $styles . '">' . $this->text_string . '';
+ echo '<' . $htag_safe . ' class="bgc_site_description" style="' . $styles_escaped . '">' . esc_html( $this->text_string ) . '';
 }
 /**
diff --git a/includes/Widget/SiteTitle.php b/includes/Widget/SiteTitle.php
index 8c31081b..0339cecc 100644
--- a/includes/Widget/SiteTitle.php
+++ b/includes/Widget/SiteTitle.php
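Review bot: This hunk calls `$this->escape_htags( $htag )`, but the commit defines `escape_htags()` only in HeadingWidget.php, so SiteDescription (and SiteTitle, which makes the same call) must inherit from that class for this not to be a fatal error at render time; the class header is outside the hunk, so that is worth confirming. If the three widgets do not share a parent, the allow-list belongs in a trait or a small static helper that each `widget()` calls. The class-level docblock for SiteDescription could also record that the method comes from the parent, e.g. `// escape_htags() is inherited from HeadingWidget.`, so the dependency is visible from this file.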
@@ -172,13 +172,14 @@ public function print_form_styles() {
 * @param array $instance Widget instance arguments.
 */
 public function widget( $args, $instance ) {
- $alignment = ! empty( $instance['bgc_title_alignment'] ) ? $instance['bgc_title_alignment'] : 'center';
- $htag = ! empty( $instance['bgc_heading_type'] ) ? $instance['bgc_heading_type'] : 'h1';
- $link_to_home = isset( $instance['bgc_link_to_home'] ) && '0' === $instance['bgc_link_to_home'] ? false : true;
- $styles = 'text-decoration: inherit; font-weight: inherit; text-transform: inherit; line-height: inherit; font-family: inherit; font-style: inherit; font-size: inherit; color: inherit; text-align:' . $alignment . ';';
- $home_link_markup = '' . $this->text_string . '';
- $site_title = $link_to_home ? $home_link_markup : $this->text_string;
+ $alignment = ! empty( $instance['bgc_title_alignment'] ) ? $instance['bgc_title_alignment'] : 'center';
+ $htag = ! empty( $instance['bgc_heading_type'] ) ? $instance['bgc_heading_type'] : 'h1';
+ $htag_safe = $this->escape_htags( $htag );
+ $link_to_home = isset( $instance['bgc_link_to_home'] ) && '0' === $instance['bgc_link_to_home'] ? false : true;
+ $styles_escaped = 'text-decoration: inherit; font-weight: inherit; text-transform: inherit; line-height: inherit; font-family: inherit; font-style: inherit; font-size: inherit; color: inherit; text-align:' . esc_attr( $alignment ) . ';';
+ $home_link_markup_safe = '' . esc_html( $this->text_string ) . '';
+ $site_title_safe = $link_to_home ? $home_link_markup_safe : esc_html( $this->text_string );
- echo '<' . $htag . ' class="bgc_site_title ' . ( $link_to_home ? 'site-title' : '' ) . '" style="' . $styles . '">' . $site_title . '';
+ echo '<' . $htag_safe . ' class="bgc_site_title ' . ( $link_to_home ? 'site-title' : '' ) . '" style="' . $styles_escaped . '">' . $site_title_safe . '';
 }
 }
\ No newline at end of file
diff --git a/package.json b/package.json
index fc38fbaa..c09c7de4 100644
--- a/package.json
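Review bot: `esc_html( $this->text_string )` is evaluated twice in the new `widget()` body, once inside `$home_link_markup_safe` and again in the fallback branch of `$site_title_safe`; computing it once, `$text_safe = esc_html( $this->text_string );`, and using `$text_safe` in both places keeps the escaping decision in a single line. The `$alignment`, `$htag` and `$link_to_home` lines are removed and re-added unchanged apart from column alignment, which makes the security-relevant part of this hunk harder to pick out in review; separating whitespace-only churn from the fix would help. The anchor markup that wraps the site title is not visible in this copy of the hunk; if it embeds `home_url()` or any other URL, that part should pass through `esc_url()` in the same way the text now passes through `esc_html()`. `$link_to_home` would also read more directly as `! ( isset( $instance['bgc_link_to_home'] ) && '0' === $instance['bgc_link_to_home'] )`.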
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "boldgrid-editor",
- "version": "1.27.5",
+ "version": "1.27.6",
 "description": "Post and Page Builder is a standalone plugin which adds functionality to the existing TinyMCE Editor.",
 "main": "assets/js/editor.js",
 "scripts": {
diff --git a/post-and-page-builder.php b/post-and-page-builder.php
index 365d3fd5..a2a9ed29 100644
--- a/post-and-page-builder.php
+++ b/post-and-page-builder.php
@@ -3,7 +3,7 @@
 * Plugin Name: Post and Page Builder
 * Plugin URI: https://www.boldgrid.com/boldgrid-editor/?utm_source=ppb-wp-repo&utm_medium=plugin-uri&utm_campaign=ppb
 * Description: Customized drag and drop editing for posts and pages. The Post and Page Builder adds functionality to the existing TinyMCE Editor to give you easier control over your content.
- * Version: 1.27.5
+ * Version: 1.27.6
 * Author: BoldGrid
 * Author URI: https://www.boldgrid.com/?utm_source=ppb-wp-repo&utm_medium=author-uri&utm_campaign=ppb
 * Text Domain: boldgrid-editor
diff --git a/readme.txt b/readme.txt
index ef2ea7aa..1e9b9c8b 100644
--- a/readme.txt
+++ b/readme.txt
@@ -4,7 +4,7 @@ Tags: boldgrid, page builder, drag and drop, tinymce, editor, landing page
 Requires at least: 4.7
 Tested up to: 6.7
 Requires PHP: 5.4
-Stable tag: 1.27.5
+Stable tag: 1.27.6
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
@@ -134,6 +134,9 @@ WordPress Editor.
 == Changelog ==
+= 1.27.6 =
+* Security Update: Resolved a security vulnerability reported by PatchStack [#635](https://github.com/BoldGrid/post-and-page-builder/issues/635)
+
 = 1.27.5 =
 * Bug Fix: Table Borders do not change with palette [#609](https://github.com/BoldGrid/post-and-page-builder/issues/609)
 * Bug Fix: Fixed height tables break in responsive views. [#632](https://github.com/BoldGrid/post-and-page-builder/issues/632)