diff --git a/includes/core/class-account.php b/includes/core/class-account.php index 889c9704..be3891e0 100644 --- a/includes/core/class-account.php +++ b/includes/core/class-account.php @@ -340,107 +340,100 @@ if ( ! class_exists( 'um\core\Account' ) ) { } } - /** - * Submit Account handler + * Process the submission of account details */ - function account_submit() { + public function account_submit() { + if ( ! um_submitting_account_page() ) { + return; + } - if ( um_submitting_account_page() ) { + $formdata = wp_unslash( $_POST ); - $formdata = wp_unslash( $_POST ); - if ( isset( $_POST['user_password'] ) ) { - $formdata['user_password'] = trim( $_POST['user_password'] ); - } - if ( isset( $_POST['confirm_user_password'] ) ) { - $formdata['confirm_user_password'] = trim( $_POST['confirm_user_password'] ); - } - if ( isset( $_POST['current_user_password'] ) ) { - $formdata['current_user_password'] = trim( $_POST['current_user_password'] ); - } - if ( isset( $_POST['single_user_password'] ) ) { - $formdata['single_user_password'] = trim( $_POST['single_user_password'] ); - } + // Don't un-slash passwords in manner of WordPress native password field. + $fields_map = array( + 'user_password', + 'confirm_user_password', + 'current_user_password', + 'single_user_password', + ); + $formdata = UM()->form()::ignore_formdata_unslash( $formdata, $fields_map ); - UM()->form()->post_form = $formdata; + UM()->form()->post_form = $formdata; + /** + * UM hook + * + * @type action + * @title um_submit_account_errors_hook + * @description Validate process on account submit + * @input_vars + * [{"var":"$submitted","type":"array","desc":"Account Page Submitted data"}] + * @change_log + * ["Since: 2.0"] + * @usage add_action( 'um_submit_account_errors_hook', 'function_name', 10, 1 ); + * @example + * + */ + do_action( 'um_submit_account_errors_hook', UM()->form()->post_form ); + + if ( um_is_core_page( 'account' ) && get_query_var( 'um_tab' ) ) { + $this->current_tab = get_query_var( 'um_tab' ); + } else { + $this->current_tab = UM()->form()->post_form['_um_account_tab']; + } + + $this->current_tab = sanitize_key( $this->current_tab ); + + if ( ! isset( UM()->form()->errors ) ) { /** * UM hook * * @type action - * @title um_submit_account_errors_hook - * @description Validate process on account submit + * @title um_submit_account_details + * @description On success account submit * @input_vars * [{"var":"$submitted","type":"array","desc":"Account Page Submitted data"}] * @change_log * ["Since: 2.0"] - * @usage add_action( 'um_submit_account_errors_hook', 'function_name', 10, 1 ); + * @usage add_action( 'um_submit_account_details', 'function_name', 10, 1 ); * @example * */ - do_action( 'um_submit_account_errors_hook', UM()->form()->post_form ); + do_action( 'um_submit_account_details', UM()->form()->post_form ); - if ( um_is_core_page( 'account' ) && get_query_var( 'um_tab' ) ) { - $this->current_tab = get_query_var( 'um_tab' ); - } else { - $this->current_tab = UM()->form()->post_form['_um_account_tab']; - } + } elseif ( UM()->form()->has_error( 'um_account_security' ) ) { + $url = ''; + if ( um_is_core_page( 'account' ) ) { - $this->current_tab = sanitize_key( $this->current_tab ); + $url = UM()->account()->tab_link( $this->current_tab ); - if ( ! isset( UM()->form()->errors ) ) { - /** - * UM hook - * - * @type action - * @title um_submit_account_details - * @description On success account submit - * @input_vars - * [{"var":"$submitted","type":"array","desc":"Account Page Submitted data"}] - * @change_log - * ["Since: 2.0"] - * @usage add_action( 'um_submit_account_details', 'function_name', 10, 1 ); - * @example - * - */ - do_action( 'um_submit_account_details', UM()->form()->post_form ); + $url = add_query_arg( 'err', 'account', $url ); - } elseif ( UM()->form()->has_error( 'um_account_security' ) ) { - $url = ''; - if ( um_is_core_page( 'account' ) ) { + if ( function_exists( 'icl_get_current_language' ) ) { + if ( icl_get_current_language() != icl_get_default_language() ) { + $url = UM()->permalinks()->get_current_url( true ); + $url = add_query_arg( 'err', 'account', $url ); - $url = UM()->account()->tab_link( $this->current_tab ); - - $url = add_query_arg( 'err', 'account', $url ); - - if ( function_exists( 'icl_get_current_language' ) ) { - if ( icl_get_current_language() != icl_get_default_language() ) { - $url = UM()->permalinks()->get_current_url( true ); - $url = add_query_arg( 'err', 'account', $url ); - - exit( wp_redirect( $url ) ); - } + exit( wp_redirect( $url ) ); } } - - exit( wp_redirect( $url ) ); } + exit( wp_redirect( $url ) ); } - } - /** * Filter account fields * @param array $predefined_fields diff --git a/includes/core/class-form.php b/includes/core/class-form.php index 0cdd0cc8..e7a553db 100644 --- a/includes/core/class-form.php +++ b/includes/core/class-form.php @@ -453,6 +453,11 @@ if ( ! class_exists( 'um\core\Form' ) ) { $arr_restricted_fields = UM()->fields()->get_restricted_fields_for_edit(); } + $password_fields = array( + 'user_password', + 'confirm_user_password', + ); + $field_types_without_metakey = UM()->builtin()->get_fields_without_metakey(); foreach ( $custom_fields as $cf_k => $cf_data ) { if ( ! array_key_exists( 'type', $cf_data ) || in_array( $cf_data['type'], $field_types_without_metakey, true ) ) { @@ -462,6 +467,9 @@ if ( ! class_exists( 'um\core\Form' ) ) { if ( array_key_exists( 'type', $cf_data ) && 'password' === $cf_data['type'] ) { $ignore_keys[] = $cf_k; $ignore_keys[] = 'confirm_' . $cf_k; + + $password_fields[] = $cf_k; + $password_fields[] = 'confirm_' . $cf_k; } if ( 'profile' === $this->form_data['mode'] ) { @@ -557,14 +565,15 @@ if ( ! class_exists( 'um\core\Form' ) ) { do_action( 'um_before_submit_form_post', $this ); $formdata = wp_unslash( $_POST ); + if ( isset( $formdata['form_id'] ) ) { + // Don't un-slash passwords in manner of WordPress native password field. $form_id = absint( $formdata['form_id'] ); - if ( isset( $_POST['user_password-' . $form_id] ) ) { - $formdata['user_password-' . $form_id] = trim( $_POST['user_password-' . $form_id] ); - } - if ( isset( $_POST['confirm_user_password-' . $form_id] ) ) { - $formdata['confirm_user_password-' . $form_id] = trim( $_POST['confirm_user_password-' . $form_id] ); + foreach ( $password_fields as &$password_field ) { + $password_field .= '-' . $form_id; } + unset( $password_field ); + $formdata = UM()->form()::ignore_formdata_unslash( $formdata, $password_fields ); } /* save entire form as global */ @@ -1120,7 +1129,6 @@ if ( ! class_exists( 'um\core\Form' ) ) { return $mode; } - /** * Get custom field roles * @@ -1177,5 +1185,24 @@ if ( ! class_exists( 'um\core\Form' ) ) { return false; } + + /** + * Ignore of `wp_unslash()` for form data + * + * @param array $formdata The form data to process + * @param array $fields_map The fields map array + * + * @return array The updated form data + */ + public static function ignore_formdata_unslash( $formdata, $fields_map ) { + foreach ( $fields_map as $field ) { + if ( ! isset( $_POST[ $field ] ) ) { + continue; + } + $formdata[ $field ] = trim( $_POST[ $field ] ); + } + + return $formdata; + } } } diff --git a/includes/core/class-password.php b/includes/core/class-password.php index 07a3d5ac..5690e046 100644 --- a/includes/core/class-password.php +++ b/includes/core/class-password.php @@ -339,12 +339,13 @@ if ( ! class_exists( 'um\core\Password' ) ) { if ( $this->is_change_request() ) { $formdata = wp_unslash( $_POST ); - if ( isset( $_POST['user_password'] ) ) { - $formdata['user_password'] = trim( $_POST['user_password'] ); - } - if ( isset( $_POST['confirm_user_password'] ) ) { - $formdata['confirm_user_password'] = trim( $_POST['confirm_user_password'] ); - } + + // Don't un-slash passwords in manner of WordPress native password field. + $fields_map = array( + 'user_password', + 'confirm_user_password', + ); + $formdata = UM()->form()::ignore_formdata_unslash( $formdata, $fields_map ); UM()->form()->post_form = $formdata;