- added sanitizing of the role meta;

This commit is contained in:
Nikita Sinelnikov
2021-06-17 00:57:25 +03:00
parent 9effc4e8de
commit ac4f42aef3
10 changed files with 159 additions and 12 deletions
+1 -1
+1 -1
+1 -1
+1 -1
+1 -1
+1 -1
+1 -1
+147 -1
@@ -78,6 +78,152 @@ if ( ! empty( $_POST['role'] ) ) {
$data = $_POST['role'];
$all_roles = array_keys( UM()->roles()->get_roles() );
if ( array_key_exists( '_um_priority', $data ) ) {
$data['_um_priority'] = (int) $data['_um_priority'];
}
if ( array_key_exists( '_um_can_access_wpadmin', $data ) ) {
$data['_um_can_access_wpadmin'] = (bool) $data['_um_can_access_wpadmin'];
}
if ( array_key_exists( '_um_can_not_see_adminbar', $data ) ) {
$data['_um_can_not_see_adminbar'] = (bool) $data['_um_can_not_see_adminbar'];
}
if ( array_key_exists( '_um_can_edit_everyone', $data ) ) {
$data['_um_can_edit_everyone'] = (bool) $data['_um_can_edit_everyone'];
}
if ( array_key_exists( '_um_can_edit_roles', $data ) && ! empty( $data['_um_can_edit_roles'] ) ) {
$data['_um_can_edit_roles'] = array_filter( $data['_um_can_edit_roles'], function( $v, $k ) use ( $all_roles ) {
return in_array( $v, $all_roles );
}, ARRAY_FILTER_USE_BOTH );
}
if ( array_key_exists( '_um_can_delete_everyone', $data ) ) {
$data['_um_can_delete_everyone'] = (bool) $data['_um_can_delete_everyone'];
}
if ( array_key_exists( '_um_can_delete_roles', $data ) && ! empty( $data['_um_can_delete_roles'] ) ) {
$data['_um_can_delete_roles'] = array_filter( $data['_um_can_delete_roles'], function( $v, $k ) use ( $all_roles ) {
return in_array( $v, $all_roles );
}, ARRAY_FILTER_USE_BOTH );
}
if ( array_key_exists( '_um_can_edit_profile', $data ) ) {
$data['_um_can_edit_profile'] = (bool) $data['_um_can_edit_profile'];
}
if ( array_key_exists( '_um_can_delete_profile', $data ) ) {
$data['_um_can_delete_profile'] = (bool) $data['_um_can_delete_profile'];
}
if ( array_key_exists( '_um_can_view_all', $data ) ) {
$data['_um_can_view_all'] = (bool) $data['_um_can_view_all'];
}
if ( array_key_exists( '_um_can_view_roles', $data ) && ! empty( $data['_um_can_view_roles'] ) ) {
$data['_um_can_view_roles'] = array_filter( $data['_um_can_view_roles'], function( $v, $k ) use ( $all_roles ) {
return in_array( $v, $all_roles );
}, ARRAY_FILTER_USE_BOTH );
}
if ( array_key_exists( '_um_can_make_private_profile', $data ) ) {
$data['_um_can_make_private_profile'] = (bool) $data['_um_can_make_private_profile'];
}
if ( array_key_exists( '_um_can_access_private_profile', $data ) ) {
$data['_um_can_access_private_profile'] = (bool) $data['_um_can_access_private_profile'];
}
if ( array_key_exists( '_um_profile_noindex', $data ) ) {
$data['_um_profile_noindex'] = $data['_um_profile_noindex'] !== '' ? (bool) $data['_um_profile_noindex'] : $data['_um_profile_noindex'];
}
if ( array_key_exists( '_um_default_homepage', $data ) ) {
$data['_um_default_homepage'] = (bool) $data['_um_default_homepage'];
}
if ( array_key_exists( '_um_redirect_homepage', $data ) ) {
$data['_um_redirect_homepage'] = esc_url_raw( $data['_um_redirect_homepage'] );
}
if ( array_key_exists( '_um_status', $data ) ) {
$data['_um_status'] = ! in_array( sanitize_key( $data['_um_status'] ), [ 'approved', 'checkmail', 'pending' ] ) ? 'approved' : sanitize_key( $data['_um_status'] );
}
if ( array_key_exists( '_um_auto_approve_act', $data ) ) {
$data['_um_auto_approve_act'] = ! in_array( sanitize_key( $data['_um_auto_approve_act'] ), [ 'redirect_profile', 'redirect_url' ] ) ? 'redirect_profile' : sanitize_key( $data['_um_auto_approve_act'] );
}
if ( array_key_exists( '_um_auto_approve_url', $data ) ) {
$data['_um_auto_approve_url'] = esc_url_raw( $data['_um_auto_approve_url'] );
}
if ( array_key_exists( '_um_login_email_activate', $data ) ) {
$data['_um_login_email_activate'] = (bool) $data['_um_login_email_activate'];
}
if ( array_key_exists( '_um_checkmail_action', $data ) ) {
$data['_um_checkmail_action'] = ! in_array( sanitize_key( $data['_um_checkmail_action'] ), [ 'show_message', 'redirect_url' ] ) ? 'show_message' : sanitize_key( $data['_um_checkmail_action'] );
}
if ( array_key_exists( '_um_checkmail_message', $data ) ) {
$data['_um_checkmail_message'] = sanitize_textarea_field( $data['_um_checkmail_message'] );
}
if ( array_key_exists( '_um_checkmail_url', $data ) ) {
$data['_um_checkmail_url'] = esc_url_raw( $data['_um_checkmail_url'] );
}
if ( array_key_exists( '_um_url_email_activate', $data ) ) {
$data['_um_url_email_activate'] = esc_url_raw( $data['_um_url_email_activate'] );
}
if ( array_key_exists( '_um_pending_action', $data ) ) {
$data['_um_pending_action'] = ! in_array( sanitize_key( $data['_um_pending_action'] ), [ 'show_message', 'redirect_url' ] ) ? 'show_message' : sanitize_key( $data['_um_pending_action'] );
}
if ( array_key_exists( '_um_pending_message', $data ) ) {
$data['_um_pending_message'] = sanitize_textarea_field( $data['_um_pending_message'] );
}
if ( array_key_exists( '_um_pending_url', $data ) ) {
$data['_um_pending_url'] = esc_url_raw( $data['_um_pending_url'] );
}
if ( array_key_exists( '_um_after_login', $data ) ) {
$data['_um_after_login'] = ! in_array( sanitize_key( $data['_um_after_login'] ), [ 'redirect_profile', 'redirect_url', 'refresh', 'redirect_admin' ] ) ? 'redirect_profile' : sanitize_key( $data['_um_after_login'] );
}
if ( array_key_exists( '_um_login_redirect_url', $data ) ) {
$data['_um_login_redirect_url'] = esc_url_raw( $data['_um_login_redirect_url'] );
}
if ( array_key_exists( '_um_after_logout', $data ) ) {
$data['_um_after_logout'] = ! in_array( sanitize_key( $data['_um_after_logout'] ), [ 'redirect_home', 'redirect_url' ] ) ? 'redirect_home' : sanitize_key( $data['_um_after_logout'] );
}
if ( array_key_exists( '_um_logout_redirect_url', $data ) ) {
$data['_um_logout_redirect_url'] = esc_url_raw( $data['_um_logout_redirect_url'] );
}
if ( array_key_exists( '_um_after_delete', $data ) ) {
$data['_um_after_delete'] = ! in_array( sanitize_key( $data['_um_after_delete'] ), [ 'redirect_home', 'redirect_url' ] ) ? 'redirect_home' : sanitize_key( $data['_um_after_delete'] );
}
if ( array_key_exists( '_um_delete_redirect_url', $data ) ) {
$data['_um_delete_redirect_url'] = esc_url_raw( $data['_um_delete_redirect_url'] );
}
if ( array_key_exists( 'wp_capabilities', $data ) && ! empty( $data['wp_capabilities'] ) ) {
$data['wp_capabilities'] = array_map( 'boolval', array_filter( $data['wp_capabilities'] ) );
}
$data = apply_filters( 'um_save_role_meta_sanitize', $data );
if ( 'add' == sanitize_key( $_GET['tab'] ) ) {
$data['name'] = trim( esc_html( strip_tags( $data['name'] ) ) );
@@ -208,4 +354,4 @@ $screen_id = $current_screen->id; ?>
</div>
</div>
</form>
</div>
</div>
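Review bot: The sanitization in the first hunk is per known key, so any other key present in `$_POST['role']` reaches `apply_filters( 'um_save_role_meta_sanitize', $data )` and whatever saves `$data` untouched, unless code after the hunk drops unknown keys; an explicit allowlist would close that gap, e.g. `$data = array_intersect_key( $data, array_flip( $allowed_keys ) );` placed after the per-key casts, with `$allowed_keys` listing the `_um_*` keys handled above plus `name` and `wp_capabilities`. The `in_array( $v, $all_roles )` checks for `_um_can_edit_roles`, `_um_can_delete_roles` and `_um_can_view_roles`, and the `in_array( sanitize_key( ... ), [ ... ] )` comparisons below them, should pass `true` as the third argument so a role key or option is matched by identity rather than loose comparison. For `wp_capabilities` only the values are cast with `boolval`; the keys are taken from the request as-is, and if they are later stored as capability names they should at least go through `sanitize_key` or be checked against the known capability list. The enclosing `if ( ! empty( $_POST['role'] ) )` block starts before the hunk and continues past it.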
+3 -2
@@ -7,7 +7,7 @@ Tags: community, member, membership, user-profile, user-registration
Requires PHP: 5.6
Requires at least: 5.0
Tested up to: 5.7
Stable tag: 2.1.20
Stable tag: 2.1.21
License: GNU Version 2 or Any Later Version
License URI: http://www.gnu.org/licenses/gpl-3.0.txt
@@ -155,7 +155,7 @@ The plugin works with popular caching plugins by automatically excluding Ultimat
* To learn more about version 2.1 please see this [docs](https://docs.ultimatemember.com/article/1512-upgrade-2-1-0)
* UM2.1+ is a significant update to the Member Directories' code base from 2.0.x. Please make sure you take a full-site backup with restore point before updating the plugin
= 2.1.21: June xx, 2021 =
= 2.1.21: June 17, 2021 =
* Enhancements:
- Added: `um_scripts.max_upload_size` localized variable getting from `wp_max_upload_size()`
@@ -164,6 +164,7 @@ The plugin works with popular caching plugins by automatically excluding Ultimat
* Bugfixes:
- Fixed: Displaying different profile form shortcodes with different role visibility settings on the same page
- Fixed: Displaying avatar on the logout page
- Fixed: Role meta sanitizing and related XSS vulnerability
* Templates required update:
- logout.php
+2 -2
@@ -3,7 +3,7 @@
Plugin Name: Ultimate Member
Plugin URI: http://ultimatemember.com/
Description: The easiest way to create powerful online communities and beautiful user profiles with WordPress
Version: 2.1.21-alpha1
Version: 2.1.21
Author: Ultimate Member
Author URI: http://ultimatemember.com/
Text Domain: ultimate-member
@@ -21,4 +21,4 @@ define( 'ultimatemember_version', $plugin_data['Version'] );
define( 'ultimatemember_plugin_name', $plugin_data['Name'] );
require_once 'includes/class-functions.php';
require_once 'includes/class-init.php';
require_once 'includes/class-init.php';