diff --git a/includes/core/class-form.php b/includes/core/class-form.php
index 901dd005..3b919ede 100644
--- a/includes/core/class-form.php
+++ b/includes/core/class-form.php
@@ -671,9 +671,14 @@ if ( ! class_exists( 'um\core\Form' ) ) {
 $form[ $k ] = esc_url_raw( $form[ $k ] );
 }
 break;
+ case 'password':
+ $form[ $k ] = trim( $form[ $k ] );
+ if ( array_key_exists( 'confirm_' . $k, $form ) ) {
+ $form[ 'confirm_' . $k ] = trim( $form[ 'confirm_' . $k ] );
+ }
+ break;
 case 'text':
 case 'select':
- case 'password':
 case 'image':
 case 'file':
 case 'date':
diff --git a/includes/core/class-password.php b/includes/core/class-password.php
index 03754389..dbb168d2 100644
--- a/includes/core/class-password.php
+++ b/includes/core/class-password.php
@@ -533,10 +533,15 @@ if ( ! class_exists( 'um\core\Password' ) ) {
 }
 if ( isset( $args['user_password'] ) ) {
- $args['user_password'] = sanitize_text_field( $args['user_password'] );
+ $args['user_password'] = trim( $args['user_password'] );
 }
 if ( isset( $args['confirm_user_password'] ) ) {
- $args['confirm_user_password'] = sanitize_text_field( $args['confirm_user_password'] );
+ $args['confirm_user_password'] = trim( $args['confirm_user_password'] );
+ }
+
+ // Check for "\" in password.
+ if ( false !== strpos( wp_unslash( $args['user_password'] ), '\\' ) ) {
+ UM()->form()->add_error( 'user_password', __( 'Passwords may not contain the character "\\".', 'ultimate-member' ) );
 }
 if ( UM()->options()->get( 'require_strongpass' ) ) {
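Review bot: `trim( $form[ $k ] )` in the new `case 'password'` branch assumes the submitted value is a string; if the field arrives as an array rather than a string, PHP 8 throws an uncaught TypeError, whereas the `sanitize_text_field()` path the password used to share returned an empty string for arrays and objects (if I remember its guard correctly), so this is a regression from a validation error to a 500. A type guard keeps the failure mode unchanged: `$form[ $k ] = is_string( $form[ $k ] ) ? trim( $form[ $k ] ) : '';`, with the same treatment for the `'confirm_' . $k` key. The same bare `trim()` on request data is introduced in the class-password.php hunk at line 533 and in the um-actions-account.php hunks at lines 25, 45, 122 and 204; one small helper that normalises a password field (string check plus trim) would serve all of them. The enclosing switch and the sanitising loop around it start and end outside the hunk.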
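Review bot: The backslash check added below the `confirm_user_password` block reads `$args['user_password']` unconditionally, while the lines just above guard that key with `isset()`; when the key is absent, `wp_unslash( null )` hands `strpos()` a null, which PHP 8.1+ reports as a deprecation. Moving the check inside the `if ( isset( $args['user_password'] ) )` block, or reading `$args['user_password'] ?? ''`, closes that gap. The identical check (comment, condition and message) is also added in um-actions-account.php at line 62 and in the new `um_submit_form_errors_hook__registration()` in um-actions-register.php, yet only the account copy does `return;` after the error while this one continues into the strength checks; a single shared helper on `um\core\Password` (e.g. a `has_backslash( $password )` style method) would keep the three copies and their behaviour in step. Whether the strength checks that follow are reached once the error is set lies outside the hunk.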
@@ -546,11 +551,11 @@ if ( ! class_exists( 'um\core\Password' ) ) {
 $max_length = UM()->options()->get( 'password_max_chars' );
 $max_length = ! empty( $max_length ) ? $max_length : 30;
- if ( mb_strlen( $args['user_password'] ) < $min_length ) {
+ if ( mb_strlen( wp_unslash( $args['user_password'] ) ) < $min_length ) {
 UM()->form()->add_error( 'user_password', sprintf( __( 'Your password must contain at least %d characters', 'ultimate-member' ), $min_length ) );
 }
- if ( mb_strlen( $args['user_password'] ) > $max_length ) {
+ if ( mb_strlen( wp_unslash( $args['user_password'] ) ) > $max_length ) {
 UM()->form()->add_error( 'user_password', sprintf( __( 'Your password must contain less than %d characters', 'ultimate-member' ), $max_length ) );
 }
@@ -619,7 +624,7 @@ if ( ! class_exists( 'um\core\Password' ) ) {
 do_action( 'validate_password_reset', $errors, $user );
 if ( ( ! $errors->get_error_code() ) ) {
- reset_password( $user, sanitize_text_field( $args['user_password'] ) );
+ reset_password( $user, trim( $args['user_password'] ) );
 // send the Password Changed Email
 UM()->user()->password_changed();
diff --git a/includes/core/um-actions-account.php b/includes/core/um-actions-account.php
index 0f5043e9..c4324e74 100644
--- a/includes/core/um-actions-account.php
+++ b/includes/core/um-actions-account.php
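Review bot: `wp_unslash( $args['user_password'] )` is now evaluated twice in this hunk (and twice more in the um-actions-account.php hunk at line 87); hoisting it once above the comparisons, `$password = wp_unslash( $args['user_password'] );`, makes both length checks read the same value and gives the remaining strength checks after this hunk (not visible here) an obvious variable to use, since any of them still reading the slashed `$args['user_password']` would count escape backslashes toward the length or the character-class patterns. While these lines are being touched, the message on the `$max_length` branch says "less than %d characters" although the condition only rejects passwords longer than `$max_length`; `'Your password must contain at most %d characters'` would match the check, at the cost of a new translation string. Both points apply equally to the account hunk.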
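Review bot: `trim( $args['user_password'] )` is handed to `reset_password()` still slashed, while the validation earlier in the same method deliberately measured `wp_unslash( $args['user_password'] )`; that asymmetry is only correct because WordPress core itself hashes and later verifies the slashed POST value (wp-login.php passes `$_POST['pass1']` to `reset_password()` and `wp_signon()` reads `$_POST['pwd']` directly, if I read core correctly), and the backslash check above exists to keep the slashed and unslashed forms identical. A future maintainer is likely to "fix" this line by unslashing it, which would break login for every password containing a quote, so it deserves a why-comment: `// Intentionally not unslashed: WP core hashes and verifies the slashed POST value, so unslashing here would break login for passwords containing quotes.` The same note belongs on `$changes['user_pass'] = trim( $args['user_password'] );` in um-actions-account.php at line 204, which feeds `wp_set_password()`. The enclosing method continues outside the hunk.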
@@ -25,10 +25,10 @@ function um_submit_account_errors_hook( $args ) {
 case 'delete': {
 // delete account
 if ( UM()->account()->current_password_is_required( 'delete' ) ) {
- if ( strlen( trim( sanitize_text_field( $args['single_user_password'] ) ) ) === 0 ) {
+ if ( strlen( trim( $args['single_user_password'] ) ) === 0 ) {
 UM()->form()->add_error( 'single_user_password', __( 'You must enter your password', 'ultimate-member' ) );
 } else {
- if ( ! wp_check_password( sanitize_text_field( $args['single_user_password'] ), $current_user->data->user_pass, $current_user->data->ID ) ) {
+ if ( ! wp_check_password( trim( $args['single_user_password'] ), $current_user->data->user_pass, $current_user->data->ID ) ) {
 UM()->form()->add_error( 'single_user_password', __( 'This is not your password', 'ultimate-member' ) );
 }
 }
@@ -45,11 +45,11 @@ function um_submit_account_errors_hook( $args ) {
 UM()->account()->current_tab = 'password';
 if ( isset( $args['user_password'] ) ) {
- $args['user_password'] = sanitize_text_field( $args['user_password'] );
+ $args['user_password'] = trim( $args['user_password'] );
 }
 if ( isset( $args['confirm_user_password'] ) ) {
- $args['confirm_user_password'] = sanitize_text_field( $args['confirm_user_password'] );
+ $args['confirm_user_password'] = trim( $args['confirm_user_password'] );
 }
 if ( empty( $args['user_password'] ) ) {
@@ -62,6 +62,12 @@ function um_submit_account_errors_hook( $args ) {
 return;
 }
+ // Check for "\" in password.
+ if ( false !== strpos( wp_unslash( $args['user_password'] ), '\\' ) ) {
+ UM()->form()->add_error( 'user_password', __( 'Passwords may not contain the character "\\".', 'ultimate-member' ) );
+ return;
+ }
+
 if ( ! empty( $args['user_password'] ) && ! empty( $args['confirm_user_password'] ) ) {
 if ( UM()->account()->current_password_is_required( 'password' ) ) {
@@ -87,11 +93,11 @@ function um_submit_account_errors_hook( $args ) {
 $max_length = UM()->options()->get( 'password_max_chars' );
 $max_length = ! empty( $max_length ) ? $max_length : 30;
- if ( mb_strlen( $args['user_password'] ) < $min_length ) {
+ if ( mb_strlen( wp_unslash( $args['user_password'] ) ) < $min_length ) {
 UM()->form()->add_error( 'user_password', sprintf( __( 'Your password must contain at least %d characters', 'ultimate-member' ), $min_length ) );
 }
- if ( mb_strlen( $args['user_password'] ) > $max_length ) {
+ if ( mb_strlen( wp_unslash( $args['user_password'] ) ) > $max_length ) {
 UM()->form()->add_error( 'user_password', sprintf( __( 'Your password must contain less than %d characters', 'ultimate-member' ), $max_length ) );
 }
@@ -122,7 +128,7 @@ function um_submit_account_errors_hook( $args ) {
 $args['user_email'] = sanitize_email( $args['user_email'] );
 }
 if ( isset( $args['single_user_password'] ) ) {
- $args['single_user_password'] = sanitize_text_field( $args['single_user_password'] );
+ $args['single_user_password'] = trim( $args['single_user_password'] );
 }
 if ( isset( $args['first_name'] ) && ( strlen( trim( $args['first_name'] ) ) === 0 && $account_name_require ) ) {
@@ -150,7 +156,7 @@ function um_submit_account_errors_hook( $args ) {
 // check account password
 if ( UM()->account()->current_password_is_required( 'general' ) ) {
- if ( strlen( trim( $args['single_user_password'] ) ) === 0 ) {
+ if ( strlen( $args['single_user_password'] ) === 0 ) {
 UM()->form()->add_error( 'single_user_password', __( 'You must enter your password', 'ultimate-member' ) );
 } else {
 if ( ! wp_check_password( $args['single_user_password'], $current_user->data->user_pass, $current_user->data->ID ) ) {
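Review bot: `strlen( $args['single_user_password'] ) === 0` in the general-tab hunk at line 150 now depends on the `trim()` applied under `isset()` in the hunk at line 122, some thirty lines earlier and not visible from this check; a one-line note keeps that coupling explicit: `// Already trimmed above; an all-whitespace password counts as empty.` The `delete` tab at line 25 keeps the inline `strlen( trim( $args['single_user_password'] ) )` form, so the two tabs now express the same emptiness check in two styles; either trim both under the tab's `isset()` or keep both inline. If `single_user_password` is not present at all, `strlen( null )` is a PHP 8.1 deprecation, though that was already true of `trim( null )` before the change. The `else` branch continues outside the hunk.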
@@ -204,7 +210,7 @@ function um_submit_account_details( $args ) {
 //change password account's tab
 if ( 'password' === $current_tab && $args['user_password'] && $args['confirm_user_password'] ) {
- $changes['user_pass'] = sanitize_text_field( $args['user_password'] );
+ $changes['user_pass'] = trim( $args['user_password'] );
 $args['user_id'] = $user_id;
@@ -218,6 +224,8 @@ function um_submit_account_details( $args ) {
 wp_set_password( $changes['user_pass'], $user_id );
+ do_action( 'um_before_signon_after_account_changes', $args );
+
 wp_signon( array(
 'user_login' => um_user( 'user_login' ),
diff --git a/includes/core/um-actions-register.php b/includes/core/um-actions-register.php
index 9081cf43..b170a89e 100644
--- a/includes/core/um-actions-register.php
+++ b/includes/core/um-actions-register.php
@@ -272,6 +272,14 @@ function um_check_user_status( $user_id, $args ) {
 add_action( 'um_registration_complete', 'um_check_user_status', 100, 2 );
+function um_submit_form_errors_hook__registration( $args ) {
+ // Check for "\" in password.
+ if ( false !== strpos( wp_unslash( trim( $args['user_password'] ) ), '\\' ) ) {
+ UM()->form()->add_error( 'user_password', __( 'Passwords may not contain the character "\\".', 'ultimate-member' ) );
+ }
+}
+add_action( 'um_submit_form_errors_hook__registration', 'um_submit_form_errors_hook__registration', 10, 1 );
+
 /**
 * Registration form submit handler
 *
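Review bot: `do_action( 'um_before_signon_after_account_changes', $args )` in the hunk at line 218 fires with the full `$args` array, which at this point still carries the submitted plaintext `user_password` and `confirm_user_password` (the hunk at line 204 reads both from `$args`), so every listener on the new hook receives the clear-text password; passing only the fields listeners need, or at least stating what `$args` holds, limits the chance a callback logs or persists it. The new action also has no docblock, and that docblock is the only documentation a third-party developer gets; a short one above the call naming the hook, when it fires (after `wp_set_password()`, before `wp_signon()`) and that `$args` contains the plaintext password fields would do. The enclosing function continues outside the hunk, and the um-actions-register.php hunk that follows is cut off at the end of the page, so it is not reviewed here.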