diff --git a/includes/admin/core/class-admin-builder.php b/includes/admin/core/class-admin-builder.php
index 336c21ca..0cd129ac 100644
--- a/includes/admin/core/class-admin-builder.php
+++ b/includes/admin/core/class-admin-builder.php
@@ -982,21 +982,21 @@ if ( ! class_exists( 'um\admin\core\Admin_Builder' ) ) {
- +
diff --git a/includes/core/class-builtin.php b/includes/core/class-builtin.php
index 62f6c395..c3bc14fe 100644
--- a/includes/core/class-builtin.php
+++ b/includes/core/class-builtin.php
@@ -67,7 +67,7 @@ if ( ! class_exists( 'um\core\Builtin' ) ) {
 $fields = $this->all_user_fields;
- if ( isset( $fields[$field]['options'] ) || ! empty( $fields[$field]['custom_dropdown_options_source'] ) ) {
+ if ( isset( $fields[ $field ]['options'] ) || ! empty( $fields[ $field ]['custom_dropdown_options_source'] ) ) {
 return true;
 }
diff --git a/includes/core/class-fields.php b/includes/core/class-fields.php
index 55db4a71..2abe7a70 100644
--- a/includes/core/class-fields.php
+++ b/includes/core/class-fields.php
@@ -144,18 +144,20 @@ if ( ! class_exists( 'um\core\Fields' ) ) {
 $fields[ $id ] = $args;
- if ( array_key_exists( 'custom_dropdown_options_source', $args ) && function_exists( $args['custom_dropdown_options_source'] ) ) {
- $allowed_callbacks = UM()->options()->get( 'allowed_choice_callbacks' );
- if ( ! empty( $allowed_callbacks ) ) {
- $allowed_callbacks = array_map( 'rtrim', explode( "\n", $allowed_callbacks ) );
- $allowed_callbacks[] = $args['custom_dropdown_options_source'];
- } else {
- $allowed_callbacks = array( $args['custom_dropdown_options_source'] );
- }
- $allowed_callbacks = array_unique( $allowed_callbacks );
- $allowed_callbacks = implode( "\r\n", $allowed_callbacks );
+ if ( array_key_exists( 'custom_dropdown_options_source', $args ) ) {
+ if ( function_exists( wp_unslash( $args['custom_dropdown_options_source'] ) ) ) {
+ $allowed_callbacks = UM()->options()->get( 'allowed_choice_callbacks' );
+ if ( ! empty( $allowed_callbacks ) ) {
+ $allowed_callbacks = array_map( 'rtrim', explode( "\n", $allowed_callbacks ) );
+ $allowed_callbacks[] = $args['custom_dropdown_options_source'];
+ } else {
+ $allowed_callbacks = array( $args['custom_dropdown_options_source'] );
+ }
+ $allowed_callbacks = array_unique( $allowed_callbacks );
+ $allowed_callbacks = implode( "\r\n", $allowed_callbacks );
- UM()->options()->update( 'allowed_choice_callbacks', $allowed_callbacks );
+ UM()->options()->update( 'allowed_choice_callbacks', $allowed_callbacks );
+ }
 }
 unset( $fields[ $id ]['in_row'] );
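Review bot: The name that passes `function_exists( wp_unslash( … ) )` is not the name that gets stored: `$allowed_callbacks[] = $args['custom_dropdown_options_source'];` appends the raw (possibly slashed) value, and `$fields[ $id ] = $args;` above the block keeps it too, while the sibling hunk at -197 in this file goes the other way and unslashes `$args['custom_dropdown_options_source']` before `$fields[ $id ] = $args;`. Assuming both paths persist through the `update_attr()` change in class-query.php and are read back through the new `wp_unslash()` in class-member-directory.php, at most one of them can round-trip a callback name containing backslashes — a namespaced function, which is exactly the case slashing alters — so pick one convention for what `$fields[ $id ]` holds and apply it in both methods. I would also append the validated spelling to the allowlist in both hunks, `$allowed_callbacks[] = wp_unslash( $args['custom_dropdown_options_source'] );`, so `array_unique()` cannot keep the slashed and unslashed forms of the same name side by side. Note that `allowed_choice_callbacks` is grown from whatever submitted name happens to exist as a function, so it is only as strong as the capability check on the caller that reaches this code, which is outside the hunk; the enclosing method also starts before and ends after the hunk.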
@@ -197,22 +199,26 @@ if ( ! class_exists( 'um\core\Fields' ) ) {
 $args = array_merge( UM()->builtin()->predefined_fields[ $id ], $args );
 }
- $fields[ $id ] = $args;
+ if ( array_key_exists( 'custom_dropdown_options_source', $args ) ) {
+ if ( function_exists( wp_unslash( $args['custom_dropdown_options_source'] ) ) ) {
+ $allowed_callbacks = UM()->options()->get( 'allowed_choice_callbacks' );
+ if ( ! empty( $allowed_callbacks ) ) {
+ $allowed_callbacks = array_map( 'rtrim', explode( "\n", $allowed_callbacks ) );
+ $allowed_callbacks[] = $args['custom_dropdown_options_source'];
+ } else {
+ $allowed_callbacks = array( $args['custom_dropdown_options_source'] );
+ }
+ $allowed_callbacks = array_unique( $allowed_callbacks );
+ $allowed_callbacks = implode( "\r\n", $allowed_callbacks );
- if ( array_key_exists( 'custom_dropdown_options_source', $args ) && function_exists( $args['custom_dropdown_options_source'] ) ) {
- $allowed_callbacks = UM()->options()->get( 'allowed_choice_callbacks' );
- if ( ! empty( $allowed_callbacks ) ) {
- $allowed_callbacks = array_map( 'rtrim', explode( "\n", $allowed_callbacks ) );
- $allowed_callbacks[] = $args['custom_dropdown_options_source'];
- } else {
- $allowed_callbacks = array( $args['custom_dropdown_options_source'] );
+ UM()->options()->update( 'allowed_choice_callbacks', $allowed_callbacks );
+
+ $args['custom_dropdown_options_source'] = wp_unslash( $args['custom_dropdown_options_source'] );
 }
- $allowed_callbacks = array_unique( $allowed_callbacks );
- $allowed_callbacks = implode( "\r\n", $allowed_callbacks );
-
- UM()->options()->update( 'allowed_choice_callbacks', $allowed_callbacks );
 }
+ $fields[ $id ] = $args;
+
 // for group field only
 if ( $args['type'] == 'group' ) {
 $fields[ $id ]['in_group'] = '';
diff --git a/includes/core/class-form.php b/includes/core/class-form.php
index 6e47d9c5..901dd005 100644
--- a/includes/core/class-form.php
+++ b/includes/core/class-form.php
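Review bot: The allowlist-update block, from `UM()->options()->get( 'allowed_choice_callbacks' )` down to `UM()->options()->update( … )`, is now a verbatim copy of the one at -144 in this file, and the two copies already disagree on whether `$args['custom_dropdown_options_source']` is unslashed afterwards. Extracting it into one private method keeps the `function_exists()` gate and the stored spelling in a single place, so a later correction lands in both callers; something like the helper below, invoked as `$this->allow_choice_callback( $args['custom_dropdown_options_source'] )` from both methods, with the current behaviour otherwise unchanged. The enclosing method starts before the hunk and ends after it.

```php
/**
 * Record a dropdown-options callback in the `allowed_choice_callbacks` option.
 *
 * @param string $callback Function name as submitted (may still be slashed).
 * @return bool True when the name exists as a function and was recorded.
 */
private function allow_choice_callback( $callback ) {
	if ( ! function_exists( wp_unslash( $callback ) ) ) {
		return false;
	}

	$allowed_callbacks = UM()->options()->get( 'allowed_choice_callbacks' );
	if ( ! empty( $allowed_callbacks ) ) {
		$allowed_callbacks   = array_map( 'rtrim', explode( "\n", $allowed_callbacks ) );
		$allowed_callbacks[] = $callback;
	} else {
		$allowed_callbacks = array( $callback );
	}

	UM()->options()->update( 'allowed_choice_callbacks', implode( "\r\n", array_unique( $allowed_callbacks ) ) );

	return true;
}
```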
@@ -132,13 +132,14 @@ if ( ! class_exists( 'um\core\Form' ) ) {
 }
 $allowed_callbacks = UM()->options()->get( 'allowed_choice_callbacks' );
+
 if ( empty( $allowed_callbacks ) ) {
 $arr_options['status'] = 'error';
 $arr_options['message'] = __( 'This is not possible for security reasons.', 'ultimate-member' );
 wp_send_json( $arr_options );
 }
- $allowed_callbacks = array_map( 'rtrim', explode( "\n", $allowed_callbacks ) );
+ $allowed_callbacks = array_map( 'rtrim', explode( "\n", wp_unslash( $allowed_callbacks ) ) );
 if ( ! in_array( $ajax_source_func, $allowed_callbacks, true ) ) {
 $arr_options['status'] = 'error';
diff --git a/includes/core/class-member-directory.php b/includes/core/class-member-directory.php
index be1f24d1..e2c7290d 100644
--- a/includes/core/class-member-directory.php
+++ b/includes/core/class-member-directory.php
@@ -612,6 +612,8 @@ if ( ! class_exists( 'um\core\Member_Directory' ) ) {
 }
 }
+ $attrs['custom_dropdown_options_source'] = wp_unslash( $attrs['custom_dropdown_options_source'] );
+
 $ajax_source = apply_filters( "um_custom_dropdown_options_source__{$filter}", $attrs['custom_dropdown_options_source'], $attrs );
 $custom_dropdown .= ' data-um-ajax-source="' . esc_attr( $ajax_source ) . '" ';
diff --git a/includes/core/class-query.php b/includes/core/class-query.php
index d2993bdb..d6814f7f 100644
--- a/includes/core/class-query.php
+++ b/includes/core/class-query.php
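Review bot: The stored list is now unslashed before the strict `in_array( $ajax_source_func, $allowed_callbacks, true )`, but `$ajax_source_func` is assigned above the hunk and has to carry the same spelling, otherwise a callback name containing backslashes (a namespaced function, the case slashing actually changes) compares unequal and is rejected. The converse also matters: `wp_unslash()` on a value that was stored unslashed strips real backslashes, so this line is only correct if every writer stores the slashed form — worth confirming against class-fields.php, where the -144 and -197 paths currently differ. Consider `trim` rather than `rtrim` and dropping empty entries, `$allowed_callbacks = array_filter( array_map( 'trim', explode( "\n", wp_unslash( $allowed_callbacks ) ) ) );`, so a stray leading space or blank line in the option cannot silently un-allow a name. The enclosing method starts before the hunk and ends after it.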
@@ -279,7 +279,20 @@ if ( ! class_exists( 'um\core\Query' ) ) {
 * @param $post_id
 * @param $new_value
 */
- function update_attr( $key, $post_id, $new_value ){
+ function update_attr( $key, $post_id, $new_value ) {
+ /**
+ * Post meta values are passed through the stripslashes() function upon being stored.
+ * Function wp_slash() is added to compensate for the call to stripslashes().
+ * @see https://developer.wordpress.org/reference/functions/update_post_meta/
+ */
+ if ( is_array( $new_value ) ) {
+ foreach ( $new_value as $k => $val ) {
+ if ( is_array( $val ) && array_key_exists( 'custom_dropdown_options_source', $val ) ) {
+ $new_value[ $k ]['custom_dropdown_options_source'] = wp_slash( $val['custom_dropdown_options_source'] );
+ }
+ }
+ }
+
 update_post_meta( $post_id, '_um_' . $key, $new_value );
 }
diff --git a/includes/core/class-validation.php b/includes/core/class-validation.php
index 3589e691..f318877b 100644
--- a/includes/core/class-validation.php
+++ b/includes/core/class-validation.php
@@ -94,7 +94,7 @@ if ( ! class_exists( 'um\core\Validation' ) ) {
 if ( in_array( $fields[ $key ]['type'], array( 'select','multiselect' ) ) &&
 isset( $fields[ $key ]['custom_dropdown_options_source'] ) &&
 ! empty( $fields[ $key ]['custom_dropdown_options_source'] ) &&
- function_exists( $fields[ $key ]['custom_dropdown_options_source'] ) ){
+ function_exists( $fields[ $key ]['custom_dropdown_options_source'] ) ) {
 $arr_options = call_user_func( $fields[ $key ]['custom_dropdown_options_source'] );
 $fields[ $key ]['options'] = array_keys( $arr_options );
 }
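Review bot: The compensation in `update_attr()` only covers `custom_dropdown_options_source` one level below the top of `$new_value`, so any other string in the same meta that contains a backslash still loses it to the `stripslashes()` inside `update_post_meta()`. WordPress's documented pattern is to slash the whole value, `update_post_meta( $post_id, '_um_' . $key, wp_slash( $new_value ) );`, which would replace the loop — but that is only right if every caller passes unslashed data, which the hunk cannot show, so if the narrow fix is deliberate the docblock should say which key is compensated and why the rest is not. `wp_slash()` itself accepts arrays, so the `is_array( $val )` guard is there only to make `array_key_exists()` safe, which a short comment on that line would make clear. Since the signature line is being touched anyway, `public function update_attr( $key, $post_id, $new_value ) {` would also give the method the visibility that the WordPress coding standards expect.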