- using slashes in the callback function setting of the dropdown fields;

2026-06-05 15:09:37 +09:00 · 2022-06-08 21:24:23 +03:00
parent f46a382532
commit fe88b40939
8 changed files with 60 additions and 35 deletions
@@ -982,21 +982,21 @@ if ( ! class_exists( 'um\admin\core\Admin_Builder' ) ) {

 						<div class="um-admin-half">

-							<?php if ( isset( $col1 ) ) {  foreach( $col1 as $opt ) $metabox->field_input ( $opt, null, $metabox->edit_array ); } ?>
+							<?php if ( isset( $col1 ) ) {  foreach( $col1 as $opt ) $metabox->field_input ( $opt, $arg2, $metabox->edit_array ); } ?>

 						</div>

 						<div class="um-admin-half um-admin-right">

-							<?php if ( isset( $col2 ) ) {  foreach( $col2 as $opt ) $metabox->field_input ( $opt, null, $metabox->edit_array ); } ?>
+							<?php if ( isset( $col2 ) ) {  foreach( $col2 as $opt ) $metabox->field_input ( $opt, $arg2, $metabox->edit_array ); } ?>

 						</div><div class="um-admin-clear"></div>

-						<?php if ( isset( $col3 ) ) { foreach( $col3 as $opt ) $metabox->field_input ( $opt, null, $metabox->edit_array ); } ?>
+						<?php if ( isset( $col3 ) ) { foreach( $col3 as $opt ) $metabox->field_input ( $opt, $arg2, $metabox->edit_array ); } ?>

 						<div class="um-admin-clear"></div>

-						<?php if ( isset( $col_full ) ) {foreach( $col_full as $opt ) $metabox->field_input ( $opt, null, $metabox->edit_array ); } ?>
+						<?php if ( isset( $col_full ) ) {foreach( $col_full as $opt ) $metabox->field_input ( $opt, $arg2, $metabox->edit_array ); } ?>

 						<?php $this->modal_footer( $arg2, $args, $metabox ); ?>

@@ -1190,7 +1190,7 @@ if ( ! class_exists( 'um\admin\core\Admin_Builder' ) ) {
 		 */
 		public function skip_field_validation( $skip, $post_input, $array ) {
 			if ( $post_input === '_options' && isset( $array['post']['_custom_dropdown_options_source'] ) ) {
-				$skip = function_exists( $array['post']['_custom_dropdown_options_source'] );
+				$skip = function_exists( wp_unslash( $array['post']['_custom_dropdown_options_source'] ) );
 			}

 			return $skip;
@@ -1209,7 +1209,11 @@ if ( ! class_exists( 'um\admin\core\Admin_Builder' ) ) {

 			$arr_options = array();

-			$um_callback_func = sanitize_key( $_POST['um_option_callback'] );
+			// we can not use `sanitize_key()` because it removes backslash needed for namespace and uppercase symbols
+			$um_callback_func = sanitize_text_field( $_POST['um_option_callback'] );
+			// removed added by sanitize slashes for the namespaces
+			$um_callback_func = wp_unslash( $um_callback_func );
+
 			if ( empty( $um_callback_func ) ) {
 				$arr_options['status'] = 'empty';
 				$arr_options['function_name'] = $um_callback_func;
@@ -2391,13 +2391,12 @@ if ( ! class_exists( 'um\admin\core\Admin_Metabox' ) ) {
 					?>

 					<p><label for="_custom_dropdown_options_source"><?php _e( 'Choices Callback', 'ultimate-member' ) ?> <?php UM()->tooltip( __( 'Add a callback source to retrieve choices.', 'ultimate-member' ) ); ?></label>
-						<input type="text" name="_custom_dropdown_options_source" id="_custom_dropdown_options_source" value="<?php echo htmlspecialchars($this->edit_mode_value, ENT_QUOTES); ?>" />
+						<input type="text" name="_custom_dropdown_options_source" id="_custom_dropdown_options_source" value="<?php echo esc_attr( $this->edit_mode_value ); ?>" />
 					</p>

 					<?php
 					break;

-
 				case '_parent_dropdown_relationship':
 					?>

@@ -67,7 +67,7 @@ if ( ! class_exists( 'um\core\Builtin' ) ) {

 			$fields = $this->all_user_fields;

-			if ( isset( $fields[$field]['options'] ) || ! empty( $fields[$field]['custom_dropdown_options_source'] ) ) {
+			if ( isset( $fields[ $field ]['options'] ) || ! empty( $fields[ $field ]['custom_dropdown_options_source'] ) ) {
 				return true;
 			}

@@ -144,18 +144,20 @@ if ( ! class_exists( 'um\core\Fields' ) ) {

 			$fields[ $id ] = $args;

-			if ( array_key_exists( 'custom_dropdown_options_source', $args ) && function_exists( $args['custom_dropdown_options_source'] ) ) {
-				$allowed_callbacks = UM()->options()->get( 'allowed_choice_callbacks' );
-				if ( ! empty( $allowed_callbacks ) ) {
-					$allowed_callbacks = array_map( 'rtrim', explode( "\n", $allowed_callbacks ) );
-					$allowed_callbacks[] = $args['custom_dropdown_options_source'];
-				} else {
-					$allowed_callbacks = array( $args['custom_dropdown_options_source'] );
-				}
-				$allowed_callbacks = array_unique( $allowed_callbacks );
-				$allowed_callbacks = implode( "\r\n", $allowed_callbacks );
+			if ( array_key_exists( 'custom_dropdown_options_source', $args ) ) {
+				if ( function_exists( wp_unslash( $args['custom_dropdown_options_source'] ) ) ) {
+					$allowed_callbacks = UM()->options()->get( 'allowed_choice_callbacks' );
+					if ( ! empty( $allowed_callbacks ) ) {
+						$allowed_callbacks = array_map( 'rtrim', explode( "\n", $allowed_callbacks ) );
+						$allowed_callbacks[] = $args['custom_dropdown_options_source'];
+					} else {
+						$allowed_callbacks = array( $args['custom_dropdown_options_source'] );
+					}
+					$allowed_callbacks = array_unique( $allowed_callbacks );
+					$allowed_callbacks = implode( "\r\n", $allowed_callbacks );

-				UM()->options()->update( 'allowed_choice_callbacks', $allowed_callbacks );
+					UM()->options()->update( 'allowed_choice_callbacks', $allowed_callbacks );
+				}
 			}

 			unset( $fields[ $id ]['in_row'] );
@@ -197,22 +199,26 @@ if ( ! class_exists( 'um\core\Fields' ) ) {
 				$args = array_merge( UM()->builtin()->predefined_fields[ $id ], $args );
 			}

-			$fields[ $id ] = $args;
+			if ( array_key_exists( 'custom_dropdown_options_source', $args ) ) {
+				if ( function_exists( wp_unslash( $args['custom_dropdown_options_source'] ) ) ) {
+					$allowed_callbacks = UM()->options()->get( 'allowed_choice_callbacks' );
+					if ( ! empty( $allowed_callbacks ) ) {
+						$allowed_callbacks = array_map( 'rtrim', explode( "\n", $allowed_callbacks ) );
+						$allowed_callbacks[] = $args['custom_dropdown_options_source'];
+					} else {
+						$allowed_callbacks = array( $args['custom_dropdown_options_source'] );
+					}
+					$allowed_callbacks = array_unique( $allowed_callbacks );
+					$allowed_callbacks = implode( "\r\n", $allowed_callbacks );

-			if ( array_key_exists( 'custom_dropdown_options_source', $args ) && function_exists( $args['custom_dropdown_options_source'] ) ) {
-				$allowed_callbacks = UM()->options()->get( 'allowed_choice_callbacks' );
-				if ( ! empty( $allowed_callbacks ) ) {
-					$allowed_callbacks = array_map( 'rtrim', explode( "\n", $allowed_callbacks ) );
-					$allowed_callbacks[] = $args['custom_dropdown_options_source'];
-				} else {
-					$allowed_callbacks = array( $args['custom_dropdown_options_source'] );
+					UM()->options()->update( 'allowed_choice_callbacks', $allowed_callbacks );
+
+					$args['custom_dropdown_options_source'] = wp_unslash( $args['custom_dropdown_options_source'] );
 				}
-				$allowed_callbacks = array_unique( $allowed_callbacks );
-				$allowed_callbacks = implode( "\r\n", $allowed_callbacks );
-
-				UM()->options()->update( 'allowed_choice_callbacks', $allowed_callbacks );
 			}

+			$fields[ $id ] = $args;
+
 			// for group field only
 			if ( $args['type'] == 'group' ) {
 				$fields[ $id ]['in_group'] = '';
@@ -132,13 +132,14 @@ if ( ! class_exists( 'um\core\Form' ) ) {
 			}

 			$allowed_callbacks = UM()->options()->get( 'allowed_choice_callbacks' );
+
 			if ( empty( $allowed_callbacks ) ) {
 				$arr_options['status']  = 'error';
 				$arr_options['message'] = __( 'This is not possible for security reasons.', 'ultimate-member' );
 				wp_send_json( $arr_options );
 			}

-			$allowed_callbacks = array_map( 'rtrim', explode( "\n", $allowed_callbacks ) );
+			$allowed_callbacks = array_map( 'rtrim', explode( "\n", wp_unslash( $allowed_callbacks ) ) );

 			if ( ! in_array( $ajax_source_func, $allowed_callbacks, true ) ) {
 				$arr_options['status']  = 'error';
@@ -612,6 +612,8 @@ if ( ! class_exists( 'um\core\Member_Directory' ) ) {
 							}
 						}

+						$attrs['custom_dropdown_options_source'] = wp_unslash( $attrs['custom_dropdown_options_source'] );
+
 						$ajax_source = apply_filters( "um_custom_dropdown_options_source__{$filter}", $attrs['custom_dropdown_options_source'], $attrs );
 						$custom_dropdown .= ' data-um-ajax-source="' . esc_attr( $ajax_source ) . '" ';

@@ -279,7 +279,20 @@ if ( ! class_exists( 'um\core\Query' ) ) {
 		 * @param $post_id
 		 * @param $new_value
 		 */
-		function update_attr( $key, $post_id, $new_value ){
+		function update_attr( $key, $post_id, $new_value ) {
+			/**
+			 * Post meta values are passed through the stripslashes() function upon being stored.
+			 * Function wp_slash() is added to compensate for the call to stripslashes().
+			 * @see https://developer.wordpress.org/reference/functions/update_post_meta/
+			 */
+			if ( is_array( $new_value ) ) {
+				foreach ( $new_value as $k => $val ) {
+					if ( is_array( $val ) && array_key_exists( 'custom_dropdown_options_source', $val ) ) {
+						$new_value[ $k ]['custom_dropdown_options_source'] = wp_slash( $val['custom_dropdown_options_source'] );
+					}
+				}
+			}
+
 			update_post_meta( $post_id, '_um_' . $key, $new_value );
 		}

@@ -94,7 +94,7 @@ if ( ! class_exists( 'um\core\Validation' ) ) {
 				if ( in_array( $fields[ $key ]['type'], array( 'select','multiselect' ) ) && 
 					isset( $fields[ $key ]['custom_dropdown_options_source'] ) &&
 					! empty( $fields[ $key ]['custom_dropdown_options_source'] ) &&
-					function_exists( $fields[ $key ]['custom_dropdown_options_source'] ) ){
+					function_exists( $fields[ $key ]['custom_dropdown_options_source'] ) ) {
 					$arr_options = call_user_func( $fields[ $key ]['custom_dropdown_options_source'] );
 					$fields[ $key ]['options'] = array_keys( $arr_options );
 				}