Formidable Forms – Form Builder for WordPress - Version 3.01.03

Version Description

  • Fix: Add responsive styling for the .frm_four_col class when grids are disabled
  • Fix: Honor the HTML5 min, max, and step attributes on number fields. This code previously lived only in the Pro form builder.
  • Fix: More escaping for translated strings, and whitelist false positives for code security tools
  • Fix: When form builder is loaded with ajax, prevent errors when the default value is an array
  • Fix: Add a nonce check when updating settings for a form
  • Removed: Get rid of the start tour. We will add this back in a less annoying way.

Release Info

Developer sswells
Version 3.01.03

Code changes from version 3.01.02 to 3.01.03

Files changed (73)
  1. classes/controllers/FrmAddonsController.php +1 -1
  2. classes/controllers/FrmAppController.php +3 -40
  3. classes/controllers/FrmEntriesController.php +5 -5
  4. classes/controllers/FrmFieldsController.php +14 -7
  5. classes/controllers/FrmFormActionsController.php +5 -0
  6. classes/controllers/FrmFormsController.php +11 -11
  7. classes/controllers/FrmSettingsController.php +1 -1
  8. classes/helpers/FrmAppHelper.php +3 -3
  9. classes/helpers/FrmCSVExportHelper.php +1 -1
  10. classes/helpers/FrmEntriesListHelper.php +2 -2
  11. classes/helpers/FrmFieldsHelper.php +5 -5
  12. classes/helpers/FrmFormsHelper.php +8 -4
  13. classes/helpers/FrmListHelper.php +23 -23
  14. classes/helpers/FrmStylesHelper.php +1 -1
  15. classes/helpers/FrmXMLHelper.php +5 -5
  16. classes/models/FrmAddon.php +1 -1
  17. classes/models/FrmCreateFile.php +1 -1
  18. classes/models/FrmDb.php +4 -4
  19. classes/models/FrmEDD_SL_Plugin_Updater.php +8 -7
  20. classes/models/FrmEntry.php +3 -3
  21. classes/models/FrmEntryMeta.php +5 -5
  22. classes/models/FrmEntryValidate.php +1 -1
  23. classes/models/FrmField.php +1 -1
  24. classes/models/FrmForm.php +4 -4
  25. classes/models/FrmMigrate.php +8 -8
  26. classes/models/FrmNotification.php +1 -1
  27. classes/models/FrmPointers.php +4 -325
  28. classes/models/fields/FrmFieldCaptcha.php +2 -2
  29. classes/models/fields/FrmFieldDefault.php +2 -2
  30. classes/models/fields/FrmFieldNumber.php +7 -0
  31. classes/models/fields/FrmFieldTextarea.php +5 -4
  32. classes/models/fields/FrmFieldType.php +40 -2
  33. classes/models/fields/FrmFieldUserID.php +1 -1
  34. classes/views/frm-entries/_sidebar-shared-pub.php +1 -1
  35. classes/views/frm-entries/direct.php +1 -1
  36. classes/views/frm-entries/errors.php +1 -1
  37. classes/views/frm-entries/form.php +4 -4
  38. classes/views/frm-entries/new.php +2 -2
  39. classes/views/frm-entries/no_entries.php +4 -4
  40. classes/views/frm-entries/show.php +1 -1
  41. classes/views/frm-entries/sidebar-shared.php +5 -5
  42. classes/views/frm-fields/back-end/ajax-field-placeholder.php +1 -1
  43. classes/views/frm-fields/back-end/dropdown-field.php +2 -2
  44. classes/views/frm-fields/back-end/field-captcha.php +1 -1
  45. classes/views/frm-fields/back-end/html-content.php +1 -1
  46. classes/views/frm-fields/front-end/checkbox-field.php +2 -2
  47. classes/views/frm-fields/front-end/dropdown-field.php +1 -1
  48. classes/views/frm-fields/front-end/radio-field.php +2 -2
  49. classes/views/frm-fields/input.php +2 -2
  50. classes/views/frm-fields/radio.php +1 -1
  51. classes/views/frm-fields/show-build.php +1 -1
  52. classes/views/frm-fields/single-option.php +3 -1
  53. classes/views/frm-form-actions/_action_inside.php +4 -2
  54. classes/views/frm-form-actions/_email_settings.php +1 -1
  55. classes/views/frm-forms/add_field.php +10 -4
  56. classes/views/frm-forms/add_field_links.php +2 -2
  57. classes/views/frm-forms/form.php +1 -1
  58. classes/views/frm-forms/mb_html_tab.php +1 -1
  59. classes/views/frm-forms/settings.php +10 -7
  60. classes/views/frm-settings/form.php +2 -2
  61. classes/views/shared/errors.php +3 -3
  62. classes/views/shared/mb_adv_info.php +3 -3
  63. classes/views/styles/custom_css.php +1 -1
  64. classes/views/styles/show.php +1 -1
  65. classes/views/xml/forms_xml.php +12 -12
  66. classes/views/xml/posts_xml.php +8 -8
  67. classes/widgets/FrmShowForm.php +4 -4
  68. css/_single_theme.css.php +16 -16
  69. css/custom_theme.css.php +2 -2
  70. css/frm_old_grids.css +10 -0
  71. formidable.php +5 -1
  72. languages/formidable.pot +645 -767
  73. readme.txt +29 -21
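--- a/classes/controllers/FrmAddonsController.php
+++ b/classes/controllers/FrmAddonsController.php
@@ -24,7 +24,7 @@ class FrmAddonsController {
  public static function license_settings() {
  $plugins = apply_filters( 'frm_installed_addons', array() );
  if ( empty( $plugins ) ) {
- _e( 'There are no plugins on your site that require a license', 'formidable' );
+ esc_html_e( 'There are no plugins on your site that require a license', 'formidable' );
  return;
  }
 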
classes/controllers/FrmAppController.php CHANGED
@@ -147,7 +147,7 @@ class FrmAppController {
147
  ?>
148
  <div class="error" class="frm_previous_install">
149
  <?php
150
- echo apply_filters( 'frm_pro_update_msg',
151
  sprintf(
152
  esc_html__( 'This site has been previously authorized to run Formidable Forms. %1$sInstall Formidable Pro%2$s or %3$sdeauthorize%4$s this site to continue running the free version and remove this message.', 'formidable' ),
153
  '<br/><a href="' . esc_url( $inst_install_url ) . '" target="_blank">', '</a>',
@@ -175,8 +175,8 @@ class FrmAppController {
175
  $tip = FrmTipsHelper::get_banner_tip();
176
  ?>
177
  <div class="update-nag frm-update-to-pro">
178
- <?php echo FrmAppHelper::kses( $tip['tip'] ); ?>
179
- <span><?php echo FrmAppHelper::kses( $tip['call'] ); ?></span>
180
  <a href="<?php echo esc_url( FrmAppHelper::make_affiliate_url( 'https://formidableforms.com?banner=1&tip=' . absint( $tip['num'] ) ) ); ?>" class="button">Upgrade to Pro</a>
181
  </div>
182
  <?php
@@ -246,47 +246,10 @@ class FrmAppController {
246
  $action = FrmAppHelper::simple_get( 'action', 'sanitize_title' );
247
  if ( ! FrmAppHelper::doing_ajax() || $action == 'frm_import_choices' ) {
248
  // don't continue during ajax calls
249
- self::load_tour();
250
  self::admin_js();
251
  }
252
  }
253
 
254
- /**
255
- * See if we should start our tour.
256
- * @since 2.0.20
257
- */
258
- private static function load_tour() {
259
- $restart_tour = filter_input( INPUT_GET, 'frm_restart_tour' );
260
- if ( $restart_tour ) {
261
- delete_user_meta( get_current_user_id(), 'frm_ignore_tour' );
262
- }
263
- self::ignore_tour();
264
-
265
- if ( ! self::has_ignored_tour() ) {
266
- add_action( 'admin_enqueue_scripts', array( 'FrmPointers', 'get_instance' ) );
267
- }
268
- }
269
-
270
- /**
271
- * Returns the value of the ignore tour.
272
- *
273
- * @return bool
274
- */
275
- private static function has_ignored_tour() {
276
- $user_meta = get_user_meta( get_current_user_id(), 'frm_ignore_tour' );
277
-
278
- return ! empty( $user_meta );
279
- }
280
-
281
- /**
282
- * Listener for the ignore tour GET value. If this one is set, just set the user meta to true.
283
- */
284
- private static function ignore_tour() {
285
- if ( filter_input( INPUT_GET, 'frm_ignore_tour' ) && wp_verify_nonce( filter_input( INPUT_GET, 'nonce' ), 'frm-ignore-tour' ) ) {
286
- update_user_meta( get_current_user_id(), 'frm_ignore_tour', true );
287
- }
288
- }
289
-
290
  public static function admin_js() {
291
  $version = FrmAppHelper::plugin_version();
292
  FrmAppHelper::load_admin_wide_js( false );
147
  ?>
148
  <div class="error" class="frm_previous_install">
149
  <?php
150
+ echo apply_filters( 'frm_pro_update_msg', // WPCS: XSS ok.
151
  sprintf(
152
  esc_html__( 'This site has been previously authorized to run Formidable Forms. %1$sInstall Formidable Pro%2$s or %3$sdeauthorize%4$s this site to continue running the free version and remove this message.', 'formidable' ),
153
  '<br/><a href="' . esc_url( $inst_install_url ) . '" target="_blank">', '</a>',
175
  $tip = FrmTipsHelper::get_banner_tip();
176
  ?>
177
  <div class="update-nag frm-update-to-pro">
178
+ <?php echo FrmAppHelper::kses( $tip['tip'] ); // WPCS: XSS ok. ?>
179
+ <span><?php echo FrmAppHelper::kses( $tip['call'] ); // WPCS: XSS ok. ?></span>
180
  <a href="<?php echo esc_url( FrmAppHelper::make_affiliate_url( 'https://formidableforms.com?banner=1&tip=' . absint( $tip['num'] ) ) ); ?>" class="button">Upgrade to Pro</a>
181
  </div>
182
  <?php
246
  $action = FrmAppHelper::simple_get( 'action', 'sanitize_title' );
247
  if ( ! FrmAppHelper::doing_ajax() || $action == 'frm_import_choices' ) {
248
  // don't continue during ajax calls
 
249
  self::admin_js();
250
  }
251
  }
252
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
253
  public static function admin_js() {
254
  $version = FrmAppHelper::plugin_version();
255
  FrmAppHelper::load_admin_wide_js( false );
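Review bot: The notice wrapper on the new side, `<div class="error" class="frm_previous_install">`, carries two `class` attributes; browsers keep only the first, so the `frm_previous_install` class never applies. Merge them: `<div class="error frm_previous_install">`. This line is context rather than part of the change, and the enclosing method begins and ends outside the hunk. The `// WPCS: XSS ok.` on the `frm_pro_update_msg` echo holds only because the default value is assembled from `esc_html__()` and `esc_url()`; a one-line comment stating that filter callbacks are expected to return already-escaped markup would make that assumption explicit for the next reader.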
classes/controllers/FrmEntriesController.php CHANGED
@@ -396,7 +396,7 @@ class FrmEntriesController {
396
  if ( $pagenum > $total_pages && $total_pages > 0 ) {
397
  $url = add_query_arg( 'paged', $total_pages );
398
  if ( headers_sent() ) {
399
- echo FrmAppHelper::js_redirect( $url );
400
  } else {
401
  wp_redirect( esc_url_raw( $url ) );
402
  }
@@ -433,7 +433,7 @@ class FrmEntriesController {
433
  $entry = FrmEntry::getOne( $id, true );
434
  if ( ! $entry ) {
435
  echo '<div id="form_show_entry_page" class="wrap">' .
436
- __( 'You are trying to view an entry that does not exist.', 'formidable' ) .
437
  '</div>';
438
  return;
439
  }
@@ -470,7 +470,7 @@ class FrmEntriesController {
470
  public static function destroy_all() {
471
  if ( ! current_user_can( 'frm_delete_entries' ) ) {
472
  $frm_settings = FrmAppHelper::get_settings();
473
- wp_die( $frm_settings->admin_permission );
474
  }
475
 
476
  $params = FrmForm::get_admin_params();
@@ -520,8 +520,8 @@ class FrmEntriesController {
520
  $entry_query .= $form_query;
521
  }
522
 
523
- $wpdb->query( $meta_query );
524
- return $wpdb->query( $entry_query );
525
  }
526
 
527
  /**
396
  if ( $pagenum > $total_pages && $total_pages > 0 ) {
397
  $url = add_query_arg( 'paged', $total_pages );
398
  if ( headers_sent() ) {
399
+ echo FrmAppHelper::js_redirect( $url ); // WPCS: XSS ok.
400
  } else {
401
  wp_redirect( esc_url_raw( $url ) );
402
  }
433
  $entry = FrmEntry::getOne( $id, true );
434
  if ( ! $entry ) {
435
  echo '<div id="form_show_entry_page" class="wrap">' .
436
+ esc_html__( 'You are trying to view an entry that does not exist.', 'formidable' ) .
437
  '</div>';
438
  return;
439
  }
470
  public static function destroy_all() {
471
  if ( ! current_user_can( 'frm_delete_entries' ) ) {
472
  $frm_settings = FrmAppHelper::get_settings();
473
+ wp_die( esc_html( $frm_settings->admin_permission ) );
474
  }
475
 
476
  $params = FrmForm::get_admin_params();
520
  $entry_query .= $form_query;
521
  }
522
 
523
+ $wpdb->query( $meta_query ); // WPCS: unprepared SQL ok.
524
+ return $wpdb->query( $entry_query ); // WPCS: unprepared SQL ok.
525
  }
526
 
527
  /**
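Review bot: The `js_redirect` branch now carries a `// WPCS: XSS ok.` waiver but still receives the raw `$url`, while the sibling branch wraps it in `esc_url_raw()`; `add_query_arg( 'paged', $total_pages )` with no base URL builds on the current request URI, so the value is request-influenced. Unless `FrmAppHelper::js_redirect()` escapes for the JavaScript string context itself (not visible here), give it the same treatment: `echo FrmAppHelper::js_redirect( esc_url_raw( $url ) ); // WPCS: XSS ok.`. The `// WPCS: unprepared SQL ok.` markers in `destroy_all()` silence the scanner without saying why `$meta_query` and `$entry_query` are safe; their assembly happens above the hunk, so a short comment naming the sanitiser applied to the ids they embed would let a reader verify the waiver. Both enclosing methods start outside the hunk.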
classes/controllers/FrmFieldsController.php CHANGED
@@ -33,6 +33,7 @@ class FrmFieldsController {
33
  }
34
  $field->field_options = json_decode( json_encode( $field->field_options ), true );
35
  $field->options = json_decode( json_encode( $field->options ), true );
 
36
 
37
  ob_start();
38
  self::load_single_field( $field, $values );
@@ -71,11 +72,6 @@ class FrmFieldsController {
71
  * @return array|bool
72
  */
73
  public static function include_new_field( $field_type, $form_id ) {
74
- $values = array();
75
- if ( FrmAppHelper::pro_is_installed() ) {
76
- $values['post_type'] = FrmProFormsHelper::post_type( $form_id );
77
- }
78
-
79
  $field_values = FrmFieldsHelper::setup_new_vars( $field_type, $form_id );
80
  $field_values = apply_filters( 'frm_before_field_created', $field_values );
81
 
@@ -86,6 +82,17 @@ class FrmFieldsController {
86
  }
87
 
88
  $field = self::get_field_array_from_id( $field_id );
 
 
 
 
 
 
 
 
 
 
 
89
  self::load_single_field( $field, $values, $form_id );
90
 
91
  return $field;
@@ -121,7 +128,7 @@ class FrmFieldsController {
121
 
122
  do_action( 'frm_after_update_field_' . $field, compact( 'id', 'value' ) );
123
 
124
- echo stripslashes( wp_kses_post( $value ) );
125
  wp_die();
126
  }
127
 
@@ -505,7 +512,7 @@ class FrmFieldsController {
505
  $add_html = ' ' . implode( ' ', $add_html ) . ' ';
506
 
507
  if ( $echo ) {
508
- echo $add_html;
509
  }
510
 
511
  return $add_html;
33
  }
34
  $field->field_options = json_decode( json_encode( $field->field_options ), true );
35
  $field->options = json_decode( json_encode( $field->options ), true );
36
+ $field->default_value = json_decode( json_encode( $field->default_value ), true );
37
 
38
  ob_start();
39
  self::load_single_field( $field, $values );
72
  * @return array|bool
73
  */
74
  public static function include_new_field( $field_type, $form_id ) {
 
 
 
 
 
75
  $field_values = FrmFieldsHelper::setup_new_vars( $field_type, $form_id );
76
  $field_values = apply_filters( 'frm_before_field_created', $field_values );
77
 
82
  }
83
 
84
  $field = self::get_field_array_from_id( $field_id );
85
+
86
+ $values = array();
87
+ if ( FrmAppHelper::pro_is_installed() ) {
88
+ $values['post_type'] = FrmProFormsHelper::post_type( $form_id );
89
+
90
+ $parent_form_id = FrmDb::get_var( 'frm_forms', array( 'id' => $form_id ), 'parent_form_id' );
91
+ if ( $parent_form_id ) {
92
+ $field['parent_form_id'] = $parent_form_id;
93
+ }
94
+ }
95
+
96
  self::load_single_field( $field, $values, $form_id );
97
 
98
  return $field;
128
 
129
  do_action( 'frm_after_update_field_' . $field, compact( 'id', 'value' ) );
130
 
131
+ echo stripslashes( wp_kses_post( $value ) ); // WPCS: XSS ok.
132
  wp_die();
133
  }
134
 
512
  $add_html = ' ' . implode( ' ', $add_html ) . ' ';
513
 
514
  if ( $echo ) {
515
+ echo $add_html; // WPCS: XSS ok.
516
  }
517
 
518
  return $add_html;
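Review bot: In the AJAX update handler, `echo stripslashes( wp_kses_post( $value ) );` sanitises the slashed string and then unescapes it, so the markup that reaches the browser is not the markup kses validated; a `\"` inside an attribute is seen by kses as escaped text and becomes a bare `"` afterwards. Sanitise last: `echo wp_kses_post( stripslashes( $value ) ); // WPCS: XSS ok.`. The `echo $add_html; // WPCS: XSS ok.` further down relies entirely on how the attribute strings were assembled above the hunk, which is outside this view; a comment on that line naming the escaping applied during assembly would make the waiver checkable. The enclosing methods begin outside the hunk.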
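--- a/classes/controllers/FrmFormActionsController.php
+++ b/classes/controllers/FrmFormActionsController.php
@@ -201,6 +201,11 @@ class FrmFormActionsController {
  }
 
  public static function update_settings( $form_id ) {
+ $process_form = FrmAppHelper::get_post_param( 'process_form', '', 'sanitize_text_field' );
+ if ( ! wp_verify_nonce( $process_form, 'process_form_nonce' ) ) {
+ wp_die( esc_html__( 'You do not have permission to do that', 'formidable' ) );
+ }
+
  global $wpdb;
 
  $registered_actions = self::$registered_actions->actions;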
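Review bot: The new nonce check proves the request came from the settings form but does not establish that the caller may edit the form; no capability check is visible in `update_settings()`. Unless the caller already gates on it, pair the nonce with `FrmAppHelper::permission_check()` — the same helper `FrmFormsController` uses with `'frm_view_forms'` in this release — passing the capability that governs form editing, placed ahead of the nonce test. The failure text `You do not have permission to do that` is also slightly misleading for a nonce mismatch, whose usual cause is an expired page rather than missing rights; the `admin_permission` setting used by `FrmSettingsController` for the same situation would keep the two handlers consistent. The method body continues past the hunk.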
classes/controllers/FrmFormsController.php CHANGED
@@ -136,7 +136,7 @@ class FrmFormsController {
136
  } else {
137
  FrmForm::update( $id, $values, true );
138
  $url = admin_url( 'admin.php?page=formidable&frm_action=settings&id=' . $id );
139
- die( FrmAppHelper::js_redirect( $url ) );
140
  }
141
  }
142
 
@@ -198,7 +198,7 @@ class FrmFormsController {
198
  FrmForm::update( $id, $values );
199
  $message = __( 'Form was Successfully Updated', 'formidable' );
200
  if ( defined( 'DOING_AJAX' ) ) {
201
- wp_die( $message );
202
  }
203
  return self::get_edit_vars( $id, array(), $message );
204
  }
@@ -253,7 +253,7 @@ class FrmFormsController {
253
  * @since 3.0
254
  */
255
  public static function show_page_preview() {
256
- echo self::page_preview();
257
  }
258
 
259
  public static function preview() {
@@ -676,11 +676,11 @@ class FrmFormsController {
676
 
677
  $form = FrmForm::getOne( $id );
678
  if ( ! $form ) {
679
- wp_die( __( 'You are trying to edit a form that does not exist.', 'formidable' ) );
680
  }
681
 
682
  if ( $form->parent_form_id ) {
683
- wp_die( sprintf( __( 'You are trying to edit a child form. Please edit from %1$shere%2$s', 'formidable' ), '<a href="' . esc_url( admin_url( 'admin.php?page=formidable&frm_action=edit&id=' . $form->parent_form_id ) ) . '">', '</a>' ) );
684
  }
685
 
686
  $frm_field_selection = FrmField::field_selection();
@@ -708,7 +708,7 @@ class FrmFormsController {
708
  $all_templates = FrmForm::getAll( array( 'is_template' => 1 ), 'name' );
709
 
710
  if ( $form->default_template ) {
711
- wp_die( __( 'That template cannot be edited', 'formidable' ) );
712
  } elseif ( defined( 'DOING_AJAX' ) ) {
713
  wp_die();
714
  } else if ( $create_link ) {
@@ -729,7 +729,7 @@ class FrmFormsController {
729
  $values = FrmAppHelper::setup_edit_vars( $form, 'forms', $fields, true );
730
 
731
  if ( isset( $values['default_template'] ) && $values['default_template'] ) {
732
- wp_die( __( 'That template cannot be edited', 'formidable' ) );
733
  }
734
 
735
  self::clean_submit_html( $values );
@@ -851,7 +851,7 @@ class FrmFormsController {
851
  FrmAppHelper::permission_check( 'frm_view_forms' );
852
  check_ajax_referer( 'frm_ajax', 'nonce' );
853
 
854
- echo FrmEntriesController::show_entry_shortcode( array(
855
  'form_id' => FrmAppHelper::get_post_param( 'form_id', '', 'absint' ),
856
  'default_email' => true,
857
  'plain_text' => FrmAppHelper::get_post_param( 'plain_text', '', 'absint' ),
@@ -933,7 +933,7 @@ class FrmFormsController {
933
  }
934
 
935
  if ( isset( $message ) && ! empty( $message ) ) {
936
- echo '<div id="message" class="updated frm_updated_message">' . FrmAppHelper::kses( $message, array( 'a' ) ) . '</div>';
937
  }
938
 
939
  return $errors;
@@ -1383,7 +1383,7 @@ class FrmFormsController {
1383
  $old_post = $post;
1384
  $post = $page;
1385
  $content = apply_filters( 'frm_content', $page->post_content, $args['form'], $args['entry_id'] );
1386
- echo apply_filters( 'the_content', $content );
1387
  $post = $old_post;
1388
  }
1389
  }
@@ -1422,7 +1422,7 @@ class FrmFormsController {
1422
  } else {
1423
  add_filter( 'frm_use_wpautop', '__return_true' );
1424
 
1425
- echo $redirect_msg;
1426
  echo "<script type='text/javascript'>window.onload = function(){setTimeout(window.location='" . esc_url_raw( $success_url ) . "', 8000);}</script>";
1427
  }
1428
  }
136
  } else {
137
  FrmForm::update( $id, $values, true );
138
  $url = admin_url( 'admin.php?page=formidable&frm_action=settings&id=' . $id );
139
+ die( FrmAppHelper::js_redirect( $url ) ); // WPCS: XSS ok.
140
  }
141
  }
142
 
198
  FrmForm::update( $id, $values );
199
  $message = __( 'Form was Successfully Updated', 'formidable' );
200
  if ( defined( 'DOING_AJAX' ) ) {
201
+ wp_die( esc_html( $message ) );
202
  }
203
  return self::get_edit_vars( $id, array(), $message );
204
  }
253
  * @since 3.0
254
  */
255
  public static function show_page_preview() {
256
+ echo self::page_preview(); // WPCS: XSS ok.
257
  }
258
 
259
  public static function preview() {
676
 
677
  $form = FrmForm::getOne( $id );
678
  if ( ! $form ) {
679
+ wp_die( esc_html__( 'You are trying to edit a form that does not exist.', 'formidable' ) );
680
  }
681
 
682
  if ( $form->parent_form_id ) {
683
+ wp_die( sprintf( esc_html__( 'You are trying to edit a child form. Please edit from %1$shere%2$s', 'formidable' ), '<a href="' . esc_url( admin_url( 'admin.php?page=formidable&frm_action=edit&id=' . $form->parent_form_id ) ) . '">', '</a>' ) );
684
  }
685
 
686
  $frm_field_selection = FrmField::field_selection();
708
  $all_templates = FrmForm::getAll( array( 'is_template' => 1 ), 'name' );
709
 
710
  if ( $form->default_template ) {
711
+ wp_die( esc_html__( 'That template cannot be edited', 'formidable' ) );
712
  } elseif ( defined( 'DOING_AJAX' ) ) {
713
  wp_die();
714
  } else if ( $create_link ) {
729
  $values = FrmAppHelper::setup_edit_vars( $form, 'forms', $fields, true );
730
 
731
  if ( isset( $values['default_template'] ) && $values['default_template'] ) {
732
+ wp_die( esc_html__( 'That template cannot be edited', 'formidable' ) );
733
  }
734
 
735
  self::clean_submit_html( $values );
851
  FrmAppHelper::permission_check( 'frm_view_forms' );
852
  check_ajax_referer( 'frm_ajax', 'nonce' );
853
 
854
+ echo FrmEntriesController::show_entry_shortcode( array( // WPCS: XSS ok.
855
  'form_id' => FrmAppHelper::get_post_param( 'form_id', '', 'absint' ),
856
  'default_email' => true,
857
  'plain_text' => FrmAppHelper::get_post_param( 'plain_text', '', 'absint' ),
933
  }
934
 
935
  if ( isset( $message ) && ! empty( $message ) ) {
936
+ echo '<div id="message" class="updated frm_updated_message">' . FrmAppHelper::kses( $message, array( 'a' ) ) . '</div>'; // WPCS: XSS ok.
937
  }
938
 
939
  return $errors;
1383
  $old_post = $post;
1384
  $post = $page;
1385
  $content = apply_filters( 'frm_content', $page->post_content, $args['form'], $args['entry_id'] );
1386
+ echo apply_filters( 'the_content', $content ); // WPCS: XSS ok.
1387
  $post = $old_post;
1388
  }
1389
  }
1422
  } else {
1423
  add_filter( 'frm_use_wpautop', '__return_true' );
1424
 
1425
+ echo $redirect_msg; // WPCS: XSS ok.
1426
  echo "<script type='text/javascript'>window.onload = function(){setTimeout(window.location='" . esc_url_raw( $success_url ) . "', 8000);}</script>";
1427
  }
1428
  }
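Review bot: The inline redirect script, `window.location='" . esc_url_raw( $success_url ) . "'`, places a URL inside a single-quoted JavaScript string, but `esc_url_raw()` leaves `'` intact, so a success URL containing one terminates the string early. Escape for the JS context as well: `window.location='" . esc_js( esc_url_raw( $success_url ) ) . "'`. The same line also passes the assignment expression, not a function, to `setTimeout`, so the redirect fires immediately rather than after eight seconds; `setTimeout(function(){ window.location='" . esc_js( esc_url_raw( $success_url ) ) . "'; }, 8000)` fixes both. `$redirect_msg` is echoed with only a waiver comment, which is acceptable only if it was built from escaped pieces above the hunk. The enclosing method starts outside the hunk.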
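--- a/classes/controllers/FrmSettingsController.php
+++ b/classes/controllers/FrmSettingsController.php
@@ -72,7 +72,7 @@ class FrmSettingsController {
 
  $process_form = FrmAppHelper::get_post_param( 'process_form', '', 'sanitize_text_field' );
  if ( ! wp_verify_nonce( $process_form, 'process_form_nonce' ) ) {
- wp_die( $frm_settings->admin_permission );
+ wp_die( esc_html( $frm_settings->admin_permission ) );
  }
 
  $errors = array();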
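--- a/classes/helpers/FrmAppHelper.php
+++ b/classes/helpers/FrmAppHelper.php
@@ -11,7 +11,7 @@ class FrmAppHelper {
  /**
  * @since 2.0
  */
- public static $plug_version = '3.01.02';
+ public static $plug_version = '3.01.03';
 
  /**
  * @since 1.07.02
@@ -774,7 +774,7 @@ class FrmAppHelper {
  if ( 'hide' == $show_message ) {
  $permission_error = '';
  }
- wp_die( $permission_error );
+ wp_die( esc_html( $permission_error ) );
  }
  }
 
@@ -1680,7 +1680,7 @@ class FrmAppHelper {
 
  $wp_list_table = _get_list_table( 'WP_Plugins_List_Table' );
  echo '<tr class="plugin-update-tr active"><th colspan="' . absint( $wp_list_table->get_column_count() ) . '" class="check-column plugin-update colspanchange"><div class="update-message">' .
- __( 'You are running an outdated version of Formidable. This plugin may not work correctly if you do not update Formidable.', 'formidable' ) .
+ esc_html__( 'You are running an outdated version of Formidable. This plugin may not work correctly if you do not update Formidable.', 'formidable' ) .
  '</div></td></tr>';
  }
 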
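--- a/classes/helpers/FrmCSVExportHelper.php
+++ b/classes/helpers/FrmCSVExportHelper.php
@@ -269,7 +269,7 @@ class FrmCSVExportHelper {
  $val = str_replace( array( "\r\n", "\r", "\n" ), self::$line_break, $val );
  }
 
- echo $sep . '"' . $val . '"';
+ echo $sep . '"' . $val . '"'; // WPCS: XSS ok.
  $sep = self::$column_separator;
 
  unset( $k, $row );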
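Review bot: The waiver on `echo $sep . '"' . $val . '"';` answers the HTML scanner, but the hazard that matters for a CSV sink is formula injection: a cell beginning with `=`, `+`, `-` or `@` is evaluated when the export is opened in a spreadsheet, and entry values are end-user input. Unless the value is neutralised earlier in the method (the lines above the hunk are not visible), prefix such cells before the echo: `if ( preg_match( '/^[=+\-@]/', $val ) ) { $val = "'" . $val; }`. Only the line-break replacement is visible here, so I cannot confirm whether embedded `"` characters are doubled elsewhere; if they are not, that also needs handling for the output to be well-formed CSV. The enclosing method begins outside the hunk.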
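--- a/classes/helpers/FrmEntriesListHelper.php
+++ b/classes/helpers/FrmEntriesListHelper.php
@@ -98,7 +98,7 @@ class FrmEntriesListHelper extends FrmListHelper {
  $form_id = FrmAppHelper::simple_get( 'form', 'absint' );
  if ( $which == 'top' && empty( $form_id ) ) {
  echo '<div class="alignleft actions">';
- echo FrmFormsHelper::forms_dropdown( 'form', $form_id, array( 'blank' => __( 'View all forms', 'formidable' ) ) );
+ echo FrmFormsHelper::forms_dropdown( 'form', $form_id, array( 'blank' => __( 'View all forms', 'formidable' ) ) ); // WPCS: XSS ok.
  submit_button( __( 'Filter' ), 'filter_action', '', false, array( 'id' => 'post-query-submit' ) );
  echo '</div>';
  }
@@ -209,7 +209,7 @@ class FrmEntriesListHelper extends FrmListHelper {
  $val = '<abbr title="' . esc_attr( FrmAppHelper::get_formatted_time( $item->{$col_name}, '', 'g:i:s A' ) ) . '">' . $date . '</abbr>';
  break;
  case 'is_draft':
- $val = empty( $item->is_draft ) ? __( 'No' ) : __( 'Yes' );
+ $val = empty( $item->is_draft ) ? esc_html__( 'No' ) : esc_html__( 'Yes' );
  break;
  case 'form_id':
  $val = FrmFormsHelper::edit_form_link( $item->form_id );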
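--- a/classes/helpers/FrmFieldsHelper.php
+++ b/classes/helpers/FrmFieldsHelper.php
@@ -475,10 +475,10 @@ class FrmFieldsHelper {
  return '';
  }
 
- $link = sprintf(
- __( 'Please add options from the WordPress "%1$s" page', 'formidable' ),
- '<a href="' . esc_url( admin_url( 'edit-tags.php?taxonomy=' . $tax->name ) ) . '" target="_blank">' . ( empty( $tax->labels->name ) ? __( 'Categories' ) : $tax->labels->name ) . '</a>'
- );
+ $link = sprintf(
+ esc_html__( 'Please add options from the WordPress "%1$s" page', 'formidable' ),
+ '<a href="' . esc_url( admin_url( 'edit-tags.php?taxonomy=' . $tax->name ) ) . '" target="_blank">' . ( empty( $tax->labels->name ) ? esc_html__( 'Categories' ) : $tax->labels->name ) . '</a>'
+ );
  unset( $tax );
 
  return $link;
@@ -1094,7 +1094,7 @@ class FrmFieldsHelper {
 
  ?><label for="<?php echo esc_attr( $other_id ) ?>" class="frm_screen_reader frm_hidden"><?php
  echo esc_html( $label );
- ?></label><input type="text" id="<?php echo esc_attr( $other_id ) ?>" class="<?php echo sanitize_text_field( implode( ' ', $classes ) ) ?>" <?php
+ ?></label><input type="text" id="<?php echo esc_attr( $other_id ) ?>" class="<?php echo esc_attr( implode( ' ', $classes ) ) ?>" <?php
  echo ( $args['read_only'] ? ' readonly="readonly" disabled="disabled"' : '' );
  ?> name="<?php echo esc_attr( $args['name'] ) ?>" value="<?php echo esc_attr( $args['value'] ); ?>" /><?php
  }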
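Review bot: In the taxonomy prompt, the fallback label is now `esc_html__( 'Categories' )` but the other branch still emits `$tax->labels->name` unescaped inside the anchor text, so the escaping this hunk adds is only half applied. Wrap it: `esc_html( $tax->labels->name )`. Taxonomy labels come from registering plugins and themes rather than end users, so the practical risk is low, but the inconsistency is exactly what the scanner will keep flagging. The second hunk's move from `sanitize_text_field()` to `esc_attr()` on the `class` attribute is the right call, since the former is an input sanitiser rather than an output escaper.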
classes/helpers/FrmFormsHelper.php CHANGED
@@ -46,7 +46,7 @@ class FrmFormsHelper {
46
  self::add_html_attr( $args['class'], 'class', $add_html );
47
 
48
  ?>
49
- <select name="<?php echo esc_attr( $field_name ); ?>" id="<?php echo esc_attr( $args['field_id'] ) ?>" <?php echo implode( ' ', $add_html ); ?>>
50
  <?php if ( $args['blank'] ) { ?>
51
  <option value=""><?php echo ( $args['blank'] == 1 ) ? ' ' : '- ' . esc_attr( $args['blank'] ) . ' -'; ?></option>
52
  <?php } ?>
@@ -336,7 +336,7 @@ BEFORE_HTML;
336
  public static function get_custom_submit( $html, $form, $submit, $form_action, $values ) {
337
  $button = self::replace_shortcodes( $html, $form, $submit, $form_action, $values );
338
  if ( ! strpos( $button, '[button_action]' ) ) {
339
- echo $button;
340
  return;
341
  }
342
 
@@ -353,9 +353,9 @@ BEFORE_HTML;
353
  }
354
  }
355
 
356
- echo $button_parts[0];
357
  do_action( 'frm_submit_button_action', $form, $form_action );
358
- echo $button_parts[1];
359
  }
360
 
361
  /**
@@ -561,6 +561,10 @@ BEFORE_HTML;
561
  * @return bool
562
  */
563
  private static function form_has_top_labels( $form ) {
 
 
 
 
564
  $fields = $form['fields'];
565
  if ( count( $fields ) <= 0 ) {
566
  return false;
46
  self::add_html_attr( $args['class'], 'class', $add_html );
47
 
48
  ?>
49
+ <select name="<?php echo esc_attr( $field_name ); ?>" id="<?php echo esc_attr( $args['field_id'] ) ?>" <?php echo wp_strip_all_tags( implode( ' ', $add_html ) ); // WPCS: XSS ok. ?>>
50
  <?php if ( $args['blank'] ) { ?>
51
  <option value=""><?php echo ( $args['blank'] == 1 ) ? ' ' : '- ' . esc_attr( $args['blank'] ) . ' -'; ?></option>
52
  <?php } ?>
336
  public static function get_custom_submit( $html, $form, $submit, $form_action, $values ) {
337
  $button = self::replace_shortcodes( $html, $form, $submit, $form_action, $values );
338
  if ( ! strpos( $button, '[button_action]' ) ) {
339
+ echo $button; // WPCS: XSS ok.
340
  return;
341
  }
342
 
353
  }
354
  }
355
 
356
+ echo $button_parts[0]; // WPCS: XSS ok.
357
  do_action( 'frm_submit_button_action', $form, $form_action );
358
+ echo $button_parts[1]; // WPCS: XSS ok.
359
  }
360
 
361
  /**
561
  * @return bool
562
  */
563
  private static function form_has_top_labels( $form ) {
564
+ if ( ! isset( $form['fields'] ) ) {
565
+ return false;
566
+ }
567
+
568
  $fields = $form['fields'];
569
  if ( count( $fields ) <= 0 ) {
570
  return false;
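Review bot: `wp_strip_all_tags()` on the `<select>` attribute list removes tags but is not an attribute escaper: a `"` or `>` inside one of the `$add_html` values would still close the attribute or the tag, so the `// WPCS: XSS ok.` waiver rests on `self::add_html_attr()` having escaped each value when it was assembled, which is outside this hunk. If it does, the strip is redundant and a comment saying so is clearer; if it does not, the escaping belongs in `add_html_attr()` via `esc_attr()`, not here. The `echo $button;` and `echo $button_parts[...]` waivers in `get_custom_submit()` output form-author HTML, which is reasonable for a setting restricted to users who can edit forms but should be stated in a comment on the first echo. The `isset( $form['fields'] )` guard in `form_has_top_labels()` is a sound fix for the missing-key case.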
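--- a/classes/helpers/FrmListHelper.php
+++ b/classes/helpers/FrmListHelper.php
@@ -133,7 +133,7 @@ class FrmListHelper {
 
 public function display_rows() {
 foreach ( $this->items as $item ) {
-echo "\n\t", $this->single_row( $item );
+echo "\n\t", $this->single_row( $item ); // WPCS: XSS ok.
 }
 }
 
@@ -228,7 +228,7 @@ class FrmListHelper {
 * @access public
 */
 public function no_items() {
-_e( 'No items found.' );
+esc_html_e( 'No items found.' );
 }
 
 /**
@@ -304,9 +304,9 @@ class FrmListHelper {
 
 echo "<ul class='subsubsub'>\n";
 foreach ( $views as $class => $view ) {
-$views[ $class ] = "\t<li class='$class'>$view";
+$views[ $class ] = "\t" . '<li class="' . esc_attr( $class ) . '">' . $view;
 }
-echo implode( " |</li>\n", $views ) . "</li>\n";
+echo implode( " |</li>\n", $views ) . "</li>\n"; // WPCS: XSS ok.
 echo '</ul>';
 }
 
@@ -367,7 +367,7 @@ class FrmListHelper {
 foreach ( $this->_actions as $name => $title ) {
 $class = 'edit' == $name ? ' class="hide-if-no-js"' : '';
 
-echo "\t<option value='" . esc_attr( $name ) . "'$class>$title</option>\n";
+echo "\t<option value='" . esc_attr( $name ) . "'$class>" . esc_html( $title ) . "</option>\n"; // WPCS: XSS ok.
 }
 
 echo "</select>\n";
@@ -460,10 +460,10 @@ class FrmListHelper {
 }
 
 printf(
-"<a href='%s' class='%s' id='view-switch-$mode'><span class='screen-reader-text'>%s</span></a>\n",
+'<a href="%s" class="%s" id="view-switch-' . esc_attr( $mode ) . '"><span class="screen-reader-text">%s</span></a>' . "\n",
 esc_url( add_query_arg( 'mode', $mode ) ),
-implode( ' ', $classes ),
-$title
+esc_attr( implode( ' ', $classes ) ),
+esc_html( $title )
 );
 }
 ?>
@@ -597,7 +597,7 @@ class FrmListHelper {
 if ( ! empty( $infinite_scroll ) ) {
 $pagination_links_class = ' hide-if-js';
 }
-$output .= "\n<span class='$pagination_links_class'>" . join( "\n", $page_links ) . '</span>';
+$output .= "\n" . '<span class="' . esc_attr( $pagination_links_class ) . '">' . join( "\n", $page_links ) . '</span>';
 
 if ( $total_pages ) {
 $page_class = $total_pages < 2 ? ' one-page' : '';
@@ -606,7 +606,7 @@ class FrmListHelper {
 }
 $this->_pagination = "<div class='tablenav-pages" . esc_attr( $page_class ) . "'>$output</div>";
 
-echo $this->_pagination;
+echo $this->_pagination; // WPCS: XSS ok.
 }
 
 private function disabled_pages( $total_pages ) {
@@ -887,7 +887,7 @@ class FrmListHelper {
 $class[] = $desc_first ? 'asc' : 'desc';
 }
 
-$column_display_name = '<a href="' . esc_url( add_query_arg( compact( 'orderby', 'order' ), $current_url ) ) . '"><span>' . $column_display_name . '</span><span class="sorting-indicator"></span></a>';
+$column_display_name = '<a href="' . esc_url( add_query_arg( compact( 'orderby', 'order' ), $current_url ) ) . '"><span>' . esc_html( $column_display_name ) . '</span><span class="sorting-indicator"></span></a>';
 }
 
 $tag = ( 'cb' === $column_key ) ? 'td' : 'th';
@@ -895,10 +895,10 @@ class FrmListHelper {
 $id = $with_id ? "id='" . esc_attr( $column_key ) . "'" : '';
 
 if ( ! empty( $class ) ) {
-$class = "class='" . join( ' ', $class ) . "'";
+$class = "class='" . esc_attr( join( ' ', $class ) ) . "'";
 }
 
-echo "<$tag $scope $id $class>$column_display_name</$tag>";
+echo "<$tag $scope $id $class>$column_display_name</$tag>"; // WPCS: XSS ok.
 }
 }
 
@@ -920,7 +920,7 @@ class FrmListHelper {
 </tr>
 </thead>
 
-<tbody id="the-list"<?php echo ( $singular ? " data-wp-lists='list:" . esc_attr( $singular ) . "'" : '' ); ?>>
+<tbody id="the-list"<?php echo ( $singular ? " data-wp-lists='list:" . esc_attr( $singular ) . "'" : '' ); // WPCS: XSS ok. ?>>
 <?php $this->display_rows_or_placeholder(); ?>
 </tbody>
 
@@ -1037,14 +1037,14 @@ class FrmListHelper {
 
 // Comments column uses HTML in the display name with screen reader text.
 // Instead of using esc_attr(), we strip tags to get closer to a user-friendly string.
-$data = 'data-colname="' . wp_strip_all_tags( $column_display_name ) . '"';
+$data = 'data-colname="' . esc_attr( $column_display_name ) . '"';
 
-$attributes = "class='$classes' $data";
+$attributes = 'class="' . esc_attr( $classes ) . '" ' . $data;
 
 if ( 'cb' == $column_name ) {
 echo '<th scope="row" class="check-column"></th>';
 } elseif ( method_exists( $this, '_column_' . $column_name ) ) {
-echo call_user_func(
+echo call_user_func( // WPCS: XSS ok.
 array( $this, '_column_' . $column_name ),
 $item,
 $classes,
@@ -1052,13 +1052,13 @@ class FrmListHelper {
 $primary
 );
 } elseif ( method_exists( $this, 'column_' . $column_name ) ) {
-echo "<td $attributes>";
-echo call_user_func( array( $this, 'column_' . $column_name ), $item );
-echo $this->handle_row_actions( $item, $column_name, $primary );
+echo "<td $attributes>"; // WPCS: XSS ok.
+echo call_user_func( array( $this, 'column_' . $column_name ), $item ); // WPCS: XSS ok.
+echo $this->handle_row_actions( $item, $column_name, $primary ); // WPCS: XSS ok.
 echo '</td>';
 } else {
-echo "<td $attributes>";
-echo $this->handle_row_actions( $item, $column_name, $primary );
+echo "<td $attributes>"; // WPCS: XSS ok.
+echo $this->handle_row_actions( $item, $column_name, $primary ); // WPCS: XSS ok.
 echo '</td>';
 }
 }
@@ -1076,7 +1076,7 @@ class FrmListHelper {
 * @return string The row actions output. In this case, an empty string.
 */
 protected function handle_row_actions( $item, $column_name, $primary ) {
-return $column_name == $primary ? '<button type="button" class="toggle-row"><span class="screen-reader-text">' . __( 'Show more details' ) . '</span></button>' : '';
+return $column_name == $primary ? '<button type="button" class="toggle-row"><span class="screen-reader-text">' . esc_html__( 'Show more details' ) . '</span></button>' : '';
 }
 
 /**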
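Review bot: The two comment lines kept at 1038-1039 of the 1037 hunk now contradict the code under them: they say tags are stripped instead of using esc_attr(), but new line 1040 does the opposite, so a column heading that carries the screen-reader markup the comment mentions will put the literal tag text into the responsive `data-colname` label. Strip first and then escape, `$data = 'data-colname="' . esc_attr( wp_strip_all_tags( $column_display_name ) ) . '"';`, and reword the comment to say the name is stripped of tags and then attribute-escaped. In the 1076 hunk `esc_html__( 'Show more details' )` is still the only translation call in this commit without a text domain; if the core string is meant to be reused, say so in a comment, otherwise pass `'formidable'`. In the 895 hunk the suppressed `echo` still emits `$column_display_name` unescaped on the non-sortable path, so the `// WPCS: XSS ok.` there rests on the callers of this method, which start outside the hunk.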
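--- a/classes/helpers/FrmStylesHelper.php
+++ b/classes/helpers/FrmStylesHelper.php
@@ -226,7 +226,7 @@ class FrmStylesHelper {
 <select name="<?php echo esc_attr( $frm_style->get_field_name( $name ) ); ?>" id="frm_<?php echo esc_attr( $name ); ?>" class="frm_icon_font frm_multiselect hide-if-js">
 <?php foreach ( $icons as $key => $icon ) { ?>
 <option value="<?php echo esc_attr( $key ) ?>" <?php selected( $style->post_content[ $name ], $key ) ?>>
-<?php echo '&#xe' . $icon['+'] . '; &#xe' . $icon['-'] . ';'; ?>
+<?php echo '&#xe' . esc_html( $icon['+'] ) . '; &#xe' . esc_html( $icon['-'] ) . ';'; ?>
 </option>
 <?php } ?>
 </select>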
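--- a/classes/helpers/FrmXMLHelper.php
+++ b/classes/helpers/FrmXMLHelper.php
@@ -8,17 +8,17 @@ class FrmXMLHelper {
 public static function get_xml_values( $opt, $padding ) {
 if ( is_array( $opt ) ) {
 foreach ( $opt as $ok => $ov ) {
-echo "\n" . $padding;
+echo "\n" . esc_html( $padding );
 $tag = ( is_numeric( $ok ) ? 'key:' : '' ) . $ok;
-echo '<' . $tag . '>';
+echo '<' . esc_html( $tag ) . '>';
 self::get_xml_values( $ov, $padding . ' ' );
 if ( is_array( $ov ) ) {
-echo "\n" . $padding;
+echo "\n" . esc_html( $padding );
 }
-echo '</' . $tag . '>';
+echo '</' . esc_html( $tag ) . '>';
 }
 } else {
-echo self::cdata( $opt );
+echo self::cdata( $opt ); // WPCS: XSS ok.
 }
 }
 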
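Review bot: `esc_html( $tag )` on lines 13 and 18 is an HTML text escaper, not an XML element-name check: a key with whitespace, a slash or a quote still yields an element the importer cannot parse, now with entity text inside the name, and `esc_html( $padding )` on whitespace is a no-op that exists only to satisfy the scanner. If the array keys can ever be user-chosen names rather than fixed option keys, validate `$tag` against the XML Name production before writing it (or skip the entry); if they are always fixed, record that so the next reader does not have to re-derive it, e.g. `// $tag is a fixed option key and $padding is whitespace; esc_html() is for the static scanner only.`. `get_xml_values()` is fully inside the hunk, so this is the only place the element name is produced.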
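--- a/classes/models/FrmAddon.php
+++ b/classes/models/FrmAddon.php
@@ -248,7 +248,7 @@ class FrmAddon {
 }
 
 private function is_license_revoked() {
-if ( empty( $this->license ) || empty( $this->plugin_slug ) || isset( $_POST['license'] ) ) {
+if ( empty( $this->license ) || empty( $this->plugin_slug ) || isset( $_POST['license'] ) ) { // WPCS: CSRF ok.
 return;
 }
 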
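--- a/classes/models/FrmCreateFile.php
+++ b/classes/models/FrmCreateFile.php
@@ -221,7 +221,7 @@ class FrmCreateFile {
 
 private function show_error_message() {
 if ( ! empty( $this->error_message ) ) {
-echo '<div class="message">' . $this->error_message . '</div>';
+echo '<div class="message">' . esc_html( $this->error_message ) . '</div>';
 }
 }
 }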
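--- a/classes/models/FrmDb.php
+++ b/classes/models/FrmDb.php
@@ -405,13 +405,13 @@ class FrmDb {
 if ( is_array( $where ) || empty( $where ) ) {
 self::get_where_clause_and_values( $where );
 global $wpdb;
-$query = $wpdb->prepare( $query . $where['where'] . ' ' . implode( ' ', $args ), $where['values'] );
+$query = $wpdb->prepare( $query . $where['where'] . ' ' . implode( ' ', $args ), $where['values'] ); // WPCS: unprepared SQL ok.
 } else {
 /**
 * Allow the $where to be prepared before we recieve it here.
 * This is a fallback for reverse compatibility, but is not recommended
 */
-_deprecated_argument( 'where', '2.0', __( 'Use the query in an array format so it can be properly prepared.', 'formidable' ) );
+_deprecated_argument( 'where', '2.0', esc_html__( 'Use the query in an array format so it can be properly prepared.', 'formidable' ) );
 $query .= $where . ' ' . implode( ' ', $args );
 }
 
@@ -543,7 +543,7 @@ class FrmDb {
 if ( is_array( $where ) ) {
 global $wpdb;
 self::get_where_clause_and_values( $where, $starts_with );
-$where = $wpdb->prepare( $where['where'], $where['values'] );
+$where = $wpdb->prepare( $where['where'], $where['values'] ); // WPCS: unprepared SQL ok.
 } else {
 $where = $starts_with . $where;
 }
@@ -618,7 +618,7 @@ class FrmDb {
 $results = get_posts( $query );
 } elseif ( 'get_associative_results' == $type ) {
 global $wpdb;
-$results = $wpdb->get_results( $query, OBJECT_K );
+$results = $wpdb->get_results( $query, OBJECT_K ); // WPCS: unprepared SQL ok.
 } else {
 global $wpdb;
 $results = $wpdb->{$type}( $query );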
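Review bot: The `// WPCS: unprepared SQL ok.` on line 408 of the 405 hunk silences the scanner without recording what it relies on: `$where['where']` is assumed to contain only the placeholders `get_where_clause_and_values()` builds, and `$args` (concatenated into the statement on lines 408 and 415 with no escaping in this method) is assumed to hold ORDER/LIMIT fragments the caller already escaped; neither is checked here. Since the project has `FrmDb::esc_order()`/`FrmDb::esc_limit()` (used by FrmForm in this same commit), the suppression should name the invariant, e.g. `// WPCS: unprepared SQL ok. $where['where'] holds only placeholders from get_where_clause_and_values(); $args must be pre-escaped by the caller.`, so a future reader verifies the assumption instead of inheriting it. The 543 hunk is the same pattern, and the 618 hunk trusts a `$query` prepared by the caller, which its comment should also say. All three enclosing methods start before their hunks.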
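--- a/classes/models/FrmEDD_SL_Plugin_Updater.php
+++ b/classes/models/FrmEDD_SL_Plugin_Updater.php
@@ -297,21 +297,22 @@ class FrmEDD_SL_Plugin_Updater {
 
 global $frm_edd_plugin_data;
 
-if ( empty( $_REQUEST['edd_sl_action'] ) || 'view_plugin_changelog' !== $_REQUEST['edd_sl_action'] ) {
+if ( empty( $_REQUEST['edd_sl_action'] ) || 'view_plugin_changelog' !== $_REQUEST['edd_sl_action'] ) { // WPCS: CSRF ok.
 return;
 }
 
-if ( empty( $_REQUEST['plugin'] ) || empty( $_REQUEST['slug'] ) ) {
+if ( empty( $_REQUEST['plugin'] ) || empty( $_REQUEST['slug'] ) ) { // WPCS: CSRF ok.
 return;
 }
 
 if ( ! current_user_can( 'update_plugins' ) ) {
-wp_die( __( 'You do not have permission to install plugin updates', 'formidable' ), __( 'Error', 'formidable' ), array( 'response' => 403 ) );
+wp_die( esc_html__( 'You do not have permission to install plugin updates', 'formidable' ), esc_html__( 'Error', 'formidable' ), array( 'response' => 403 ) );
 }
 
-$data = $frm_edd_plugin_data[ $_REQUEST['slug'] ];
+$slug = sanitize_text_field( $_REQUEST['slug'] ); // WPCS: CSRF ok.
+$data = $frm_edd_plugin_data[ $slug ];
 $beta = ! empty( $data['beta'] ) ? true : false;
-$cache_key = md5( 'edd_plugin_' . sanitize_key( $_REQUEST['plugin'] ) . '_' . $beta . '_version_info' );
+$cache_key = md5( 'edd_plugin_' . sanitize_key( $_REQUEST['plugin'] ) . '_' . $beta . '_version_info' ); // WPCS: CSRF ok.
 $version_info = $this->get_cached_version_info( $cache_key );
 
 if ( false === $version_info ) {
@@ -320,7 +321,7 @@ class FrmEDD_SL_Plugin_Updater {
 'edd_action' => 'get_version',
 'item_name' => isset( $data['item_name'] ) ? $data['item_name'] : false,
 'item_id' => isset( $data['item_id'] ) ? $data['item_id'] : false,
-'slug' => sanitize_text_field( $_REQUEST['slug'] ),
+'slug' => $slug,
 'author' => $data['author'],
 'url' => home_url(),
 'beta' => $beta,
@@ -354,7 +355,7 @@ class FrmEDD_SL_Plugin_Updater {
 }
 
 if ( ! empty( $version_info ) && isset( $version_info->sections['changelog'] ) ) {
-echo '<div style="background:#fff;padding:10px;">' . $version_info->sections['changelog'] . '</div>';
+echo '<div style="background:#fff;padding:10px;">' . FrmAppHelper::kses( $version_info->sections['changelog'], 'all' ) . '</div>'; // WPCS: XSS ok.
 }
 
 exit;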
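Review bot: `$data = $frm_edd_plugin_data[ $slug ];` at new line 313 still indexes the global with a request-supplied key without checking that the key exists, so an unknown `slug` yields a null `$data`, a PHP notice, and a `get_version` request to the update server built with `$data['author']` null; the commit moves the sanitization into `$slug` but keeps the unchecked lookup. Guard it before line 313: `if ( ! isset( $frm_edd_plugin_data[ $slug ] ) ) { return; }`. `slug` is also sanitized with `sanitize_text_field()` while `plugin` two lines later uses `sanitize_key()`; since the value is only used as an array key and an API slug, `sanitize_key()` would be the stricter and consistent choice, provided registered slugs are lowercase as `sanitize_key()` enforces. Wrapping the remotely supplied changelog in `FrmAppHelper::kses( ..., 'all' )` in the 354 hunk is the right fix for that output, and the `// WPCS: XSS ok.` there is justified by it. The enclosing method starts before the first hunk.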
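--- a/classes/models/FrmEntry.php
+++ b/classes/models/FrmEntry.php
@@ -276,7 +276,7 @@ class FrmEntry {
 
 $query .= is_numeric( $id ) ? 'it.id=%d' : 'it.item_key=%s';
 $query_args = array( $id );
-$query = $wpdb->prepare( $query, $query_args );
+$query = $wpdb->prepare( $query, $query_args ); // WPCS: unprepared SQL ok.
 
 if ( ! $meta ) {
 $entry = FrmDb::check_cache( $id . '_nometa', 'frm_entry', $query, 'get_row' );
@@ -288,7 +288,7 @@ class FrmEntry {
 return stripslashes_deep( $entry );
 }
 
-$entry = $wpdb->get_row( $query );
+$entry = $wpdb->get_row( $query ); // WPCS: unprepared SQL ok.
 $entry = self::get_meta( $entry );
 
 return stripslashes_deep( $entry );
@@ -381,7 +381,7 @@ class FrmEntry {
 // prepare the query
 $query = 'SELECT ' . $fields . ' FROM ' . $table . FrmDb::prepend_and_or_where( ' WHERE ', $where ) . $order_by . $limit;
 
-$entries = $wpdb->get_results( $query, OBJECT_K );
+$entries = $wpdb->get_results( $query, OBJECT_K ); // WPCS: unprepared SQL ok.
 unset( $query );
 
 FrmDb::set_cache( $cache_key, $entries, 'frm_entry' );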
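Review bot: In the 381 hunk the query on line 382 concatenates `$fields`, `$table`, `$order_by` and `$limit` raw, and the new `// WPCS: unprepared SQL ok.` on line 384 asserts that is safe without saying why; the parallel code in FrmForm in this same commit wraps the same two trailing parts in `FrmDb::esc_order()` and `FrmDb::esc_limit()`. If those are not already applied earlier in the method (which starts outside the hunk), apply them here: `$query = 'SELECT ' . $fields . ' FROM ' . $table . FrmDb::prepend_and_or_where( ' WHERE ', $where ) . FrmDb::esc_order( $order_by ) . FrmDb::esc_limit( $limit );`; if they are, the suppression comment should say so, e.g. `// WPCS: unprepared SQL ok. $where is prepared, $order_by/$limit escaped above.`. The 276 and 288 hunks go through `$wpdb->prepare()` with placeholders and need nothing beyond the comment.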
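--- a/classes/models/FrmEntryMeta.php
+++ b/classes/models/FrmEntryMeta.php
@@ -148,8 +148,8 @@ class FrmEntryMeta {
 );
 FrmDb::get_where_clause_and_values( $where );
 
-// Delete any leftovers
-$wpdb->query( $wpdb->prepare( 'DELETE FROM ' . $wpdb->prefix . 'frm_item_metas ' . $where['where'], $where['values'] ) );
+// Delete any leftovers
+$wpdb->query( $wpdb->prepare( 'DELETE FROM ' . $wpdb->prefix . 'frm_item_metas ' . $where['where'], $where['values'] ) ); // WPCS: unprepared SQL ok.
 self::clear_cache();
 }
 
@@ -413,7 +413,7 @@ class FrmEntryMeta {
 case 'day':
 $value = '%' . $value . '%';
 }
-$where .= $wpdb->prepare( ' meta_value ' . $operator . ' %s and', $value );
+$where .= $wpdb->prepare( ' meta_value ' . $operator . ' %s and', $value ); // WPCS: unprepared SQL ok.
 }
 $where .= $wpdb->prepare( ' field_id=%d', $field_id );
 $query = 'SELECT DISTINCT item_id FROM ' . $wpdb->prefix . 'frm_item_metas' . FrmDb::prepend_and_or_where( ' WHERE ', $where );
@@ -421,10 +421,10 @@ class FrmEntryMeta {
 if ( $operator == 'LIKE' ) {
 $search = '%' . $search . '%';
 }
-$query = $wpdb->prepare( "SELECT DISTINCT item_id FROM {$wpdb->prefix}frm_item_metas WHERE meta_value {$operator} %s and field_id = %d", $search, $field_id );
+$query = $wpdb->prepare( "SELECT DISTINCT item_id FROM {$wpdb->prefix}frm_item_metas WHERE meta_value {$operator} %s and field_id = %d", $search, $field_id ); // WPCS: unprepared SQL ok.
 }
 
-$results = $wpdb->get_col( $query, 0 );
+$results = $wpdb->get_col( $query, 0 ); // WPCS: unprepared SQL ok.
 FrmDb::set_cache( $cache_key, $results, 'frm_entry' );
 
 return $results;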
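Review bot: `$operator` is spliced into the SQL text of both prepared statements (line 416 in the 413 hunk and line 424 in the 421 hunk) outside any placeholder, and the new suppression comments do not say where it is constrained; the visible `case 'day'` and `== 'LIKE'` branches suggest a small fixed set, but the check itself is outside the hunks. Validate `$operator` against the method's accepted operators with a strict `in_array( $operator, $allowed_operators, true )` before it reaches either statement, and make the comment state that, e.g. `// WPCS: unprepared SQL ok. $operator is allow-listed above; $value is bound.`. The `// Delete any leftovers` line in the 148 hunk changes only in whitespace. All three enclosing methods start before their hunks.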
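--- a/classes/models/FrmEntryValidate.php
+++ b/classes/models/FrmEntryValidate.php
@@ -89,7 +89,7 @@ class FrmEntryValidate {
 
 if ( $posted_field->required == '1' && FrmAppHelper::is_empty_value( $value ) ) {
 $errors[ 'field' . $args['id'] ] = FrmFieldsHelper::get_error_msg( $posted_field, 'blank' );
-} else if ( $posted_field->type == 'text' && ! isset( $_POST['item_name'] ) ) {
+} else if ( $posted_field->type == 'text' && ! isset( $_POST['item_name'] ) ) { // WPCS: CSRF ok.
 $_POST['item_name'] = $value;
 }
 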
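--- a/classes/models/FrmField.php
+++ b/classes/models/FrmField.php
@@ -373,7 +373,7 @@ class FrmField {
 global $wpdb;
 
 $where = is_numeric( $id ) ? 'id=%d' : 'field_key=%s';
-$query = $wpdb->prepare( 'SELECT * FROM ' . $wpdb->prefix . 'frm_fields WHERE ' . $where, $id );
+$query = $wpdb->prepare( 'SELECT * FROM ' . $wpdb->prefix . 'frm_fields WHERE ' . $where, $id ); // WPCS: unprepared SQL ok.
 
 $results = FrmDb::check_cache( $id, 'frm_field', $query, 'get_row', 0 );
 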
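--- a/classes/models/FrmForm.php
+++ b/classes/models/FrmForm.php
@@ -326,7 +326,7 @@ class FrmForm {
 FrmDb::get_where_clause_and_values( $where );
 array_unshift( $where['values'], $status );
 
-$query_results = $wpdb->query( $wpdb->prepare( 'UPDATE ' . $wpdb->prefix . 'frm_forms SET status = %s ' . $where['where'], $where['values'] ) );
+$query_results = $wpdb->query( $wpdb->prepare( 'UPDATE ' . $wpdb->prefix . 'frm_forms SET status = %s ' . $where['where'], $where['values'] ) ); // WPCS: unprepared SQL ok.
 } else {
 $query_results = $wpdb->update( $wpdb->prefix . 'frm_forms', array( 'status' => $status ), array( 'id' => $id ) );
 $wpdb->update( $wpdb->prefix . 'frm_forms', array( 'status' => $status ), array( 'parent_form_id' => $id ) );
@@ -580,7 +580,7 @@ class FrmForm {
 
 // the query has already been prepared if this is not an array
 $query = 'SELECT * FROM ' . $wpdb->prefix . 'frm_forms' . FrmDb::prepend_and_or_where( ' WHERE ', $where ) . FrmDb::esc_order( $order_by ) . FrmDb::esc_limit( $limit );
-$results = $wpdb->get_results( $query );
+$results = $wpdb->get_results( $query ); // WPCS: unprepared SQL ok.
 }
 
 if ( $results ) {
@@ -693,7 +693,7 @@ class FrmForm {
 return $frm_vars['form_params'][ $form->id ];
 }
 
-$action_var = isset( $_REQUEST['frm_action'] ) ? 'frm_action' : 'action';
+$action_var = isset( $_REQUEST['frm_action'] ) ? 'frm_action' : 'action'; // WPCS: CSRF ok.
 $action = apply_filters( 'frm_show_new_entry_page', FrmAppHelper::get_param( $action_var, 'new', 'get', 'sanitize_title' ), $form );
 
 $default_values = array(
@@ -732,7 +732,7 @@ class FrmForm {
 }
 }
 
-if ( in_array( $values['action'], array( 'create', 'update' ) ) && ( ! $_POST || ( ! isset( $_POST['action'] ) && ! isset( $_POST['frm_action'] ) ) ) ) {
+if ( in_array( $values['action'], array( 'create', 'update' ) ) && ( ! $_POST || ( ! isset( $_POST['action'] ) && ! isset( $_POST['frm_action'] ) ) ) ) { // WPCS: CSRF ok.
 $values['action'] = 'new';
 }
 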
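Review bot: `isset( $_REQUEST['frm_action'] )` at new line 696 of the 693 hunk decides which parameter name is read, and `$_REQUEST` is filled according to PHP's `request_order` (falling back to `variables_order`, which includes cookies on some configurations), so the presence test can be satisfied by a cookie named `frm_action` even though `FrmAppHelper::get_param()` is then told to read from `'get'`; testing the superglobals you actually mean, `isset( $_GET['frm_action'] ) || isset( $_POST['frm_action'] )`, removes that ambiguity and matches the `$_POST`-only checks on line 735. The `in_array( $values['action'], array( 'create', 'update' ) )` on line 735 is non-strict and should pass `true` as its third argument. `// WPCS: CSRF ok.` is accurate for both lines since neither changes state, but it reads better with the reason attached, e.g. `// WPCS: CSRF ok. Read-only check of which parameter name is present.`. Both enclosing methods start before their hunks.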
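--- a/classes/models/FrmMigrate.php
+++ b/classes/models/FrmMigrate.php
@@ -165,7 +165,7 @@ class FrmMigrate {
 dbDelta( $q . $charset_collate . ';' );
 } else {
 global $wpdb;
-$wpdb->query( $q . $charset_collate );
+$wpdb->query( $q . $charset_collate ); // WPCS: unprepared SQL ok.
 }
 unset( $q );
 }
@@ -219,15 +219,15 @@ class FrmMigrate {
 public function uninstall() {
 if ( ! current_user_can( 'administrator' ) ) {
 $frm_settings = FrmAppHelper::get_settings();
-wp_die( $frm_settings->admin_permission );
+wp_die( esc_html( $frm_settings->admin_permission ) );
 }
 
 global $wpdb, $wp_roles;
 
-$wpdb->query( 'DROP TABLE IF EXISTS ' . $this->fields );
-$wpdb->query( 'DROP TABLE IF EXISTS ' . $this->forms );
-$wpdb->query( 'DROP TABLE IF EXISTS ' . $this->entries );
-$wpdb->query( 'DROP TABLE IF EXISTS ' . $this->entry_metas );
+$wpdb->query( 'DROP TABLE IF EXISTS ' . $this->fields ); // WPCS: unprepared SQL ok.
+$wpdb->query( 'DROP TABLE IF EXISTS ' . $this->forms ); // WPCS: unprepared SQL ok.
+$wpdb->query( 'DROP TABLE IF EXISTS ' . $this->entries ); // WPCS: unprepared SQL ok.
+$wpdb->query( 'DROP TABLE IF EXISTS ' . $this->entry_metas ); // WPCS: unprepared SQL ok.
 
 delete_option( 'frm_options' );
 delete_option( 'frm_db_version' );
@@ -381,9 +381,9 @@ class FrmMigrate {
 */
 private function migrate_to_23() {
 global $wpdb;
-$exists = $wpdb->get_row( 'SHOW COLUMNS FROM ' . $this->forms . ' LIKE "parent_form_id"' );
+$exists = $wpdb->get_row( 'SHOW COLUMNS FROM ' . $this->forms . ' LIKE "parent_form_id"' ); // WPCS: unprepared SQL ok.
 if ( empty( $exists ) ) {
-$wpdb->query( 'ALTER TABLE ' . $this->forms . ' ADD parent_form_id int(11) default 0' );
+$wpdb->query( 'ALTER TABLE ' . $this->forms . ' ADD parent_form_id int(11) default 0' ); // WPCS: unprepared SQL ok.
 }
 }
 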
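Review bot: `uninstall()` in the 219 hunk gates dropping all four plugin tables on `current_user_can( 'administrator' )`, which is a role name rather than a capability; WordPress documents role checks through `current_user_can()` as unreliable (roles can be renamed and their capabilities remapped) and recommends a capability, e.g. `if ( ! current_user_can( 'activate_plugins' ) ) {`. The commit only adds `esc_html()` to the `wp_die()` message and suppression comments to the `DROP TABLE` lines, which are fine because the table names come from `$this->…` properties, but the authorization check is the more important line in this hunk for a destructive action. Whether a nonce is verified before `uninstall()` is reached is not visible here and is worth confirming. The method continues past the hunk.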
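--- a/classes/models/FrmNotification.php
+++ b/classes/models/FrmNotification.php
@@ -63,7 +63,7 @@ class FrmNotification {
 $sent_to = array_filter( $sent_to );
 
 $temp = str_replace( '<', '&lt;', $sent_to );
-echo ' ' . FrmAppHelper::kses( implode( ', ', (array) $temp ) );
+echo ' ' . FrmAppHelper::kses( implode( ', ', (array) $temp ) ); // WPCS: XSS ok.
 }
 }
 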
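--- a/classes/models/FrmPointers.php
+++ b/classes/models/FrmPointers.php
@@ -10,44 +10,14 @@ class FrmPointers {
  */
  public static $instance;
 
- /**
- * @var array Holds the buttons to be put out
- */
- private $button_array;
-
- /**
- * @var array Holds the admin pages we have pointers for and the callback that generates the pointers content
- */
- private $admin_pages = array(
- '' => 'forms_pointer',
- 'entries' => 'entries_pointer',
- 'styles' => 'styles_pointer',
- 'import' => 'import_pointer',
- 'settings' => 'settings_pointer',
- 'addons' => 'addons_pointer',
- );
-
- /**
- * Class constructor.
- */
- private function __construct() {
- if ( current_user_can( 'manage_options' ) ) {
-
- if ( ! get_user_meta( get_current_user_id(), 'frm_ignore_tour' ) ) {
- wp_enqueue_style( 'wp-pointer' );
- wp_enqueue_script( 'jquery-ui' );
- wp_enqueue_script( 'wp-pointer' );
- add_action( 'admin_print_footer_scripts', array( $this, 'intro_tour' ) );
- }
- }
- }
-
  /**
  * Get the singleton instance of this class
  *
  * @return object
  */
  public static function get_instance() {
+ _deprecated_function( __FUNCTION__, '3.01.03' );
+
  if ( ! ( self::$instance instanceof self ) ) {
  self::$instance = new self();
  }
@@ -59,15 +29,7 @@ class FrmPointers {
  * Load the introduction tour
  */
  public function intro_tour() {
- global $pagenow;
-
- $page = preg_replace( '/^(formidable[-]?)/', '', filter_input( INPUT_GET, 'page' ) );
-
- if ( 'admin.php' === $pagenow && array_key_exists( $page, $this->admin_pages ) ) {
- $this->do_page_pointer( $page );
- } else {
- $this->start_tour_pointer();
- }
+ _deprecated_function( __FUNCTION__, '3.01.03' );
  }
 
  /**
@@ -77,289 +39,6 @@ class FrmPointers {
  * @param array $options The options for the pointer.
  */
  public function print_scripts( $selector, $options ) {
- // Button1 is the close button, which always exists.
- $default_button = array(
- 'text' => false,
- 'function' => '',
- );
- $button_array_defaults = array(
- 'button2' => $default_button,
- 'button3' => $default_button,
- );
- $this->button_array = wp_parse_args( $this->button_array, $button_array_defaults );
- ?>
- <script type="text/javascript">
- //<![CDATA[
- (function ($) {
- // Don't show the tour on screens with an effective width smaller than 1024px or an effective height smaller than 768px.
- if (jQuery(window).width() < 1024 || jQuery(window).availWidth < 1024) {
- return;
- }
-
- var frm_pointer_options = <?php echo json_encode( $options ); ?>, setup;
-
- frm_pointer_options = $.extend(frm_pointer_options, {
- buttons: function (event, t) {
- var button = jQuery('<a href="<?php echo esc_url( $this->get_ignore_url() ); ?>" id="pointer-close" style="margin:0 5px;" class="button-secondary">' + '<?php esc_html_e( 'Close', 'formidable' ) ?>' + '</a>');
- button.bind('click.pointer', function () {
- t.element.pointer('close');
- });
- return button;
- },
- close: function () {
- }
- });
-
- setup = function () {
- $('<?php echo esc_attr( $selector ); ?>').pointer(frm_pointer_options).pointer('open');
- var lastOpenedPointer = jQuery( '.wp-pointer').slice( -1 );
- <?php
- $this->button2();
- $this->button3();
- ?>
- };
-
- if (frm_pointer_options.position && frm_pointer_options.position.defer_loading)
- $(window).bind('load.wp-pointers', setup);
- else
- $(document).ready(setup);
- })(jQuery);
- //]]>
- </script>
- <?php
- }
-
- /**
- * Render button 2, if needed
- */
- private function button2() {
- if ( $this->button_array['button2']['text'] ) {
- ?>
- lastOpenedPointer.find( '#pointer-close' ).after('<a id="pointer-primary" class="button-primary">' +
- '<?php echo esc_attr( $this->button_array['button2']['text'] ); ?>' + '</a>');
- lastOpenedPointer.find('#pointer-primary').click(function () {
- <?php echo $this->button_array['button2']['function']; ?>
- });
- <?php
- }
- }
-
- /**
- * Render button 3, if needed. This is the previous button in most cases
- */
- private function button3() {
- if ( $this->button_array['button3']['text'] ) {
- ?>
- lastOpenedPointer.find('#pointer-primary').after('<a id="pointer-ternary" style="float: left;" class="button-secondary">' +
- '<?php echo esc_attr( $this->button_array['button3']['text'] ); ?>' + '</a>');
- lastOpenedPointer.find('#pointer-ternary').click(function () {
- <?php echo $this->button_array['button3']['function']; ?>
- });
- <?php
- }
- }
-
- /**
- * Show a pointer that starts the tour
- */
- private function start_tour_pointer() {
- $selector = 'li.toplevel_page_formidable';
-
- $content = '<h3>' . __( 'Congratulations!', 'formidable' ) . '</h3>'
- . '<p>' . $this->opening_line() . ' ' . __( 'Click &#8220;Start Tour&#8221; to view a quick introduction of this plugin&#8217;s core functionality.', 'formidable' ) . '</p>';
- $opt_arr = array(
- 'content' => $content,
- 'position' => array(
- 'edge' => 'top',
- 'align' => 'center',
- ),
- );
-
- $this->button_array['button2']['text'] = __( 'Start Tour', 'formidable' );
- $this->button_array['button2']['function'] = sprintf( 'document.location="%s";', admin_url( 'admin.php?page=formidable' ) );
-
- $this->print_scripts( $selector, $opt_arr );
- }
-
- private function opening_line() {
- $opening = __( 'You&#8217;ve just installed a new form builder plugin!', 'formidable' );
- return $opening;
- }
-
- /**
- * Shows a pointer on the proper pages
- *
- * @param string $page Admin page key.
- */
- private function do_page_pointer( $page ) {
- $pointer = call_user_func( array( $this, $this->admin_pages[ $page ] ) );
-
- $opt_arr = array(
- 'content' => $pointer['content'],
- 'position' => array(
- 'edge' => 'top',
- 'align' => ( is_rtl() ) ? 'right' : 'left',
- ),
- 'pointerWidth' => 450,
- );
-
- $selector = 'h2';
- if ( isset( $pointer['selector'] ) ) {
- $selector = $pointer['selector'];
- }
-
- if ( isset( $pointer['position'] ) ) {
- $opt_arr['position'] = $pointer['position'];
- }
-
- if ( isset( $pointer['next_page'] ) ) {
- if ( ! empty( $pointer['next_page'] ) ) {
- $pointer['next_page'] = '-' . $pointer['next_page'];
- }
- $this->button_array['button2'] = array(
- 'text' => __( 'Next', 'formidable' ),
- 'function' => 'window.location="' . esc_url_raw( admin_url( 'admin.php?page=formidable' . $pointer['next_page'] ) ) . '";',
- );
- }
- if ( isset( $pointer['prev_page'] ) ) {
- if ( ! empty( $pointer['prev_page'] ) ) {
- $pointer['prev_page'] = '-' . $pointer['prev_page'];
- }
- $this->button_array['button3'] = array(
- 'text' => __( 'Previous', 'formidable' ),
- 'function' => 'window.location="' . esc_url_raw( admin_url( 'admin.php?page=formidable' . $pointer['prev_page'] ) ) . '";',
- );
- }
- $this->print_scripts( $selector, $opt_arr );
- }
-
- /**
- * Returns the content of the Forms listing page pointer
- *
- * @return array
- */
- private function forms_pointer() {
- global $current_user;
-
- return array(
- 'content' => '<h3>' . __( 'Forms', 'formidable' ) . '</h3>'
- . '<p>' . __( 'All your forms will be listed on this page. Create your first form by clicking on the "Add New" button.', 'formidable' ) . '</p>'
- . '<p><strong>' . __( 'Subscribe to our Newsletter', 'formidable' ) . '</strong><br/>'
- . sprintf( __( 'If you would like to hear about new features and updates for %1$s, subscribe to our newsletter:', 'formidable' ), 'Formidable' ) . '</p>'
- . '<form target="_blank" action="//formidablepro.us1.list-manage.com/subscribe/post?u=a4a913790ffb892daacc6f271&amp;id=7e7df15967" method="post" selector="newsletter-form" accept-charset="' . esc_attr( get_bloginfo( 'charset' ) ) . '">'
- . '<p>'
- . '<input style="margin: 5px; color:#666" name="EMAIL" value="' . esc_attr( $current_user->user_email ) . '" selector="newsletter-email" placeholder="' . esc_attr__( 'Email', 'formidable' ) . '"/>'
- . '<input type="hidden" name="group[4505]" value="4" />'
- . '<button type="submit" class="button-primary">' . esc_html__( 'Subscribe', 'formidable' ) . '</button>'
- . '</p>'
- . '</form>',
- 'next_page' => 'entries',
- );
- }
-
- /**
- * Returns the content of the Entries listing page pointer
- *
- * @return array
- */
- private function entries_pointer() {
- return array(
- 'content' => '<h3>' . __( 'Entries', 'formidable' ) . '</h3>'
- . '<p>' . __( 'Each time one of your forms is submitted, an entry is created. You will find every form submission listed here so you will always have a backup if an email fails.', 'formidable' ) . '</p>',
- 'prev_page' => '',
- 'next_page' => 'styles',
- 'selector' => '.wp-list-table',
- 'position' => array(
- 'edge' => 'bottom',
- 'align' => 'center',
- ),
- );
- }
-
- /**
- * Returns the content of the Styles page pointer
- *
- * @return array
- */
- private function styles_pointer() {
- return array(
- 'content' => '<h3>' . __( 'Styles', 'formidable' ) . '</h3>'
- . '<p>' . __( 'Want to make changes to the way your forms look? Make all the changes you would like right here, and watch the sample form change before your eyes.', 'formidable' ) . '</p>',
- 'prev_page' => 'entries',
- 'next_page' => 'import',
- 'selector' => '.general-style',
- 'position' => array(
- 'edge' => 'left',
- 'align' => 'right',
- ),
- );
- }
-
- /**
- * Returns the content of the Import/Export page pointer
- *
- * @return array
- */
- private function import_pointer() {
- return array(
- 'content' => '<h3>' . __( 'Import/Export', 'formidable' ) . '</h3>'
- . '<p>' . __( 'Import and export forms and styles when copying from one site to another or sharing with someone else. Your entries can be exported to a CSV as well. The Premium version also includes the option to import entries to your site from a CSV.', 'formidable' ) . '</p>',
- 'prev_page' => 'styles',
- 'next_page' => 'settings',
- 'selector' => '.inside.with_frm_style',
- 'position' => array(
- 'edge' => 'bottom',
- 'align' => 'top',
- ),
- );
- }
-
- /**
- * Returns the content of the advanced page pointer
- *
- * @return array
- */
- private function settings_pointer() {
- return array(
- 'content' => '<h3>' . __( 'Global Settings', 'formidable' ) . '</h3>'
- . '<p><strong>' . __( 'General', 'formidable' ) . '</strong><br/>'
- . __( 'Turn stylesheets and scripts off, set which user roles have access to change and create forms, setup your reCaptcha, and set default messages for new forms and fields.', 'formidable' )
- . '<p><strong>' . __( 'Plugin Licenses', 'formidable' ) . '</strong><br/>'
- . sprintf( __( 'Once you&#8217;ve purchased %1$s or any addons, you&#8217;ll have to enter a license key to get access to all of their powerful features. A Plugin Licenses tab will appear here for you to enter your license key.', 'formidable' ), 'Formidable Pro' )
- . '</p>',
- 'prev_page' => 'import',
- 'next_page' => 'addons',
- );
- }
-
- /**
- * Returns the content of the extensions and licenses page pointer
- *
- * @return array
- */
- private function addons_pointer() {
- return array(
- 'content' => '<h3>' . __( 'Addons', 'formidable' ) . '</h3>'
- . '<p>' . sprintf( __( 'The powerful functions of %1$s can be extended with %2$spremium plugins%3$s. You can read all about the Formidable Premium Plugins %2$shere%3$s.', 'formidable' ), 'Formidable', '<a target="_blank" href="' . esc_url( FrmAppHelper::make_affiliate_url( 'https://formidableforms.com/' ) ) . '">', '</a>' )
- . '</p>'
- . '<p><strong>' . __( 'Like this plugin?', 'formidable' ) . '</strong><br/>' . sprintf( __( 'So, we&#8217;ve come to the end of the tour. If you like the plugin, please %1$srate it 5 stars on WordPress.org%2$s!', 'formidable' ), '<a target="_blank" href="https://wordpress.org/plugins/formidable/">', '</a>' ) . '</p>'
- . '<p>' . sprintf( __( 'Thank you for using our plugin and good luck with your forms!<br/><br/>Best,<br/>Team Formidable - %1$sformidableforms.com%2$s', 'formidable' ), '<a target="_blank" href="' . esc_url( FrmAppHelper::make_affiliate_url( 'https://formidableforms.com/' ) ) . '">', '</a>' ) . '</p>',
- 'prev_page' => 'settings',
- );
- }
-
- /**
- * Extending the current page URL with two params to be able to ignore the tour.
- *
- * @return mixed
- */
- private function get_ignore_url() {
- $arr_params = array(
- 'frm_restart_tour' => false,
- 'frm_ignore_tour' => '1',
- 'nonce' => wp_create_nonce( 'frm-ignore-tour' ),
- );
-
- return add_query_arg( $arr_params );
+ _deprecated_function( __FUNCTION__, '3.01.03' );
  }
  }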
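Review bot: The three `_deprecated_function( __FUNCTION__, '3.01.03' )` calls pass only the bare method name, so the notice reads e.g. `get_instance is deprecated since version 3.01.03` with no class attached; `__METHOD__` would report `FrmPointers::get_instance`, and the third argument could name a replacement or state that there is none. The surviving docblocks were left untouched and still describe the removed behaviour ("Load the introduction tour", "Get the singleton instance"); each should gain `@deprecated 3.01.03` plus a line saying the method is now a no-op. `print_scripts( $selector, $options )` keeps both parameters but no longer reads them, which its docblock should also say.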
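--- a/classes/models/fields/FrmFieldCaptcha.php
+++ b/classes/models/fields/FrmFieldCaptcha.php
@@ -168,7 +168,7 @@ class FrmFieldCaptcha extends FrmFieldType {
  }
 
  protected function should_validate() {
- $is_hidden_field = apply_filters( 'frm_is_field_hidden', false, $this->field, stripslashes_deep( $_POST ) );
+ $is_hidden_field = apply_filters( 'frm_is_field_hidden', false, $this->field, stripslashes_deep( $_POST ) ); // WPCS: CSRF ok.
  if ( FrmAppHelper::is_admin() || $is_hidden_field ) {
  return false;
  }
@@ -186,7 +186,7 @@ class FrmFieldCaptcha extends FrmFieldType {
  $arg_array = array(
  'body' => array(
  'secret' => $frm_settings->privkey,
- 'response' => $_POST['g-recaptcha-response'],
+ 'response' => $_POST['g-recaptcha-response'], // WPCS: CSRF ok.
  'remoteip' => FrmAppHelper::get_ip_address(),
  ),
  );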
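Review bot: The `g-recaptcha-response` read in the second hunk is now whitelisted for the CSRF sniff but still has no `isset()` guard and no unslash/sanitize step, so a submission that omits the token raises an undefined-index notice and an empty `response` is sent to the verification endpoint. `'response' => isset( $_POST['g-recaptcha-response'] ) ? sanitize_text_field( wp_unslash( $_POST['g-recaptcha-response'] ) ) : '',` handles both and lets the annotation on that line go. The enclosing method starts outside the hunk, so an earlier guard there is possible but not visible.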
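--- a/classes/models/fields/FrmFieldDefault.php
+++ b/classes/models/fields/FrmFieldDefault.php
@@ -31,9 +31,9 @@ class FrmFieldDefault extends FrmFieldType {
  ob_end_clean();
 
  if ( empty( $input_html ) ) {
- echo $this->builder_text_field( $name );
+ echo $this->builder_text_field( $name ); // WPCS: XSS ok.
  } else {
- echo $input_html;
+ echo $input_html; // WPCS: XSS ok.
  }
  }
 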
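Review bot: The two `// WPCS: XSS ok.` annotations give no reason, so a later reader cannot tell whether `builder_text_field()` and the buffered `$input_html` are escaped upstream or merely trusted; a whitelist comment should point at where escaping happens, e.g. `// WPCS: XSS ok. Attributes are esc_attr()'d inside builder_text_field().` if that is the case. Neither helper's body is visible in this section, so I cannot confirm it. The same bare annotation is added in FrmFieldType.php, FrmFieldTextarea.php and direct.php.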
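--- a/classes/models/fields/FrmFieldNumber.php
+++ b/classes/models/fields/FrmFieldNumber.php
@@ -36,6 +36,13 @@ class FrmFieldNumber extends FrmFieldType {
  );
  }
 
+ /**
+ * @since 3.01.03
+ */
+ protected function add_extra_html_atts( $args, &$input_html ) {
+ $this->add_min_max( $args, $input_html );
+ }
+
  public function validate( $args ) {
  $errors = array();
 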
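Review bot: The new `add_extra_html_atts` override carries only an `@since` tag and says nothing about what it does or that it writes back through a reference. A one-line purpose plus parameter docs would do: `* Append HTML5 min, max and step attributes to the number input.`, `* @param array $args`, `* @param string $input_html Attribute string, appended to by reference.` The parent `add_min_max` it delegates to is defined in FrmFieldType.php in this same change.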
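--- a/classes/models/fields/FrmFieldTextarea.php
+++ b/classes/models/fields/FrmFieldTextarea.php
@@ -34,11 +34,12 @@ class FrmFieldTextarea extends FrmFieldType {
  $max = FrmField::get_option( $this->field, 'max' );
  $default_value = FrmAppHelper::esc_textarea( force_balance_tags( $this->get_field_column( 'default_value' ) ) );
 
- echo '<textarea name="' . esc_attr( $this->html_name( $name ) ) . '" ' .
- $size_html . ' rows="' . esc_attr( $max ) . '" ' .
+ echo '<textarea name="' . esc_attr( $this->html_name( $name ) ) . '" ' . // WPCS: XSS ok.
+ $size_html // WPCS: XSS ok.
+ . ' rows="' . esc_attr( $max ) . '" ' .
  'id="' . esc_attr( $this->html_id() ) . '" class="dyn_default_value">' .
- $default_value // WPCS: XSS ok.
- '</textarea>';
+ $default_value // WPCS: XSS ok.
+ . '</textarea>';
  }
 
  protected function prepare_display_value( $value, $atts ) {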
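--- a/classes/models/fields/FrmFieldType.php
+++ b/classes/models/fields/FrmFieldType.php
@@ -177,7 +177,7 @@ DEFAULT_HTML;
  if ( ! empty( $include_file ) ) {
  $this->include_on_form_builder( $name, $field );
  } elseif ( $this->has_input ) {
- echo $this->builder_text_field( $name );
+ echo $this->builder_text_field( $name ); // WPCS: XSS ok.
  }
  }
 
@@ -402,7 +402,7 @@ DEFAULT_HTML;
  */
  public function show_field( $args ) {
  if ( apply_filters( 'frm_show_normal_field_type', $this->normal_field, $this->type ) ) {
- echo $this->prepare_field_html( $args );
+ echo $this->prepare_field_html( $args ); // WPCS: XSS ok.
  } else {
  do_action( 'frm_show_other_field_type', $this->field, $args['form'], array( 'action' => $args['form_action'] ) );
  }
@@ -523,6 +523,7 @@ DEFAULT_HTML;
  $field_type = $this->html5_input_type();
  $input_html = $this->get_field_input_html_hook( $this->field );
  $this->add_aria_description( $args, $input_html );
+ $this->add_extra_html_atts( $args, $input_html );
 
  return '<input type="' . esc_attr( $field_type ) . '" id="' . esc_attr( $args['html_id'] ) . '" name="' . esc_attr( $args['field_name'] ) . '" value="' . esc_attr( $this->field['value'] ) . '" ' . $input_html . '/>';
  }
@@ -532,6 +533,43 @@ DEFAULT_HTML;
  return $frm_settings->use_html ? $this->type : 'text';
  }
 
+ /**
+ * Add paramters to an input value as an alterntative to
+ * using the frm_field_input_html hook
+ *
+ * @since 3.01.03
+ */
+ protected function add_extra_html_atts( $args, &$input_html ) {
+ // override from other fields
+ }
+
+ /**
+ * @since 3.01.03
+ */
+ protected function add_min_max( $args, &$input_html ) {
+ $frm_settings = FrmAppHelper::get_settings();
+ if ( ! $frm_settings->use_html ) {
+ return;
+ }
+
+ $min = FrmField::get_option( $this->field, 'minnum' );
+ if ( ! is_numeric( $min ) ) {
+ $min = 0;
+ }
+
+ $max = FrmField::get_option( $this->field, 'maxnum' );
+ if ( ! is_numeric( $max ) ) {
+ $max = 9999999;
+ }
+
+ $step = FrmField::get_option( $this->field, 'step' );
+ if ( ! is_numeric( $step ) && $step !== 'any' ) {
+ $step = 1;
+ }
+
+ $input_html .= ' min="' . esc_attr( $min ) . '" max="' . esc_attr( $max ) . '" step="' . esc_attr( $step ) . '"';
+ }
+
  protected function maybe_include_hidden_values( $args ) {
  $hidden = '';
  $is_read_only = FrmField::is_read_only( $this->field ) && ! FrmAppHelper::is_admin();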
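Review bot: `add_min_max` in the last hunk has no docblock beyond `@since`, and the base `add_extra_html_atts` docblock above it misspells `paramters` and `alterntative`; both should state that `$input_html` is an attribute string appended to by reference and that the `min`/`max`/`step` written here are browser-side hints only. Because those attributes are trivially removed client-side, the same bounds must be enforced in `FrmFieldNumber::validate()`; its body is outside this section, so I cannot confirm it does. Note also that a blank `minnum`/`maxnum` option silently becomes `min="0"` / `max="9999999"`, which rejects negative or larger values in the browser even when no bound was configured — if that is not intended, only emit each attribute when its option `is_numeric()`. The `esc_attr()` wrapping on the emitted values is correct.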
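--- a/classes/models/fields/FrmFieldUserID.php
+++ b/classes/models/fields/FrmFieldUserID.php
@@ -41,7 +41,7 @@ class FrmFieldUserID extends FrmFieldType {
 
  $user_ID = get_current_user_id();
  $user_ID = ( $user_ID ? $user_ID : '' );
- $posted_value = ( FrmAppHelper::is_admin() && $_POST && isset( $_POST['item_meta'][ $this->field['id'] ] ) );
+ $posted_value = ( FrmAppHelper::is_admin() && $_POST && isset( $_POST['item_meta'][ $this->field['id'] ] ) ); // WPCS: CSRF ok.
  $updating = ( isset( $args['action'] ) && $args['action'] == 'update' );
  $value = ( is_numeric( $this->field['value'] ) || $posted_value || $updating ) ? $this->field['value'] : $user_ID;
 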
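Review bot: On the re-annotated `$posted_value` line the `$_POST &&` test is redundant, since `isset( $_POST['item_meta'][ ... ] )` is already false for an empty array; `$posted_value = FrmAppHelper::is_admin() && isset( $_POST['item_meta'][ $this->field['id'] ] ); // WPCS: CSRF ok.` reads cleaner. The whitelist is defensible here because the POST data only decides whether the already-prepared `$this->field['value']` is kept over the current user id (see the `$value` line below it), and a short comment saying exactly that would spare the next reviewer the same analysis. The enclosing method starts outside the hunk.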
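--- a/classes/views/frm-entries/_sidebar-shared-pub.php
+++ b/classes/views/frm-entries/_sidebar-shared-pub.php
@@ -7,7 +7,7 @@ if ( ! isset( $entry ) ) {
  <span id="timestamp">
  <?php
  $date_format = __( 'M j, Y @ G:i' );
- printf( esc_html__( 'Published on: %1$s' ), '<b>' . FrmAppHelper::get_localized_date( $date_format, $entry->created_at ) . '</b>' );
+ printf( esc_html__( 'Published on: %1$s' ), '<b>' . esc_html( FrmAppHelper::get_localized_date( $date_format, $entry->created_at ) ) . '</b>' );
  ?>
  </span>
  </div>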
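Review bot: `esc_html__( 'Published on: %1$s' )` on the changed line and `__( 'M j, Y @ G:i' )` above it carry no text domain, unlike every other string in this change (`'formidable'`); if this is deliberate reuse of WordPress core's own translations, say so with `// Core strings: intentionally no text domain.` so the sniff exception is understood, otherwise add the domain. The new `esc_html()` around the date is placed correctly, since the `<b>` markup is supplied outside the escaped value.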
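--- a/classes/views/frm-entries/direct.php
+++ b/classes/views/frm-entries/direct.php
@@ -7,7 +7,7 @@
  <?php wp_head(); ?>
  </head>
  <body class="frm_preview_page">
- <?php echo FrmFormsController::show_form( $form->id, '', true, true ); ?>
+ <?php echo FrmFormsController::show_form( $form->id, '', true, true ); // WPCS: XSS ok. ?>
  <?php wp_footer(); ?>
  </body>
  </html>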
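--- a/classes/views/frm-entries/errors.php
+++ b/classes/views/frm-entries/errors.php
@@ -12,7 +12,7 @@ if ( isset( $message ) && $message != '' ) {
  FrmFormsHelper::maybe_get_scroll_js( $form->id );
 
  // we need to allow scripts here for javascript in the success message
- echo $message;
+ echo $message; // WPCS: XSS ok.
  }
  }
 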
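Review bot: `echo $message; // WPCS: XSS ok.` is justified only by the line above saying scripts are allowed in the success message, which describes the intent but not the trust boundary; the annotation should name it, e.g. `// WPCS: XSS ok. Success message is admin-authored HTML from the form settings and may carry script by design; do not escape here.` The hunk does not show where `$message` is assembled or which capability gates editing that setting, so whether the trust assumption holds cannot be confirmed from this section.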
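--- a/classes/views/frm-entries/form.php
+++ b/classes/views/frm-entries/form.php
@@ -1,6 +1,6 @@
  <?php
  if ( empty( $values ) || ! isset( $values['fields'] ) || empty( $values['fields'] ) ) { ?>
- <div class="frm_forms <?php echo FrmFormsHelper::get_form_style_class( $form ); ?>" id="frm_form_<?php echo esc_attr( $form->id ); ?>_container">
+ <div class="frm_forms <?php echo esc_attr( FrmFormsHelper::get_form_style_class( $form ) ); ?>" id="frm_form_<?php echo esc_attr( $form->id ); ?>_container">
  <div class="frm_error_style"><strong><?php esc_html_e( 'Oops!', 'formidable' ) ?></strong> <?php printf( esc_html__( 'You did not add any fields to your form. %1$sGo back%2$s and add some.', 'formidable' ), '<a href="' . esc_url( admin_url( '?page=formidable&frm_action=edit&id=' . $form->id ) ) . '">', '</a>' ) ?>
  </div>
  </div>
@@ -17,8 +17,8 @@ $frm_hide_fields = FrmAppHelper::get_post_param( 'frm_hide_fields_' . $form->id,
  ?>
  <div class="frm_form_fields <?php echo esc_attr( apply_filters( 'frm_form_fields_class', '', $values ) ); ?>">
  <fieldset>
- <?php echo FrmFormsHelper::replace_shortcodes( $values['before_html'], $form, $title, $description ); ?>
- <div <?php echo wp_strip_all_tags( apply_filters( 'frm_fields_container_class', 'class="frm_fields_container"' ) ); ?>>
+ <?php echo FrmFormsHelper::replace_shortcodes( $values['before_html'], $form, $title, $description ); // WPCS: XSS ok. ?>
+ <div <?php echo wp_strip_all_tags( apply_filters( 'frm_fields_container_class', 'class="frm_fields_container"' ) ); // WPCS: XSS ok. ?>>
  <?php do_action( 'frm_after_title', compact( 'form' ) ); ?>
  <input type="hidden" name="frm_action" value="<?php echo esc_attr( $form_action ); ?>" />
  <input type="hidden" name="form_id" value="<?php echo esc_attr( $form->id ); ?>" />
@@ -63,7 +63,7 @@ if ( isset( $frm_vars['collapse_div'] ) && $frm_vars['collapse_div'] ) {
  unset( $frm_vars['collapse_div'] );
  }
 
- echo FrmFormsHelper::replace_shortcodes( $values['after_html'], $form );
+ echo FrmFormsHelper::replace_shortcodes( $values['after_html'], $form ); // WPCS: XSS ok.
 
  if ( FrmForm::show_submit( $form ) ) {
 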
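Review bot: `wp_strip_all_tags()` is not an escaper for the attribute position it feeds on the second hunk's `<div <?php echo ... ?>>` line — it removes tags but leaves quotes and attribute syntax intact — so the `XSS ok.` there rests entirely on `frm_fields_container_class` being populated by trusted plugin or theme code. That is a reasonable trust boundary for a filter, but the annotation should say so, e.g. `// WPCS: XSS ok. Whole attribute string from developer code via filter; cannot be esc_attr()'d as a unit.` The same applies to the two `wp_strip_all_tags( apply_filters( ... ) )` echoes in new.php. The new `esc_attr()` around `get_form_style_class()` in the first hunk is the right fix.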
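--- a/classes/views/frm-entries/new.php
+++ b/classes/views/frm-entries/new.php
@@ -1,6 +1,6 @@
- <div class="frm_forms <?php echo esc_attr( FrmFormsHelper::get_form_style_class( $values ) ); ?>" id="frm_form_<?php echo esc_attr( $form->id ) ?>_container" <?php echo wp_strip_all_tags( apply_filters( 'frm_form_div_attributes', '', $form ) ); ?>>
+ <div class="frm_forms <?php echo esc_attr( FrmFormsHelper::get_form_style_class( $values ) ); ?>" id="frm_form_<?php echo esc_attr( $form->id ) ?>_container" <?php echo wp_strip_all_tags( apply_filters( 'frm_form_div_attributes', '', $form ) ); // WPCS: XSS ok. ?>>
  <?php if ( ! isset( $include_form_tag ) || $include_form_tag ) { ?>
- <form enctype="<?php echo esc_attr( apply_filters( 'frm_form_enctype', 'multipart/form-data', $form ) ) ?>" method="post" class="frm-show-form <?php do_action( 'frm_form_classes', $form ) ?>" id="form_<?php echo esc_attr( $form->form_key ) ?>" <?php echo $frm_settings->use_html ? '' : 'action=""'; ?> <?php echo wp_strip_all_tags( apply_filters( 'frm_form_attributes', '', $form ) ); ?>>
+ <form enctype="<?php echo esc_attr( apply_filters( 'frm_form_enctype', 'multipart/form-data', $form ) ) ?>" method="post" class="frm-show-form <?php do_action( 'frm_form_classes', $form ) ?>" id="form_<?php echo esc_attr( $form->form_key ) ?>" <?php echo $frm_settings->use_html ? '' : 'action=""'; ?> <?php echo wp_strip_all_tags( apply_filters( 'frm_form_attributes', '', $form ) ); // WPCS: XSS ok. ?>>
  <?php } else { ?>
  <div id="form_<?php echo esc_attr( $form->form_key ) ?>" class="frm-show-form <?php do_action( 'frm_form_classes', $form ) ?>" >
  <?php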
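--- a/classes/views/frm-entries/no_entries.php
+++ b/classes/views/frm-entries/no_entries.php
@@ -1,12 +1,12 @@
  <div class="frmcenter frm_no_entries_form">
  <?php if ( $form && isset( $form->options['no_save'] ) && $form->options['no_save'] ) { ?>
  <h3><?php esc_html_e( 'This form is not set to save any entries.', 'formidable' ) ?></h3>
- <p><?php printf( __( 'If you would like to save entries in this form, go to the %1$sform Settings%2$s page %3$s and uncheck the "Do not store any entries submitted from this form" box.', 'formidable' ), '<a href="' . esc_url( admin_url( 'admin.php?page=formidable&frm_action=settings&id=' . $form->id ) ) . '">', '</a>', '</br>' ) ?></p>
+ <p><?php printf( esc_html__( 'If you would like to save entries in this form, go to the %1$sform Settings%2$s page %3$s and uncheck the "Do not store any entries submitted from this form" box.', 'formidable' ), '<a href="' . esc_url( admin_url( 'admin.php?page=formidable&frm_action=settings&id=' . $form->id ) ) . '">', '</a>', '</br>' ) ?></p>
  <?php } elseif ( $form ) { ?>
- <div class="frm_no_entries_header"><?php printf( __( 'No Entries for form: %s', 'formidable' ), $form->name ); ?></div>
- <p class="frm_no_entries_text"><?php printf( __( 'See the %1$sform documentation%2$s for instructions on publishing your form', 'formidable' ), '<a href="https://formidableforms.com/knowledgebase/publish-your-forms/" target="_blank">', '</a>' ); ?></p>
+ <div class="frm_no_entries_header"><?php printf( esc_html__( 'No Entries for form: %s', 'formidable' ), esc_html( $form->name ) ); ?></div>
+ <p class="frm_no_entries_text"><?php printf( esc_html__( 'See the %1$sform documentation%2$s for instructions on publishing your form', 'formidable' ), '<a href="https://formidableforms.com/knowledgebase/publish-your-forms/" target="_blank">', '</a>' ); ?></p>
  <?php } else { ?>
  <div class="frm_no_entries_header"><?php esc_html_e( 'You have not created any forms yet.', 'formidable' ); ?></div>
- <p class="frm_no_entries_text"><?php printf( __( 'To view entries, you must first %1$sbuild a form%2$s', 'formidable' ), '<a href="' . esc_url( admin_url( 'admin.php?page=formidable&frm_action=new' ) ) . '">', '</a>' ); ?></p>
+ <p class="frm_no_entries_text"><?php printf( esc_html__( 'To view entries, you must first %1$sbuild a form%2$s', 'formidable' ), '<a href="' . esc_url( admin_url( 'admin.php?page=formidable&frm_action=new' ) ) . '">', '</a>' ); ?></p>
  <?php } ?>
  </div>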
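Review bot: The `'</br>'` passed as `%3$s` on the first changed line is not valid HTML (there is no closing `br` tag); it should be `'<br/>'`. On the third changed line the external `target="_blank"` link has no `rel` attribute, so the opened page receives a `window.opener` handle back to the admin screen; `<a href="https://formidableforms.com/knowledgebase/publish-your-forms/" target="_blank" rel="noopener noreferrer">` closes that. The move to `esc_html__()` with markup supplied through the format arguments, and the new `esc_html( $form->name )`, are the right pattern.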
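--- a/classes/views/frm-entries/show.php
+++ b/classes/views/frm-entries/show.php
@@ -49,7 +49,7 @@
  'embedded_field_id' => $embedded_field_id,
  );
  $display_value = FrmEntriesHelper::prepare_display_value( $entry, $field, $atts );
- echo $display_value;
+ echo $display_value; // WPCS: XSS ok.
 
  if ( is_email( $display_value ) && ! in_array( $display_value, $to_emails ) ) {
  $to_emails[] = $display_value;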
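Review bot: `$display_value` is the rendered value of a submitted entry field, so the `XSS ok.` annotation on the changed line asserts that `FrmEntriesHelper::prepare_display_value()` already escapes or kses-filters user-supplied content; that function is outside this section, so I cannot confirm it. The annotation should cite where that happens, e.g. `// WPCS: XSS ok. Escaped/filtered in FrmEntriesHelper::prepare_display_value().`, and if it does not, the value should pass through `wp_kses_post()` here, as sidebar-shared.php already does for `$d`. The `in_array()` on the line below would also benefit from `strict: true` (`in_array( $display_value, $to_emails, true )`).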
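--- a/classes/views/frm-entries/sidebar-shared.php
+++ b/classes/views/frm-entries/sidebar-shared.php
@@ -36,21 +36,21 @@
  <div class="misc-pub-section">
  <span class="dashicons dashicons-post-status wp-media-buttons-icon"></span>
  <?php esc_html_e( 'Entry Key', 'formidable' ) ?>:
- <b><?php echo sanitize_title( $entry->item_key ) ?></b>
+ <b><?php echo esc_html( $entry->item_key ) ?></b>
  </div>
 
  <?php if ( FrmAppHelper::pro_is_installed() ) { ?>
  <?php if ( $entry->user_id ) { ?>
  <div class="misc-pub-section">
  <span class="dashicons dashicons-admin-users wp-media-buttons-icon"></span>
- <?php printf( __( 'Created by: %1$s', 'formidable' ), FrmFieldsHelper::get_user_display_name( $entry->user_id, 'display_name', array( 'link' => true ) ) ); ?>
+ <?php printf( esc_html__( 'Created by: %1$s', 'formidable' ), esc_html( FrmFieldsHelper::get_user_display_name( $entry->user_id, 'display_name', array( 'link' => true ) ) ) ); ?>
  </div>
  <?php } ?>
 
  <?php if ( $entry->updated_by && $entry->updated_by != $entry->user_id ) { ?>
  <div class="misc-pub-section">
  <span class="dashicons dashicons-admin-users wp-media-buttons-icon"></span>
- <?php printf( esc_html__( 'Updated by: %1$s', 'formidable' ), FrmFieldsHelper::get_user_display_name( $entry->updated_by, 'display_name', array( 'link' => true ) ) ); ?>
+ <?php printf( esc_html__( 'Updated by: %1$s', 'formidable' ), esc_html( FrmFieldsHelper::get_user_display_name( $entry->updated_by, 'display_name', array( 'link' => true ) ) ) ); ?>
  </div>
  <?php } ?>
  <?php } ?>
@@ -64,7 +64,7 @@
  <?php if ( ! empty( $entry->ip ) ) { ?>
  <div class="misc-pub-section">
  <?php esc_html_e( 'IP Address', 'formidable' ) ?>:
- <b><?php echo sanitize_text_field( $entry->ip ); ?></b>
+ <b><?php echo esc_html( $entry->ip ); ?></b>
  </div>
  <?php } ?>
 
@@ -89,7 +89,7 @@
  }
  ?>
  <div class="misc-pub-section">
- <b><?php echo sanitize_text_field( ucfirst( str_replace( '-', ' ', $k ) ) ); ?></b>:
+ <b><?php echo esc_html( ucfirst( str_replace( '-', ' ', $k ) ) ); ?></b>:
  <?php echo wp_kses_post( implode( ', ', (array) $d ) ); ?>
  </div>
  <?php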
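Review bot: Wrapping `FrmFieldsHelper::get_user_display_name( …, array( 'link' => true ) )` in `esc_html()` on the "Created by" and "Updated by" lines will print the link markup as literal text if, as `'link' => true` suggests, the helper returns an anchor tag rather than a bare name; please confirm what the helper returns with that option. If it does return markup, the right fix is an allow-list escape rather than full entity encoding, e.g. `wp_kses_post( FrmFieldsHelper::get_user_display_name( $entry->user_id, 'display_name', array( 'link' => true ) ) )`, or drop `'link'` so that `esc_html()` is the correct escape for a plain name. The remaining substitutions (entry key, IP address, `$k`) replace input-sanitising filters with `esc_html()`, which is the correct context-specific escape for a text node and is an improvement.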
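--- a/classes/views/frm-fields/back-end/ajax-field-placeholder.php
+++ b/classes/views/frm-fields/back-end/ajax-field-placeholder.php
@@ -1,4 +1,4 @@
  <li id="frm_field_id_<?php echo esc_attr( $field_object->id ); ?>" class="<?php echo esc_attr( $li_classes ) ?> frm_field_loading" data-fid="<?php echo esc_attr( $field_object->id ) ?>" data-formid="<?php echo esc_attr( 'divider' == $field_object->type ? FrmField::get_option( $field_object, 'form_select' ) : $field_object->form_id ); ?>" data-ftype="<?php echo esc_attr( $display['type'] ) ?>">
  <span class="spinner frm_visible_spinner"></span>
- <span class="frm_hidden_fdata frm_hidden"><?php echo htmlspecialchars( json_encode( $field_object ) ) ?></span>
+ <span class="frm_hidden_fdata frm_hidden"><?php echo htmlspecialchars( json_encode( $field_object ) ); // WPCS: XSS ok. ?></span>
  </li>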
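Review bot: `htmlspecialchars( json_encode( $field_object ) )` is kept with a suppression instead of being moved to the core escapers: `json_encode()` returns `false` on an encoding error (for instance invalid UTF-8 in an option label), and `htmlspecialchars( false )` yields an empty string, so the hidden data span would be emptied silently and the ajax loader left without field data. `echo esc_html( wp_json_encode( $field_object ) );` uses the core encoder, which attempts to repair invalid UTF-8 before encoding, together with an escaper the sniff recognises, which also makes the `// WPCS: XSS ok.` marker unnecessary. If `$field_object` can carry values that must survive byte-for-byte, that behaviour difference should be checked before switching.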
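--- a/classes/views/frm-fields/back-end/dropdown-field.php
+++ b/classes/views/frm-fields/back-end/dropdown-field.php
@@ -1,7 +1,7 @@
  <?php
 
  if ( isset( $field['post_field'] ) && 'post_category' === $field['post_field'] && FrmAppHelper::pro_is_installed() ) {
- echo FrmProPost::get_category_dropdown( $field, array(
+ echo FrmProPost::get_category_dropdown( $field, array( // WPCS: XSS ok.
  'name' => $field_name,
  'id' => 'placeholder_id',
  'location' => 'form_builder',
@@ -16,7 +16,7 @@ if ( isset( $field['post_field'] ) && 'post_category' === $field['post_field'] &
  $opt = FrmFieldsHelper::get_label_from_array( $opt, $opt_key, $field );
  $selected = ( $field['default_value'] === $field_val || FrmFieldsHelper::get_other_val( array( 'opt_key', 'field' ) ) ) ? ' selected="selected"' : '';
  ?>
- <option value="<?php echo esc_attr( $field_val ) ?>"<?php echo $selected ?>><?php echo esc_html( $opt ) ?> </option>
+ <option value="<?php echo esc_attr( $field_val ) ?>"<?php echo $selected; // WPCS: XSS ok. ?>><?php echo esc_html( $opt ) ?> </option>
  <?php } ?>
  </select>
  <?php } ?>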
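Review bot: `FrmFieldsHelper::get_other_val( array( 'opt_key', 'field' ) )` in the `$selected` expression of the second hunk passes two literal strings under numeric keys rather than the `$opt_key` and `$field` variables; if the helper expects named entries, `compact( 'opt_key', 'field' )` is presumably what was intended and the current call can never refer to the option being rendered. The commit only annotates the neighbouring line, so this is pre-existing, but it is worth fixing while the block is being touched. The `// WPCS: XSS ok.` on `echo $selected` is justified because `$selected` is one of two literal strings assigned two lines above, and the comment would be more useful saying so, e.g. `// WPCS: XSS ok. Literal attribute string built above.`. The `get_category_dropdown()` call in the first hunk and the closing `<?php } ?>` lines belong to constructs that continue outside the hunks.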
classes/views/frm-fields/back-end/field-captcha.php CHANGED
@@ -2,7 +2,7 @@
2
  $frm_settings = FrmAppHelper::get_settings();
3
  if ( empty( $frm_settings->pubkey ) ) {
4
  ?>
5
- <div class="howto frm_no_captcha_text"><?php printf( __( 'Your captcha will not appear on your form until you %1$sset up%2$s the Site and Secret Keys', 'formidable' ), '<a href="?page=formidable-settings">', '</a>' ); ?></div>
6
  <?php } ?>
7
  <img src="<?php echo esc_url( FrmAppHelper::plugin_url() . '/images/recaptcha.png' ) ?>" class="recaptcha_placeholder" alt="reCaptcha"/>
8
  <input type="hidden" name="<?php echo esc_attr( $field_name ) ?>" value="1" />
2
  $frm_settings = FrmAppHelper::get_settings();
3
  if ( empty( $frm_settings->pubkey ) ) {
4
  ?>
5
+ <div class="howto frm_no_captcha_text"><?php printf( esc_html__( 'Your captcha will not appear on your form until you %1$sset up%2$s the Site and Secret Keys', 'formidable' ), '<a href="?page=formidable-settings">', '</a>' ); ?></div>
6
  <?php } ?>
7
  <img src="<?php echo esc_url( FrmAppHelper::plugin_url() . '/images/recaptcha.png' ) ?>" class="recaptcha_placeholder" alt="reCaptcha"/>
8
  <input type="hidden" name="<?php echo esc_attr( $field_name ) ?>" value="1" />