Ninja Forms – The Easy and Powerful Forms Builder - Version 3.3.14.1

Version Description

(28 August 2018) =

Security:

  • Patched an XSS vulnerability that allowed JavaScript injection into the form import function. Many thanks to Adam Roberts for practicing responsible disclosure.
  • Patched a CSV injection vulnerability that allowed user-submitted values to run scripts when exported CSV files were opened in Excel.

Bugs:

  • The selector in the add a form modal should now scroll properly instead of being cut off by the bottom of the browser when it contains a large number of forms.
  • Resolved an issue that sometimes caused the character limit option for paragraph fields to count words instead.

=


Release Info

Developer krmoorhouse
Version 3.3.14.1

Code changes from version 3.3.14 to 3.3.14.1

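--- a/deprecated/ninja-forms.php
+++ b/deprecated/ninja-forms.php
@@ -265,7 +265,7 @@ class Ninja_Forms {
 
  // Plugin version
  if ( ! defined( 'NF_PLUGIN_VERSION' ) )
- define( 'NF_PLUGIN_VERSION', '3.3.14' );
+ define( 'NF_PLUGIN_VERSION', '3.3.14.1' );
 
  // Plugin Folder Path
  if ( ! defined( 'NF_PLUGIN_DIR' ) )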
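--- a/includes/Fields/Textarea.php
+++ b/includes/Fields/Textarea.php
@@ -27,10 +27,28 @@ class NF_Fields_Textarea extends NF_Abstracts_Input
 
  $this->_settings[ 'default' ][ 'type' ] = 'textarea';
  $this->_settings[ 'placeholder' ][ 'type' ] = 'textarea';
+
+ add_filter( 'ninja_forms_subs_export_field_value_' . $this->_name, array( $this, 'filter_csv_value' ), 10, 2 );
  }
 
  public function admin_form_element( $id, $value )
  {
  return "<textarea class='widefat' name='fields[$id]'>$value</textarea>";
  }
+
+ public function filter_csv_value( $field_value, $field ) {
+
+ /*
+ * sanitize this in case someone tries to inject data that runs in
+ * Excel and similar apps
+ * */
+ if( 0 < strlen($field_value ) ) {
+ $first_char = substr( $field_value, 0, 1 );
+ if( in_array( $first_char, array( '=', '@', '+', '-' ) ) ) {
+ return "'" . $field_value;
+ }
+ }
+
+ return $field_value;
+ }
  }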
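Review bot: The leading-character list in filter_csv_value (`'=', '@', '+', '-'`) omits the tab and carriage-return prefixes that spreadsheet applications also treat as formula triggers, so a value beginning with a tab or CR followed by `=` is exported unchanged; the same list is duplicated in includes/Fields/Textbox.php. I would extend the check to `if( in_array( $first_char, array( '=', '@', '+', '-', "\t", "\r" ), true ) ) {`, the `true` making the comparison strict. Since the two methods are byte-for-byte identical, moving the helper into the shared parent (NF_Abstracts_Input, judging by the class line) would keep further field types from being overlooked the way this follow-up changelog entry describes. The `'` prefix also alters legitimate values such as negative numbers or `+`-prefixed phone numbers, which is worth a sentence in the method comment so readers do not mistake it for a bug. The enclosing class continues outside the hunk.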
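--- a/includes/Fields/Textbox.php
+++ b/includes/Fields/Textbox.php
@@ -42,8 +42,11 @@ class NF_Fields_Textbox extends NF_Abstracts_Input
  * sanitize this in case someone tries to inject data that runs in
  * Excel and similar apps
  * */
- if( strpos( $field_value, '=' ) === 0 ) {
- return "'" . $field_value;
+ if( 0 < strlen($field_value ) ) {
+ $first_char = substr( $field_value, 0, 1 );
+ if( in_array( $first_char, array( '=', '@', '+', '-' ) ) ) {
+ return "'" . $field_value;
+ }
  }
 
  return $field_value;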
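--- a/ninja-forms.php
+++ b/ninja-forms.php
@@ -3,7 +3,7 @@
  Plugin Name: Ninja Forms
  Plugin URI: http://ninjaforms.com/
  Description: Ninja Forms is a webform builder with unparalleled ease of use and features.
- Version: 3.3.14
+ Version: 3.3.14.1
  Author: The WP Ninjas
  Author URI: http://ninjaforms.com
  Text Domain: ninja-forms
@@ -57,7 +57,7 @@ if( get_option( 'ninja_forms_load_deprecated', FALSE ) && ! ( isset( $_POST[ 'nf
  /**
  * @since 3.0
  */
- const VERSION = '3.3.14';
+ const VERSION = '3.3.14.1';
 
  const WP_MIN_VERSION = '4.7';
 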
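--- a/readme.txt
+++ b/readme.txt
@@ -3,7 +3,7 @@ Contributors: wpninjasllc, kstover, jameslaws, kbjohnson90, klhall1987, krmoorho
  Tags: form, forms, contact form, custom form, form builder, form creator, form manager, form creation, contact forms, custom forms, forms builder, forms creator, forms manager, forms creation, form administration,
  Requires at least: 4.7
  Tested up to: 4.9
- Stable tag: 3.3.14
+ Stable tag: 3.3.14.1
  License: GPLv2 or later
 
  Drag and drop fields in an intuitive UI to create contact forms, email subscription forms, order forms, payment forms, send emails and more!
@@ -111,7 +111,7 @@ For help and video tutorials, please visit our website: [Ninja Forms Documentati
 
  == Upgrade Notice ==
 
- = 3.3.14 (27 August 2018) =
+ = 3.3.14.1 (28 August 2018) =
 
  *Security:*
 
@@ -125,6 +125,12 @@ For help and video tutorials, please visit our website: [Ninja Forms Documentati
 
  == Changelog ==
 
+ = 3.3.14.1 (28 August 2018) =
+
+ *Security:*
+
+ * Corrected patch for CSV injection vulnerability to include a previously overlooked input.
+
  = 3.3.14 (27 August 2018) =
 
  *Security:*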