Version Description
(28 August 2018) =
Security:
- Patched an XSS vulnerability that allowed javascript injection into the form import function. Many thanks to Adam Roberts for practicing responsible disclosure.
- Patched a CSV injection vulnerability that allowed user values to run some scripts when opening exported CSV files with Excel.
Bugs:
- The selector in the add a form modal should now scroll properly instead of being cut off by the bottom of the browser when it contains a large number of forms.
- Resolved an issue that sometimes caused the character limit option for paragraph fields to count words instead.
=
Release Info
Developer | krmoorhouse |
Plugin | Ninja Forms – The Easy and Powerful Forms Builder |
Version | 3.3.14.1 |
Code changes from version 3.3.14 to 3.3.14.1
- deprecated/ninja-forms.php +1 -1
- includes/Fields/Textarea.php +18 -0
- includes/Fields/Textbox.php +5 -2
- ninja-forms.php +2 -2
- readme.txt +8 -2
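--- a/deprecated/ninja-forms.php
+++ b/deprecated/ninja-forms.php
@@ -265,7 +265,7 @@ class Ninja_Forms {
 
 // Plugin version
 if ( ! defined( 'NF_PLUGIN_VERSION' ) )
-define( 'NF_PLUGIN_VERSION', '3.3.14' );
+define( 'NF_PLUGIN_VERSION', '3.3.14.1' );
 
 // Plugin Folder Path
 if ( ! defined( 'NF_PLUGIN_DIR' ) )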
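--- a/includes/Fields/Textarea.php
+++ b/includes/Fields/Textarea.php
@@ -27,10 +27,28 @@ class NF_Fields_Textarea extends NF_Abstracts_Input
 
 $this->_settings[ 'default' ][ 'type' ] = 'textarea';
 $this->_settings[ 'placeholder' ][ 'type' ] = 'textarea';
+
+add_filter( 'ninja_forms_subs_export_field_value_' . $this->_name, array( $this, 'filter_csv_value' ), 10, 2 );
 }
 
 public function admin_form_element( $id, $value )
 {
 return "<textarea class='widefat' name='fields[$id]'>$value</textarea>";
 }
+
+public function filter_csv_value( $field_value, $field ) {
+
+/*
+* sanitize this in case someone tries to inject data that runs in
+* Excel and similar apps
+* */
+if( 0 < strlen($field_value ) ) {
+$first_char = substr( $field_value, 0, 1 );
+if( in_array( $first_char, array( '=', '@', '+', '-' ) ) ) {
+return "'" . $field_value;
+}
+}
+
+return $field_value;
+}
 }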
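Review bot: `filter_csv_value` inspects only the first byte of the value, so the check at `$first_char = substr( $field_value, 0, 1 );` returns the cell unchanged when the formula character sits behind leading whitespace; OWASP's CSV-injection guidance also lists tab and carriage return as leading characters to neutralise. For a textarea, where pasted or multi-line input makes leading whitespace more likely, I would look past it with `$first_char = substr( ltrim( $field_value ), 0, 1 );` and pass `true` as the third argument of `in_array` so the comparison is strict. The identical check in the includes/Fields/Textbox.php hunk has the same gap. Whether the exporter quotes embedded separators and newlines is not visible on this page and is worth confirming separately, since this prefix only protects the start of the cell.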
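--- a/includes/Fields/Textbox.php
+++ b/includes/Fields/Textbox.php
@@ -42,8 +42,11 @@ class NF_Fields_Textbox extends NF_Abstracts_Input
 * sanitize this in case someone tries to inject data that runs in
 * Excel and similar apps
 * */
-if(
-
+if( 0 < strlen($field_value ) ) {
+$first_char = substr( $field_value, 0, 1 );
+if( in_array( $first_char, array( '=', '@', '+', '-' ) ) ) {
+return "'" . $field_value;
+}
 }
 
 return $field_value;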
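Review bot: The rewritten body here is a line-for-line copy of the `filter_csv_value` added to NF_Fields_Textarea, and the changelog entry in this same release says the first patch overlooked an input, which is the failure mode that per-class copies of a security filter invite. Both classes extend NF_Abstracts_Input, so I would define the method and its `ninja_forms_subs_export_field_value_` filter registration once in the parent, or neutralise values in the exporter itself, so a new field type is covered by default; whether other field types already register the filter cannot be seen from this page. At minimum the block comment should name the leading characters treated as formula triggers and state that the value is returned prefixed with `'`. The function starts above and ends below this hunk.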
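--- a/ninja-forms.php
+++ b/ninja-forms.php
@@ -3,7 +3,7 @@
 Plugin Name: Ninja Forms
 Plugin URI: http://ninjaforms.com/
 Description: Ninja Forms is a webform builder with unparalleled ease of use and features.
-Version: 3.3.14
+Version: 3.3.14.1
 Author: The WP Ninjas
 Author URI: http://ninjaforms.com
 Text Domain: ninja-forms
@@ -57,7 +57,7 @@ if( get_option( 'ninja_forms_load_deprecated', FALSE ) && ! ( isset( $_POST[ 'nf
 /**
 * @since 3.0
 */
-const VERSION = '3.3.14';
+const VERSION = '3.3.14.1';
 
 const WP_MIN_VERSION = '4.7';
 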
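--- a/readme.txt
+++ b/readme.txt
@@ -3,7 +3,7 @@ Contributors: wpninjasllc, kstover, jameslaws, kbjohnson90, klhall1987, krmoorho
 Tags: form, forms, contact form, custom form, form builder, form creator, form manager, form creation, contact forms, custom forms, forms builder, forms creator, forms manager, forms creation, form administration,
 Requires at least: 4.7
 Tested up to: 4.9
-Stable tag: 3.3.14
+Stable tag: 3.3.14.1
 License: GPLv2 or later
 
 Drag and drop fields in an intuitive UI to create contact forms, email subscription forms, order forms, payment forms, send emails and more!
@@ -111,7 +111,7 @@ For help and video tutorials, please visit our website: [Ninja Forms Documentati
 
 == Upgrade Notice ==
 
-= 3.3.14 (
+= 3.3.14.1 (28 August 2018) =
 
 *Security:*
 
@@ -125,6 +125,12 @@ For help and video tutorials, please visit our website: [Ninja Forms Documentati
 
 == Changelog ==
 
+= 3.3.14.1 (28 August 2018) =
+
+*Security:*
+
+* Corrected patch for CSV injection vulnerability to include a previously overlooked input.
+
 = 3.3.14 (27 August 2018) =
 
 *Security:*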