Ninja Forms – The Easy and Powerful Forms Builder - Version 3.4.24.3

Version Description

(21 May 2020) =

Security:

  • Patched an HTML injection vulnerability in our deprecated 2.9x codebase reported responsibly by Dave Job.

Bugs:

  • Corrected an error in our required field validation that was allowing targeted spam through the submission process.

=


Release Info

Developer krmoorhouse
Version 3.4.24.3

Code changes from version 3.4.24.2 to 3.4.24.3

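--- a/deprecated/includes/display/processing/class-ninja-forms-processing.php
+++ b/deprecated/includes/display/processing/class-ninja-forms-processing.php
@@ -145,7 +145,8 @@ class Ninja_Forms_Processing {
  }
 
  $val = nf_wp_kses_post_deep( $val );
-
+ $val = ninja_forms_htmlspecialchars_deep( $val );
+
  $this->data['fields'][$field_id] = $val;
  $field_row = ninja_forms_get_field_by_id( $field_id );
  $field_row['data']['field_class'] = 'ninja-forms-field';
@@ -174,9 +175,11 @@ class Ninja_Forms_Processing {
  if(!is_array($val)){
  $value = stripslashes($val);
  $value = nf_wp_kses_post_deep( $value );
+ $value = ninja_forms_htmlspecialchars_deep( $value );
  //$value = htmlspecialchars($value);
  }else{
  $value = nf_wp_kses_post_deep( $val );
+ $value = ninja_forms_htmlspecialchars_deep( $val );
  }
  $this->data['form'][$key] = $value;
  }
@@ -203,6 +206,7 @@ class Ninja_Forms_Processing {
 
  $val = ninja_forms_stripslashes_deep( $val );
  $val = nf_wp_kses_post_deep( $val );
+ $val = ninja_forms_htmlspecialchars_deep( $val );
 
  $this->data['fields'][$field_id] = $val;
  if ( isset ( $cache['field_settings'][$field_id] ) ) {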
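Review bot: In the `else` branch of the second hunk the added line escapes `$val`, not `$value`, so the result of `nf_wp_kses_post_deep( $val )` on the line above is overwritten and array values no longer get the kses pass that scalar values do. If the intent was to escape the already-filtered value, as in the scalar branch, the line should read `$value = ninja_forms_htmlspecialchars_deep( $value );`. All three hunks also store the escaped string in `$this->data`, so a consumer that escapes again on output would double-encode; a short comment such as `// values are stored HTML-escaped; do not escape again on output` at each site would record that contract. The enclosing methods begin and end outside the hunks, so how the stored values are later rendered is not visible here.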
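--- a/deprecated/ninja-forms.php
+++ b/deprecated/ninja-forms.php
@@ -265,7 +265,7 @@ class Ninja_Forms {
 
  // Plugin version
  if ( ! defined( 'NF_PLUGIN_VERSION' ) )
- define( 'NF_PLUGIN_VERSION', '3.4.24.2' );
+ define( 'NF_PLUGIN_VERSION', '3.4.24.3' );
 
  // Plugin Folder Path
  if ( ! defined( 'NF_PLUGIN_DIR' ) )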
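--- a/includes/Abstracts/Field.php
+++ b/includes/Abstracts/Field.php
@@ -146,8 +146,12 @@ abstract class NF_Abstracts_Field
  $field[ 'value' ] = implode( '', $field[ 'value' ] );
  }
 
- if( isset( $field['required'] ) && 1 == $field['required'] && is_null( trim( $field['value'] ) ) ){
- $errors[] = 'Field is required.';
+ if( isset( $field['required'] ) && 1 == intval( $field['required'] ) ) {
+ $val = trim( $field['value'] );
+ if( empty( $val ) && '0' !== $val ){
+ $errors['slug'] = 'required-error';
+ $errors['message'] = esc_html__('This field is required.', 'ninja-forms');
+ }
  }
  return $errors;
  }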
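Review bot: The rewritten required check writes `$errors['slug']` and `$errors['message']` where the removed line appended with `$errors[] = …`, so the returned value changes from a list of messages to a keyed array. The function starts outside the hunk, so it is not visible whether earlier validation still appends numerically; if it does, the result mixes both shapes, and the docblock should state which shape callers receive. The inner test `empty( $val ) && '0' !== $val` is, for the string that `trim()` returns, simply `'' === $val`, which states the intent directly. `trim( $field['value'] )` also assumes a string: the array case is imploded just above, but a missing or null value is not visibly handled in the hunk.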
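--- a/includes/MergeTags/Fields.php
+++ b/includes/MergeTags/Fields.php
@@ -193,7 +193,10 @@ final class NF_MergeTags_Fields extends NF_Abstracts_MergeTags
 
  $value = apply_filters('ninja_forms_merge_tag_value_' . $field['type'], $field['value'], $field);
 
- $this->add( $callback, $field['id'], '{field:' . $field['id'] . '}', $value, false, ('html' !== $field['type']) );
+ $safe = apply_filters('ninja_forms_get_html_safe_fields',
+ array( 'html' ) );
+ $sanitize = (! in_array($field['type'], $safe));
+ $this->add( $callback, $field['id'], '{field:' . $field['id'] . '}', $value, false, $sanitize );
 
  if( isset( $field[ 'key' ] ) ) {
  $field_key = $field[ 'key' ];
@@ -201,17 +204,15 @@ final class NF_MergeTags_Fields extends NF_Abstracts_MergeTags
 
  // Add Field Key Callback
  $callback = 'field_' . $field_key;
- $this->add( $callback, $field_key, '{field:' . $field_key . '}', $value, $calc_value );
+ $this->add( $callback, $field_key, '{field:' . $field_key . '}', $value, $calc_value, $sanitize );
 
  // Add Field by Key for All Fields
  $this->merge_tags[ 'all_fields_by_key' ][ 'fields' ][ $field_key ] = $field;
 
  // Add Field Calc Callabck
  if( '' == $calc_value ) $calc_value = '0';
- //var_dump($calc_value);
- //echo('myspace');
  $callback = 'field_' . $field_key . '_calc';
- $this->add( $callback, $field_key, '{field:' . $field_key . ':calc}', $calc_value, $calc_value );
+ $this->add( $callback, $field_key, '{field:' . $field_key . ':calc}', $calc_value, $calc_value, $sanitize );
 
 
  /*
@@ -286,6 +287,7 @@ final class NF_MergeTags_Fields extends NF_Abstracts_MergeTags
  * @param $tag
  * @param $value
  * @param bool $calc_value
+ * @param bool $sanitize
  */
  public function add( $callback, $id, $tag, $value, $calc_value = false, $sanitize = true )
  {
@@ -308,7 +310,9 @@ final class NF_MergeTags_Fields extends NF_Abstracts_MergeTags
 
  public function maybe_sanitize( $field )
  {
- if ( 'html' !== $field['type'] && $this->use_safe ) {
+ $safe = apply_filters( 'ninja_forms_get_html_safe_fields',
+ array( 'html' ) );
+ if ( ! in_array( $field['type'], $safe ) && $this->use_safe ) {
  $field['value'] = strip_tags($field['value']);
  }
  return $field;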
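Review bot: Both new `in_array( $field['type'], $safe )` calls (first and last hunks) compare loosely and trust whatever the `ninja_forms_get_html_safe_fields` filter returns, so a callback that returns a non-array, or adds a value such as `true`, can raise an error or turn sanitisation off for every field type. Casting and comparing strictly avoids that: `$sanitize = ! in_array( $field['type'], (array) $safe, true );`, with the same change in `maybe_sanitize()`. The filter lookup is duplicated in two methods, so a small private helper would keep the two call sites from drifting apart. Because this filter decides which field types skip `strip_tags`, it deserves a docblock saying that listed types reach merge-tag output with their markup intact. Both enclosing methods continue outside the hunks.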
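--- a/ninja-forms.php
+++ b/ninja-forms.php
@@ -3,7 +3,7 @@
  Plugin Name: Ninja Forms
  Plugin URI: http://ninjaforms.com/?utm_source=Ninja+Forms+Plugin&utm_medium=readme
  Description: Ninja Forms is a webform builder with unparalleled ease of use and features.
- Version: 3.4.24.2
+ Version: 3.4.24.3
  Author: Saturday Drive
  Author URI: http://ninjaforms.com/?utm_source=Ninja+Forms+Plugin&utm_medium=Plugins+WP+Dashboard
  Text Domain: ninja-forms
@@ -59,7 +59,7 @@ if( get_option( 'ninja_forms_load_deprecated', FALSE ) && ! ( isset( $_POST[ 'nf
  * @since 3.0
  */
 
- const VERSION = '3.4.24.2';
+ const VERSION = '3.4.24.3';
 
  /**
  * @since 3.4.0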
readme.txt CHANGED
@@ -3,7 +3,7 @@ Contributors: wpninjasllc, kstover, jameslaws, kbjohnson90, klhall1987, krmoorho
3
  Tags: forms, contact form, email form, form builder, custom form, pdf form, registration form, payment form, login form, contact me, signature form, upload form, file upload form, conditional form, feedback form, appointment form, quote form, survey form, contact button, signup form, form plugin, contact form plugin, subscription form, email subscription form, newsletter form, donation form, booking form, quote request form, multi page form, conditional logic form, subscription form, application form, employment verification form, star rating form, rating form, event form, mailchimp form, campaign monitor form, constant contact form, mailpoet form, aweber form, cleverreach form, emma form, convertkit form, active campaign form, salesforce form, zoho form, capsule form, insightly form, pipelinedeals form, onepagecrm form
4
  Requires at least: 5.2
5
  Tested up to: 5.4
6
- Stable tag: 3.4.24.2
7
  License: GPLv2 or later
8
 
9
  The 100% beginner friendly WordPress form builder. Drag & drop form fields to build beautiful, professional contact forms in minutes.
@@ -303,14 +303,28 @@ This section describes how to install the plugin and get it working.
303
 
304
  == Upgrade Notice ==
305
 
306
- = 3.4.24.2 (28 April 2020) =
307
 
308
  *Security:*
309
 
310
- * Fixed Cross-Site Request Forgery(CSRF) to stored Cross-Site Scripting(XSS) [reported responsibly](https://ninjaforms.com/security) by Ramuel Gall (Wordfence Threat Intelligence Team).
 
 
 
 
311
 
312
  == Changelog ==
313
 
 
 
 
 
 
 
 
 
 
 
314
  = 3.4.24.2 (28 April 2020) =
315
 
316
  *Security:*
3
  Tags: forms, contact form, email form, form builder, custom form, pdf form, registration form, payment form, login form, contact me, signature form, upload form, file upload form, conditional form, feedback form, appointment form, quote form, survey form, contact button, signup form, form plugin, contact form plugin, subscription form, email subscription form, newsletter form, donation form, booking form, quote request form, multi page form, conditional logic form, subscription form, application form, employment verification form, star rating form, rating form, event form, mailchimp form, campaign monitor form, constant contact form, mailpoet form, aweber form, cleverreach form, emma form, convertkit form, active campaign form, salesforce form, zoho form, capsule form, insightly form, pipelinedeals form, onepagecrm form
4
  Requires at least: 5.2
5
  Tested up to: 5.4
6
+ Stable tag: 3.4.24.3
7
  License: GPLv2 or later
8
 
9
  The 100% beginner friendly WordPress form builder. Drag & drop form fields to build beautiful, professional contact forms in minutes.
303
 
304
  == Upgrade Notice ==
305
 
306
+ = 3.4.24.3 (21 May 2020) =
307
 
308
  *Security:*
309
 
310
+ * Patched an HTML injection vulnerability in our deprecated 2.9x codebase [reported responsibly](https://ninjaforms.com/security) by Dave Job.
311
+
312
+ *Bugs:*
313
+
314
+ * Corrected an error in our required field validation that was allowing targeted spam through the submission process.
315
 
316
  == Changelog ==
317
 
318
+ = 3.4.24.3 (21 May 2020) =
319
+
320
+ *Security:*
321
+
322
+ * Patched an HTML injection vulnerability in our deprecated 2.9x codebase [reported responsibly](https://ninjaforms.com/security) by Dave Job.
323
+
324
+ *Bugs:*
325
+
326
+ * Corrected an error in our required field validation that was allowing targeted spam through the submission process.
327
+
328
  = 3.4.24.2 (28 April 2020) =
329
 
330
  *Security:*