Toolset Types – Custom Post Types, Custom Fields and Taxonomies - Version 2.2.3

Version Description

  • Fixed several security issues.

Release Info

Developer zaantar
Version 2.2.3

Code changes from version 2.2.2 to 2.2.3

Files changed (59) hide show
  1. application/controllers/admin_menu.php +1 -1
  2. application/controllers/ajax/handler/field_control_action.php +8 -5
  3. application/controllers/ajax/handler/settings_action.php +13 -7
  4. application/controllers/api/handler/import_from_zip_file.php +33 -11
  5. application/controllers/asset/help_tab_loader.php +1 -1
  6. application/controllers/page/dashboard.php +11 -1
  7. application/controllers/page/extension/edit_post_fields.php +3 -1
  8. application/controllers/page/extension/edit_post_type.php +4 -2
  9. application/controllers/page/hidden/helper.php +13 -10
  10. application/models/helper/condition.php +4 -2
  11. application/models/helper/placeholder.php +7 -4
  12. library/toolset/toolset-common/bootstrap.php +3 -2
  13. library/toolset/toolset-common/changelog.md +14 -0
  14. library/toolset/toolset-common/changelog.txt +14 -0
  15. library/toolset/toolset-common/classes/forms.php +1 -1
  16. library/toolset/toolset-common/deprecated.php +1 -1
  17. library/toolset/toolset-common/inc/toolset.css.component.class.php +3 -3
  18. library/toolset/toolset-common/inc/toolset.relevanssi.compatibility.class.php +1 -1
  19. library/toolset/toolset-common/lib/enlimbo.forms.class.php +1 -1
  20. library/toolset/toolset-common/loader.php +10 -9
  21. library/toolset/toolset-common/res/js/toolset-select2-compatibility.js +68 -42
  22. library/toolset/toolset-common/res/lib/select2/select2.js +3 -2
  23. library/toolset/toolset-common/toolset-common-loader.php +29 -10
  24. library/toolset/toolset-common/toolset-forms/bootstrap.php +15 -10
  25. library/toolset/toolset-common/toolset-forms/classes/class.date.scripts.php +1 -1
  26. library/toolset/toolset-common/toolset-forms/classes/class.eforms.php +1 -1
  27. library/toolset/toolset-common/toolset-forms/classes/class.recaptcha.php +1 -1
  28. library/toolset/toolset-common/toolset-forms/classes/submit.php +1 -1
  29. library/toolset/toolset-common/user-editors/editor/screen/beaver/backend.php +6 -6
  30. library/toolset/toolset-common/user-editors/medium/content-template.php +5 -5
  31. library/toolset/toolset-common/user-editors/medium/screen/content-template/backend.php +1 -1
  32. library/toolset/toolset-common/user-editors/medium/screen/content-template/frontend-editor.php +3 -3
  33. library/toolset/toolset-common/user-editors/resource/views/dialog/dialog.php +1 -1
  34. library/toolset/toolset-common/user-editors/resource/views/dialog/for-any-input.php +2 -2
  35. library/toolset/toolset-common/utility/help-videos/toolset-help-videos.php +1 -1
  36. library/toolset/types/admin.php +3 -3
  37. library/toolset/types/embedded/admin.php +1 -1
  38. library/toolset/types/embedded/classes/forms.php +1 -1
  39. library/toolset/types/embedded/classes/gui/term_field_editing.php +1 -1
  40. library/toolset/types/embedded/includes/ajax.php +3 -3
  41. library/toolset/types/embedded/includes/fields-post.php +1 -1
  42. library/toolset/types/embedded/includes/fields.php +1 -1
  43. library/toolset/types/embedded/includes/module-manager.php +1 -1
  44. library/toolset/types/embedded/includes/post-relationship.php +5 -5
  45. library/toolset/types/embedded/usermeta-init.php +2 -2
  46. library/toolset/types/help.php +1 -1
  47. library/toolset/types/includes/classes/class.types.admin.edit.fields.php +1 -1
  48. library/toolset/types/includes/classes/class.types.admin.edit.post.type.php +3 -2
  49. library/toolset/types/includes/classes/class.types.admin.page.php +8 -8
  50. library/toolset/types/includes/classes/class.types.admin.post.types.list.table.php +1 -1
  51. library/toolset/types/includes/classes/class.types.admin.usermeta.groups.list.table.php +1 -1
  52. library/toolset/types/includes/classes/class.types.admin.usermeta.table.php +2 -2
  53. library/toolset/types/includes/classes/class.wpcf.custom.fields.list.table.php +1 -1
  54. library/toolset/types/includes/classes/page/edit/termmeta_form.php +4 -4
  55. library/toolset/types/includes/classes/page/listing/table.php +1 -1
  56. library/toolset/types/includes/classes/page/listing/termmeta_table.php +2 -0
  57. library/toolset/types/wpcf.php +5 -5
  58. readme.txt +4 -1
  59. wpcf.php +2 -2
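--- a/application/controllers/admin_menu.php
+++ b/application/controllers/admin_menu.php
@@ -64,7 +64,7 @@ final class Types_Admin_Menu {
  // Add legacy pages
  $pages = wpcf_admin_toolset_register_menu_pages( $pages );
 
- $page_name = wpcf_getget( 'page' );
+ $page_name = sanitize_text_field( wpcf_getget( 'page' ) );
  if( !empty( $page_name ) ) {
  $pages = $this->maybe_add_ondemand_submenu( $pages, $page_name );
  }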
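Review bot: `sanitize_text_field()` on line 67 runs before any type check, so unless `wpcf_getget()` already guarantees a string, a request carrying `page` as an array (`?page[]=x`) hands a non-string to the sanitizer; current WordPress returns `''` for that, older releases emit a warning, and in both cases rejecting non-strings first states the intent: `$page_name = is_string( wpcf_getget( 'page' ) ) ? sanitize_text_field( wpcf_getget( 'page' ) ) : '';`. The same pattern recurs in help_tab_loader.php, toolset.css.component.class.php and toolset.relevanssi.compatibility.class.php in this commit. The enclosing method starts and ends outside the hunk.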
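--- a/application/controllers/ajax/handler/field_control_action.php
+++ b/application/controllers/ajax/handler/field_control_action.php
@@ -22,8 +22,8 @@ final class Types_Ajax_Handler_Field_Control_Action extends Types_Ajax_Handler_A
  $am->ajax_begin( array( 'nonce' => $am->get_action_js_name( Types_Ajax::CALLBACK_FIELD_CONTROL_ACTION ) ) );
 
  // Read and validate input
- $field_action = wpcf_getpost( 'field_action' );
- $fields = wpcf_getpost( 'fields' );
+ $field_action = sanitize_text_field( wpcf_getpost( 'field_action' ) );
+ $fields = wpcf_getpost( 'fields' ); // array of values, will be sanitized when processed
 
  $current_domain = wpcf_getpost( 'domain', null, Types_Field_Utils::get_domains() );
  if( null == $current_domain ) {
@@ -34,6 +34,7 @@ final class Types_Ajax_Handler_Field_Control_Action extends Types_Ajax_Handler_A
  $am->ajax_finish( array( 'message' => __( 'No fields have been selected.', 'wpcf' ) ), false );
  }
 
+ // will be sanitized when/if used by the action-specific method
  $action_specific_data = wpcf_getpost( 'action_specific', array() );
 
  // Process fields one by one
@@ -92,17 +93,19 @@ final class Types_Ajax_Handler_Field_Control_Action extends Types_Ajax_Handler_A
  */
  private function single_field_control_action( $action_name, $field, $domain, $action_specific_data ) {
 
- $field_slug = wpcf_getarr( $field, 'slug' );
+ $field_slug = sanitize_text_field( wpcf_getarr( $field, 'slug' ) );
 
  switch ( $action_name ) {
 
  case 'manage_with_types':
- return $this->start_managing_field( wpcf_getarr( $field, 'metaKey' ), $domain );
+ return $this->start_managing_field( sanitize_text_field( wpcf_getarr( $field, 'metaKey' ) ), $domain );
 
  case 'stop_managing_with_types':
  return $this->stop_managing_field( $field_slug, $domain );
 
  case 'change_group_assignment':
+ // $action_specific_data is a list of group slugs, will be sanitized by
+ // trying to load a group model
  return $this->change_assignment_to_groups( $field_slug, $domain, $action_specific_data );
 
  case 'delete_field':
@@ -284,7 +287,7 @@ final class Types_Ajax_Handler_Field_Control_Action extends Types_Ajax_Handler_A
  return new WP_Error( 42, sprintf( __( 'Field "%s" will not be converted because it is not managed by Types.', 'wpcf' ), sanitize_text_field( $field_slug ) ) );
  }
 
- $type_slug = wpcf_getarr( $arguments, 'field_type' );
+ $type_slug = sanitize_text_field( wpcf_getarr( $arguments, 'field_type' ) );
  $target_type = Types_Field_Type_Definition_Factory::get_instance()->load_field_type_definition( $type_slug );
  if( null == $target_type ) {
  return new WP_Error( 42, sprintf( __( 'Unknown field type "%s".', 'wpcf' ), $type_slug ) );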
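Review bot: The new comment on line 26 documents `$fields` as an array that is sanitized later, but nothing in the hunk enforces that shape, so a scalar `fields` POST value reaches the per-field loop (which starts outside this hunk) untyped; a local guard keeps the promise where it is made: `$fields = is_array( wpcf_getpost( 'fields' ) ) ? wpcf_getpost( 'fields' ) : array();`. The comment added on line 37 defers `$action_specific_data` to the action-specific method in the same way, and the one on lines 107-108 says group slugs are validated by loading a group model — if so, `change_assignment_to_groups()` (outside the hunk) should also reject a non-array argument rather than iterate it. `sanitize_text_field()` on `$field_slug` and `$type_slug` is text cleaning, not validation; `load_field_type_definition()` covers `$type_slug`, while the `stop_managing_field()` and `delete_field` paths are not visible here.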
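--- a/application/controllers/ajax/handler/settings_action.php
+++ b/application/controllers/ajax/handler/settings_action.php
@@ -20,12 +20,18 @@ final class Types_Ajax_Handler_Settings_Action extends Types_Ajax_Handler_Abstra
 
  $am->ajax_begin( array( 'nonce' => $am->get_action_js_name( Types_Ajax::CALLBACK_SETTINGS_ACTION ) ) );
 
- $setting = wpcf_getpost( 'setting' );
- $value = wpcf_getpost( 'setting_value' );
+ $setting = sanitize_text_field( wpcf_getpost( 'setting' ) );
+ $setting_value = wpcf_getpost( 'setting_value' );
 
- if( !is_array( $value ) ) {
- parse_str( $value, $value );
- $value = array_pop( $value );
+ if( !is_array( $setting_value ) ) {
+ parse_str( $setting_value, $setting_value );
+ $setting_value = array_pop( $setting_value );
+ }
+
+ $sanitized_value = array();
+ foreach( $setting_value as $key => $value ) {
+ $sanitized_key = sanitize_title( $key );
+ $sanitized_value[ $sanitized_key ] = sanitize_text_field( $value );
  }
 
  // use toolset settings if available
@@ -34,12 +40,12 @@ final class Types_Ajax_Handler_Settings_Action extends Types_Ajax_Handler_Abstra
  $toolset_settings = Toolset_Settings::get_instance();
 
  if( method_exists( $toolset_settings, 'save' ) ) {
- $toolset_settings[$setting] = $value;
+ $toolset_settings[ $setting ] = $sanitized_value;
  $toolset_settings->save();
  $am->ajax_finish( 'success', true );
  }
  } else {
- update_option( $setting, $value );
+ update_option( $setting, $sanitized_value );
  $am->ajax_finish( 'success', true );
  }
 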
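Review bot: `$setting` on line 23 is only text-sanitized and then used verbatim as the option key in `$toolset_settings[ $setting ]` (line 43) and `update_option( $setting, $sanitized_value )` (line 48), so any caller who passes the nonce/capability gate in `ajax_begin()` still chooses which option is written; sanitization does not bound that, an allow-list does: `if ( ! in_array( $setting, $allowed_settings, true ) ) { $am->ajax_finish( array( 'message' => __( 'Invalid setting.', 'wpcf' ) ), false ); }` with `$allowed_settings` listing the keys this endpoint is meant to change (to be taken from the settings definitions, not visible here). Separately, when `setting_value` is a string that `parse_str()` turns into an empty array, `array_pop()` on line 28 yields `null` and the `foreach` on line 32 emits a warning and saves an empty array; an `is_array( $setting_value )` check before the loop avoids that. Nested arrays inside `setting_value` still reach `sanitize_text_field()` unflattened on line 34.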
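--- a/application/controllers/api/handler/import_from_zip_file.php
+++ b/application/controllers/api/handler/import_from_zip_file.php
@@ -50,17 +50,39 @@ class Types_Api_Handler_Import_From_Zip_File implements Types_Api_Handler_Interf
 
  add_filter('wpcf_admin_message_store', '__return_false');
 
- $_POST['overwrite-settings'] = isset( $import_args['overwrite-settings'] ) ? $import_args['overwrite-settings'] : false;
- $_POST['overwrite-groups'] = isset( $import_args['overwrite-groups'] ) ? $import_args['overwrite-groups'] : 1;
- $_POST['overwrite-fields'] = isset( $import_args['overwrite-fields'] ) ? $import_args['overwrite-fields'] : 1;
- $_POST['overwrite-types'] = isset( $import_args['overwrite-types'] ) ? $import_args['overwrite-types'] : 1;
- $_POST['overwrite-tax'] = isset( $import_args['overwrite-tax'] ) ? $import_args['overwrite-tax'] : 1;
- $_POST['post_relationship'] = isset( $import_args['post_relationship'] ) ? $import_args['post_relationship'] : false;
- $_POST['delete-groups'] = isset( $import_args['delete-groups'] ) ? $import_args['delete-groups'] : false;
- $_POST['delete-fields'] = isset( $import_args['delete-fields'] ) ? $import_args['delete-fields'] : false;
- $_POST['delete-types'] = isset( $import_args['delete-types'] ) ? $import_args['delete-types'] : false;
- $_POST['delete-tax'] = isset( $import_args['delete-tax'] ) ? $import_args['delete-tax'] : false;
- /**
+ $_POST['overwrite-settings'] = isset( $import_args['overwrite-settings'] ) ? (bool) $import_args['overwrite-settings'] : false;
+
+ $_POST['overwrite-groups'] = (
+ isset( $import_args['overwrite-groups'] ) && 1 == $import_args['overwrite-groups']
+ ? 1
+ : 0
+ );
+
+ $_POST['overwrite-fields'] = (
+ isset( $import_args['overwrite-fields'] ) && 1 == $import_args['overwrite-fields']
+ ? 1
+ : 0
+ );
+
+ $_POST['overwrite-types'] = (
+ isset( $import_args['overwrite-types'] ) && 1 == $import_args['overwrite-types']
+ ? 1
+ : 0
+ );
+
+ $_POST['overwrite-tax'] = (
+ isset( $import_args['overwrite-tax'] ) && 1 == $import_args['overwrite-tax']
+ ? 1
+ : 0
+ );
+
+ $_POST['post_relationship'] = isset( $import_args['post_relationship'] ) ? (bool) $import_args['post_relationship'] : false;
+ $_POST['delete-groups'] = isset( $import_args['delete-groups'] ) ? (bool) $import_args['delete-groups'] : false;
+ $_POST['delete-fields'] = isset( $import_args['delete-fields'] ) ? (bool) $import_args['delete-fields'] : false;
+ $_POST['delete-types'] = isset( $import_args['delete-types'] ) ? (bool) $import_args['delete-types'] : false;
+ $_POST['delete-tax'] = isset( $import_args['delete-tax'] ) ? (bool) $import_args['delete-tax'] : false;
+
+ /**
  * This can be emtpy string '' or 'wpvdemo', but this second option has a serious bug with xml parsing/looping
  */
  $context = isset( $import_args['context'] ) ? $import_args['context'] : '';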
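Review bot: The four `overwrite-*` blocks on lines 55-77 silently change the default: the removed lines used `1` when the key was absent, the new `isset(...) && 1 == ...` form yields `0`, so an API caller that never passed these keys now stops overwriting groups, fields, types and taxonomies. If that is unintended, `! isset( $import_args['overwrite-groups'] ) || 1 == $import_args['overwrite-groups']` keeps the old default while still normalising the value; if intended, it belongs in the version description. `$context` on line 88 is the one argument left untyped although the comment above it names the only two valid values, so it can be pinned the same way: `$context = ( isset( $import_args['context'] ) && 'wpvdemo' === $import_args['context'] ) ? 'wpvdemo' : '';`. A loop over `array( 'overwrite-groups', 'overwrite-fields', 'overwrite-types', 'overwrite-tax' )` would also make the four identical blocks harder to get out of sync.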
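--- a/application/controllers/asset/help_tab_loader.php
+++ b/application/controllers/asset/help_tab_loader.php
@@ -41,7 +41,7 @@ final class Types_Asset_Help_Tab_Loader {
  return;
  }
 
- $current_page = wpcf_getget( 'page', null );
+ $current_page = sanitize_text_field( wpcf_getget( 'page', null ) );
  if ( null == $current_page ) {
  return;
  }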
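Review bot: Wrapping `wpcf_getget( 'page', null )` in `sanitize_text_field()` on line 44 turns the `null` default into `''`, so the early return on line 45 now fires only because `null == ''` is true under loose comparison; the guard no longer says what it checks. Either sanitize after the null check, or make the test match the value actually produced: `if ( '' === $current_page ) { return; }`. The enclosing method starts and ends outside the hunk.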
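--- a/application/controllers/page/dashboard.php
+++ b/application/controllers/page/dashboard.php
@@ -420,7 +420,17 @@ final class Types_Page_Dashboard extends Types_Page_Abstract {
 
  public function screen_settings_save($status, $option, $value) {
  if ( 'toolset_dashboard_screen_post_types' == $option ) {
- $value = $_POST['toolset_dashboard_screen_post_types'];
+ if ( is_array( $_POST['toolset_dashboard_screen_post_types'] ) ) {
+ $toolset_dashboard_screen_post_types = array();
+ foreach( $_POST['toolset_dashboard_screen_post_types'] as $tdspt_key => $tdspt_value ) {
+ $tdspt_key = sanitize_text_field( $tdspt_key );
+ $tdspt_value = sanitize_text_field( $tdspt_value );
+ $toolset_dashboard_screen_post_types[ $tdspt_key ] = $tdspt_value;
+ }
+ } else {
+ $toolset_dashboard_screen_post_types = sanitize_text_field( $_POST['toolset_dashboard_screen_post_types'] );
+ }
+ $value = $toolset_dashboard_screen_post_types;
  }
  return $value;
  }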
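Review bot: `$_POST['toolset_dashboard_screen_post_types']` is read on lines 423, 425 and 431 without an `isset()` check, so a screen-options save that omits the field raises a notice and stores `''` through the `else` branch. Reading it once into a local with a default removes both problems: `$raw = isset( $_POST['toolset_dashboard_screen_post_types'] ) ? $_POST['toolset_dashboard_screen_post_types'] : array();`, then branch on `is_array( $raw )`. If the keys and values are post type slugs, as the option name suggests, `sanitize_key()` is the narrower sanitizer — `sanitize_text_field()` still admits characters that cannot occur in a slug, and a nested array value would reach it unflattened.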
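--- a/application/controllers/page/extension/edit_post_fields.php
+++ b/application/controllers/page/extension/edit_post_fields.php
@@ -19,8 +19,10 @@ final class Types_Page_Extension_Edit_Post_Fields {
  private function __construct() {
  if( ! isset( $_GET['group_id'] ) )
  return;
+
+ $group_id = (int) $_GET['group_id'];
 
- $post_types = get_post_meta( $_GET['group_id'], '_wp_types_group_post_types', 'string' );
+ $post_types = get_post_meta( $group_id, '_wp_types_group_post_types', 'string' );
  $post_types = explode( ',', $post_types );
  $post_types = array_values( array_filter( $post_types ) );
 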
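Review bot: `(int) $_GET['group_id']` on line 23 maps any non-numeric input to `0`, after which the constructor calls `get_post_meta( 0, … )` on line 25 instead of bailing out as it does for a missing parameter; mirroring the `isset()` guard with `if ( $group_id <= 0 ) { return; }` keeps the no-group path explicit. The third argument of `get_post_meta()` is the boolean `$single`, so `'string'` works only because it is truthy — `true` states the intent. The constructor body continues outside the hunk.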
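--- a/application/controllers/page/extension/edit_post_type.php
+++ b/application/controllers/page/extension/edit_post_type.php
@@ -19,9 +19,11 @@ final class Types_Page_Extension_Edit_Post_Type {
  private function __construct() {
  if( ! isset( $_GET['wpcf-post-type'] ) )
  return;
+
+ $wpcf_post_type = sanitize_text_field( $_GET['wpcf-post-type'] );
 
- Types_Helper_Placeholder::set_post_type( $_GET['wpcf-post-type'] );
- Types_Helper_Condition::set_post_type( $_GET['wpcf-post-type'] );
+ Types_Helper_Placeholder::set_post_type( $wpcf_post_type );
+ Types_Helper_Condition::set_post_type( $wpcf_post_type );
 
  $this->prepare();
  }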
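Review bot: `sanitize_text_field()` on line 23 cleans the value but does not establish that `$wpcf_post_type` names a registered post type before it is handed to the two `set_post_type()` calls on lines 25-26 and, through those helpers, into queries and URLs. Unless the helpers validate it themselves (they are outside this hunk), a `post_type_exists( $wpcf_post_type )` check with an early `return`, or at least `sanitize_key()` since slugs cannot contain the characters `sanitize_text_field()` leaves in, is the stronger boundary.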
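--- a/application/controllers/page/hidden/helper.php
+++ b/application/controllers/page/hidden/helper.php
@@ -54,25 +54,28 @@ class Types_Page_Hidden_Helper extends Types_Page_Abstract {
  $this->redirect_url = false;
 
  if( isset( $_GET['action'] ) && isset( $_GET['type'] ) ) {
+
+ $action = sanitize_text_field( $_GET['action'] );
+ $type = sanitize_text_field( $_GET['type'] );
 
- switch( $_GET['action'] ) {
+ switch( $action ) {
  case 'new-form':
- $this->redirect_url = $this->new_form_action( $_GET['type'] );
+ $this->redirect_url = $this->new_form_action( $type );
  break;
  case 'new-view':
- $this->redirect_url = $this->new_view_action( $_GET['type'] );
+ $this->redirect_url = $this->new_view_action( $type );
  break;
  case 'new-layout-template':
- $this->redirect_url = $this->new_layout_template_action( $_GET['type'] );
+ $this->redirect_url = $this->new_layout_template_action( $type );
  break;
  case 'new-content-template':
- $this->redirect_url = $this->new_content_template_action( $_GET['type'] );
+ $this->redirect_url = $this->new_content_template_action( $type );
  break;
  case 'new-wordpress-archive':
- $this->redirect_url = $this->new_wordpress_archive_action( $_GET['type'] );
+ $this->redirect_url = $this->new_wordpress_archive_action( $type );
  break;
  case 'new-post-field-group':
- $this->redirect_url = $this->new_post_field_group_action( $_GET['type'] );
+ $this->redirect_url = $this->new_post_field_group_action( $type );
  break;
  }
 
@@ -146,7 +149,7 @@ class Types_Page_Hidden_Helper extends Types_Page_Abstract {
  $new_post_field_group->assign_post_type( $type );
 
  $url = isset( $_GET['ref'] )
- ? 'admin.php?page=wpcf-edit&group_id='.$new_post_field_group->get_id().'&ref='.$_GET['ref']
+ ? 'admin.php?page=wpcf-edit&group_id='.$new_post_field_group->get_id().'&ref='.sanitize_text_field( $_GET['ref'] )
  : 'admin.php?page=wpcf-edit&group_id='.$new_post_field_group->get_id();
 
  return admin_url( $url );
@@ -155,11 +158,11 @@ class Types_Page_Hidden_Helper extends Types_Page_Abstract {
  private function add_params_to_url( $url ) {
  // forward parameter toolset_help_video
  if( isset( $_GET['toolset_help_video'] ) )
- $url = add_query_arg( 'toolset_help_video', $_GET['toolset_help_video'], $url );
+ $url = add_query_arg( 'toolset_help_video', sanitize_text_field( $_GET['toolset_help_video'] ), $url );
 
  // forward parameter ref
  if( isset( $_GET['ref'] ) )
- $url = add_query_arg( 'ref', $_GET['ref'], $url );
+ $url = add_query_arg( 'ref', sanitize_text_field( $_GET['ref'] ), $url );
 
  return $url;
  }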
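Review bot: Line 152 builds the redirect URL by concatenating `'&ref='.sanitize_text_field( $_GET['ref'] )`, while `add_params_to_url()` on line 165 forwards the very same parameter through `add_query_arg()`, which URL-encodes it; the concatenated form does not, so a `ref` containing `&` or `#` splits the query string. Using the same helper keeps the two paths consistent: `$url = 'admin.php?page=wpcf-edit&group_id=' . $new_post_field_group->get_id(); if ( isset( $_GET['ref'] ) ) { $url = add_query_arg( 'ref', sanitize_text_field( $_GET['ref'] ), $url ); }`. In the first hunk the `switch` on line 61 already restricts `$action` to known cases; `$type` is the value that flows into the `new_*_action()` helpers and would benefit from a `post_type_exists()` check if those helpers do not perform one (they are outside the hunk, as is the start of the method containing the `switch`).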
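--- a/application/models/helper/condition.php
+++ b/application/models/helper/condition.php
@@ -15,8 +15,10 @@ abstract class Types_Helper_Condition {
 
  protected static function get_type_name() {
  // per post
- if( isset( $_GET['post'] ) )
- return get_post_type( $_GET['post'] );
+ if( isset( $_GET['post'] ) ) {
+ $get_type_name_id = (int) $_GET['post'];
+ return get_post_type( $get_type_name_id );
+ }
 
  return self::$post_type->name;
  }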
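Review bot: The `(int)` cast on line 19 turns a non-numeric `post` parameter into `0`, and `get_post_type( 0 )` resolves through `get_post()` against the global `$post` rather than failing, so the method can report the type of whatever post happens to be global instead of falling through to `self::$post_type->name`; for an id that does not exist it returns `false`. Guarding on the cast value keeps the fallback meaningful: `if ( $get_type_name_id > 0 ) { return get_post_type( $get_type_name_id ); }` inside the `isset()` block, leaving `return self::$post_type->name;` on line 23 to handle the rest. The class header is outside the hunk.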
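--- a/application/models/helper/placeholder.php
+++ b/application/models/helper/placeholder.php
@@ -159,12 +159,15 @@ class Types_Helper_Placeholder {
  return $permalink;
  }
 
- if( isset( $_GET['post'] ) && $id != $_GET['post'] )
- return self::get_permalink( $_GET['post'] );
+ if( isset( $_GET['post'] ) && $id != $_GET['post'] ) {
+ $get_permalink_id = (int) $_GET['post'];
+ return self::get_permalink( $get_permalink_id );
+ }
 
  // cpt edit page
  if( isset( $_GET['wpcf-post-type'] ) && $id == 0 ) {
- $query = new WP_Query( 'post_type=' . $_GET['wpcf-post-type'] . '&posts_per_page=1' );
+ $get_permalink_post_type = sanitize_text_field( $_GET['wpcf-post-type'] );
+ $query = new WP_Query( 'post_type=' . $get_permalink_post_type . '&posts_per_page=1' );
  if( $query->have_posts() )
  return self::get_permalink( $query->posts[0]->ID );
  }
@@ -181,7 +184,7 @@ class Types_Helper_Placeholder {
 
  public static function get_archive_permalink() {
  if( array_key_exists( 'wpcf-post-type', $_GET ) ) {
- $post_type = $_GET['wpcf-post-type'];
+ $post_type = sanitize_text_field( $_GET['wpcf-post-type'] );
  } else {
  if( ! is_object( self::$post_type ) )
  self::set_post_type();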
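Review bot: Line 170 still builds the `WP_Query` from a query string, `'post_type=' . $get_permalink_post_type . '&posts_per_page=1'`, and `sanitize_text_field()` does not strip `&` or `=`, so a `wpcf-post-type` value such as `x&posts_per_page=-1` injects further query arguments; the array form bypasses that parser entirely: `$query = new WP_Query( array( 'post_type' => $get_permalink_post_type, 'posts_per_page' => 1 ) );`. In the same hunk the guard on line 162 compares `$id` with the raw `$_GET['post']` while the recursive call on line 164 passes the `(int)` cast, so for a value like `5abc` the two can disagree (on PHP 8, `5 != '5abc'` is true) and, if `$id` is this method's parameter as the recursion suggests, `get_permalink()` recurses without bound; cast first, then compare: `$get_permalink_id = (int) $_GET['post']; if ( $get_permalink_id > 0 && $id != $get_permalink_id ) { return self::get_permalink( $get_permalink_id ); }`. The method's start is outside the hunk.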
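--- a/library/toolset/toolset-common/bootstrap.php
+++ b/library/toolset/toolset-common/bootstrap.php
@@ -19,9 +19,10 @@
  * TOOLSET_COMMON_PATH The path to the active Toolset Common directory
  * TOOLSET_COMMON_DIR The name of the directory of the active Toolset Common
  * TOOLSET_COMMON_URL The URL to the root of Toolset Common, to be used in backend - adjusted as per SSL settings
- * TOOLSET_COMMON_PROTOCOL The protocol of TOOLSET_COMMON_URL - http | https
  * TOOLSET_COMMON_FRONTEND_URL The URL to the root of Toolset Common, to be used in frontend - adjusted as per SSL settings
- * TOOLSET_COMMON_FRONTEND_PROTOCOL The protocol of TOOLSET_COMMON_FRONTEND_URL - http | https
+ *
+ * TOOLSET_COMMON_PROTOCOL Deprecated - To be removed - The protocol of TOOLSET_COMMON_URL - http | https
+ * TOOLSET_COMMON_FRONTEND_PROTOCOL Deprecated - To be removed - The protocol of TOOLSET_COMMON_FRONTEND_URL - http | https
  *
  * @todo create an admin page with Common info: path, bundled libraries versions, etc
  */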
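--- a/library/toolset/toolset-common/changelog.md
+++ b/library/toolset/toolset-common/changelog.md
@@ -1,3 +1,17 @@
+ Common 2.2.5 (November 5, 2016)
+ - Thorough check for security vulnerabilities.
+
+ Common 2.2.4 (November 2, 2016)
+ - Fixed a problem with some assets management by definind better rules on constant definitions.
+
+ -------------------------------------------------------------------------------------------------------------------
+
+ Common 2.2.3 (October 10, 2016)
+ - Fixed select2 edge cases when methods are called on non-select2 initialised element
+ - Refined special handling of old inputs by making sure target is only a select and not the hidden relative element
+
+ -------------------------------------------------------------------------------------------------------------------
+
  Common 2.2.2 (September 26, 2016)
  - Updated the bundled select2 script to version 4.0.3
  - Fixed a problem with some assets URLs lacking a backslash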
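--- a/library/toolset/toolset-common/changelog.txt
+++ b/library/toolset/toolset-common/changelog.txt
@@ -1,3 +1,17 @@
+ Common 2.2.5 (November 5, 2016)
+ - Thorough check for security vulnerabilities.
+
+ Common 2.2.4 (November 2, 2016)
+ - Fixed a problem with some assets management by definind better rules on constant definitions.
+
+ -------------------------------------------------------------------------------------------------------------------
+
+ Common 2.2.3 (October 10, 2016)
+ - Fixed select2 edge cases when methods are called on non-select2 initialised element
+ - Refined special handling of old inputs by making sure target is only a select and not the hidden relative element
+
+ -------------------------------------------------------------------------------------------------------------------
+
  Common 2.2.2 (September 26, 2016)
  - Updated the bundled select2 script to version 4.0.3
  - Fixed a problem with some assets URLs lacking a backslash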
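--- a/library/toolset/toolset-common/classes/forms.php
+++ b/library/toolset/toolset-common/classes/forms.php
@@ -931,7 +931,7 @@ if (!class_exists('Enlimbo_Forms_Wpcf')) {
  if ($element['#type'] == 'file') {
  return $_FILES[$name]['tmp_name'];
  }
- return isset($_REQUEST[$name]) ? $_REQUEST[$name] : in_array($element['#type'],
+ return isset($_REQUEST[$name]) ? sanitize_text_field( $_REQUEST[$name] ) : in_array($element['#type'],
  array('textfield', 'textarea')) ? '' : 0;
  }
 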
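Review bot: The rewritten return on lines 934-935 keeps the unparenthesized nested ternary `isset(...) ? sanitize_text_field(...) : in_array(...) ? '' : 0`, which PHP parses left-associatively as `(isset(...) ? sanitize_text_field(...) : in_array(...)) ? '' : 0` — so a submitted value is reduced to `''` (or `0` when falsy) and is never returned, and PHP 8 rejects the construct outright with a fatal error. Since the commit touches this line, it is the moment to add the parentheses: `return isset($_REQUEST[$name]) ? sanitize_text_field( $_REQUEST[$name] ) : (in_array($element['#type'], array('textfield', 'textarea')) ? '' : 0);`. `sanitize_text_field()` also collapses newlines and receives an array for multi-value inputs, so textarea and checkbox-group elements lose data here; branching on `$element['#type']` and `is_array()` before choosing the sanitizer would preserve them. The identical line in library/toolset/toolset-common/lib/enlimbo.forms.class.php (line 930) has the same two issues, and in both files the enclosing method starts outside the hunk.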
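--- a/library/toolset/toolset-common/deprecated.php
+++ b/library/toolset/toolset-common/deprecated.php
@@ -50,7 +50,7 @@ if ( ! function_exists( 'wpv_dismiss_message_ajax' ) ) {
  && wp_verify_nonce( $_GET['_wpnonce'], 'dismiss_message' )
  ) {
  $dismissed_messages = get_option( 'wpv-dismissed-messages', array() );
- $dismissed_image_val = isset( $_GET['timestamp'] ) ? $_GET['timestamp'] : 1;
+ $dismissed_image_val = isset( $_GET['timestamp'] ) ? sanitize_text_field( $_GET['timestamp'] ) : 1;
  $dismissed_messages[strval( $_GET['message_id'] )] = $dismissed_image_val;
  update_option( 'wpv-dismissed-messages', $dismissed_messages );
  }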
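Review bot: Line 53 now sanitizes `timestamp`, but the adjacent `$_GET['message_id']` on line 54 is still written raw as a key into the `wpv-dismissed-messages` option; both values are the same class of input and deserve the same treatment, e.g. `$dismissed_messages[ sanitize_text_field( $_GET['message_id'] ) ] = $dismissed_image_val;` (or `sanitize_key()` if the ids are slug-like, with a check that existing stored keys still match). If `timestamp` is really a timestamp, `absint( $_GET['timestamp'] )` is both narrower and immune to a `timestamp[]` array being sent, which `sanitize_text_field()` is not. The enclosing function starts outside the hunk.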
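--- a/library/toolset/toolset-common/inc/toolset.css.component.class.php
+++ b/library/toolset/toolset-common/inc/toolset.css.component.class.php
@@ -59,7 +59,7 @@ if ( ! class_exists( 'Toolset_CssComponent' ) ) {
  public function toolset_bs_update_option(){
  if($_POST['option'] && isset($_POST['option']) && $_POST['value'] && isset($_POST['value'])){
 
- $option_name = 'toolset_bs_component_'.$_POST['option'];
+ $option_name = 'toolset_bs_component_'.sanitize_text_field( $_POST['option'] );
  $value = ($_POST['value'] === "true") ? "yes" : "no";
 
  update_option( $option_name, $value);
@@ -132,8 +132,8 @@ if ( ! class_exists( 'Toolset_CssComponent' ) ) {
  if(defined('LAYOUTS_PLUGIN_NAME')){
  $bootstrap_available = true;
  }
-
- $get_page = (isset($_GET['page']) && $_GET['page']) ? $_GET['page'] : null;
+
+ $get_page = (isset($_GET['page']) && $_GET['page']) ? sanitize_text_field( $_GET['page'] ) : null;
 
  if(!in_array($get_page, $this->allowed_pages()) || $bootstrap_available === false){
  return false;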
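Review bot: `$_POST['option']` on line 62 is cleaned with `sanitize_text_field()` and then concatenated into the option name, so the request still chooses which `toolset_bs_component_*` option gets written; option names are key-like, so `sanitize_key()` is the fitting sanitizer, and an allow-list of the component names this screen actually exposes would remove the remaining choice (whether a nonce/capability check precedes this method is not visible in the hunk). The condition on line 60, `$_POST['option'] && isset($_POST['option']) && …`, reads each index before checking that it exists and raises a notice when it is absent; `isset($_POST['option'], $_POST['value']) && $_POST['option'] && $_POST['value']` tests in the right order. In the second hunk, `in_array($get_page, $this->allowed_pages())` on line 138 is a loose comparison against a now-sanitized string; pass `true` as the third argument.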
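--- a/library/toolset/toolset-common/inc/toolset.relevanssi.compatibility.class.php
+++ b/library/toolset/toolset-common/inc/toolset.relevanssi.compatibility.class.php
@@ -508,7 +508,7 @@ if ( ! class_exists( 'Toolset_Relevanssi_Compatibility' ) ) {
 
  $current_page = '';
  if ( isset( $_GET['page'] ) ) {
- $current_page = $_GET['page'];
+ $current_page = sanitize_text_field( $_GET['page'] );
  }
 
  if ( ! $current_page == 'wpcf-edit' ) {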
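Review bot: The sanitized `$current_page` is consumed on line 514 by `if ( ! $current_page == 'wpcf-edit' )`, which PHP parses as `( ! $current_page ) == 'wpcf-edit'` — a boolean compared with a non-empty string — so the branch is entered only when `$current_page` is empty and never for a page other than `wpcf-edit`; the sanitization above it changes nothing about that. The intended guard is `if ( 'wpcf-edit' !== $current_page ) {`. The enclosing method starts and ends outside the hunk.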
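--- a/library/toolset/toolset-common/lib/enlimbo.forms.class.php
+++ b/library/toolset/toolset-common/lib/enlimbo.forms.class.php
@@ -927,7 +927,7 @@ if ( ! class_exists('Toolset_Enlimbo_Forms' ) ) {
  if ($element['#type'] == 'file') {
  return $_FILES[$name]['tmp_name'];
  }
- return isset($_REQUEST[$name]) ? $_REQUEST[$name] : in_array($element['#type'],
+ return isset($_REQUEST[$name]) ? sanitize_text_field( $_REQUEST[$name] ) : in_array($element['#type'],
  array('textfield', 'textarea')) ? '' : 0;
  }
 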
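--- a/library/toolset/toolset-common/loader.php
+++ b/library/toolset/toolset-common/loader.php
@@ -8,6 +8,8 @@
  * plugin loader and then call the toolset_common_initialize function.
  * The toolset_common_initialize should be passed the file path to the directory
  * where this file is located and also the url to this directory.
+ * Note that both the path and URL will be normalized with untrailingslashit
+ * so they do not pack any trailing slash.
  *
  *
  *
@@ -18,17 +20,17 @@
  * The version number will then be used to work out which plugin has the latest
  * version of the code.
  *
- * The version number will have a format of XXYYYY
- * where XX is the future target Toolset Common version number, built upon the stable released one stated in changelog.txt plus 1
- * and YYYY is incremented by 1 on each change to the Toolset Common repo
- * so we allow up to 10000 changes per dev cycle.
+ * The version number will have a format of XXXYYY
+ * where XXX is the future target Toolset Common version number, built upon the stable released one stated in changelog.txt plus 1
+ * and YYY is incremented by 1 on each change to the Toolset Common repo
+ * so we allow up to 1000 changes per dev cycle.
  *
  */
  /**
  * Now that we have a unique version for all plugins
  * we define the version here
  */
- $toolset_common_version = 222001;
+ $toolset_common_version = 225000;
 
 
  // ----------------------------------------------------------------------//
@@ -74,10 +76,9 @@ if ( ! function_exists( 'toolset_common_initialize' ) ) {
  global $toolset_common_paths;
 
  $path = str_replace( '\\', '/', $path );
-
- if ( substr( $path, strlen( $path ) - 1 ) == '/' ) {
- $path = substr( $path, 0, strlen( $path ) - 1 );
- }
+
+ $path = untrailingslashit( $path );
+ $url = untrailingslashit( $url );
 
  // Save the url in the matching path
  foreach ( $toolset_common_paths as $key => $data ) {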
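--- a/library/toolset/toolset-common/res/js/toolset-select2-compatibility.js
+++ b/library/toolset/toolset-common/res/js/toolset-select2-compatibility.js
@@ -11,7 +11,7 @@ ToolsetCommon.initSelect2Compatibility = function( $ ){
  jQuery.fn.toolset_select2_original = jQuery.fn.toolset_select2;
  //backwards compatible object
  jQuery.fn.toolset_select2 = function(options, param){
- if(typeof options == "string"){
+ if( typeof options == "string" ){
  ToolsetCommon.toolset_select2ExecMethods(this, options, param)
  }else if (typeof options == "object"){
  if(jQuery(this)){
@@ -64,45 +64,61 @@ ToolsetCommon.toolset_select2ConvertInputToSelect = function(el, options){
  jQuery(hiddenInput).insertAfter("."+dynamicClass);
  }
  //initialize toolset_select2
- convertedEl = jQuery("."+dynamicClass).toolset_select2_original(options);
+ try{
+ convertedEl = jQuery("."+dynamicClass).toolset_select2_original(options);
+ }catch(err){
+ console.log(err.message);
+ }
 
  //Add event listener on tags fields to update hidden inputs on change
  if(options && options.hasOwnProperty("tags")){
- jQuery(convertedEl).on("change", function(){
- var actualValue = jQuery(convertedEl).val();
-
+ jQuery("."+dynamicClass).on("change", function(event){
+ var actualValue = jQuery(event.target).val();
  if(actualValue && actualValue.length > 0 && hiddenInput){
  jQuery("."+hiddenDynamicClass).attr("value", actualValue.join(","));
  }
  });
- jQuery("."+dynamicClass).trigger("change");
  }
  return convertedEl;
  }else{
- var dynamicClass = ToolsetCommon.addSelect2RandomClassName(el);
- return jQuery("."+dynamicClass).toolset_select2_original(options);
+ if(!jQuery(el).data("toolset_select2")){
+ var dynamicClass = ToolsetCommon.addSelect2RandomClassName(el);
+ var convertedEl = null;
+
+ try{
+ convertedEl = jQuery("."+dynamicClass).toolset_select2_original(options);
+ }catch(err){
+ console.log(err.message);
+ }
+
+ return convertedEl;
+ }else{
+ return el;
+ }
  }
  };
  /*
  * @description checks if input needs to be converted to a select element.
  */
  ToolsetCommon.toolset_select2ConversionRequired = function(el, options){
- if(options && options.hasOwnProperty("tags")){
- jQuery(el).prop("multiple", "multiple");
- options.multiple = true;
- if(options.tags instanceof Array && options.tags.length > 0){
- options.data = [];
- options.tags.forEach(function(item){
- options.data.push({
- id: item,
- text: item
+ if(!jQuery(el).hasClass("toolset_select2_converted")){
+ if(options && options.hasOwnProperty("tags")){
+ jQuery(el).prop("multiple", "multiple");
+ options.multiple = true;
+ if(options.tags instanceof Array && options.tags.length > 0){
+ options.data = [];
+ options.tags.forEach(function(item){
+ options.data.push({
+ id: item,
+ text: item
+ });
  });
- });
- options.tags = true;
+ options.tags = true;
+ }
+ return true;
+ }else{
+ return (jQuery(el).prop("tagName") !== "SELECT");
  }
- return true;
- }else{
- return (jQuery(el).prop("tagName") !== "SELECT");
  }
  };
 
@@ -113,27 +129,36 @@ ToolsetCommon.toolset_select2ConversionRequired = function(el, options){
  ToolsetCommon.toolset_select2ExecMethods = function(el, method, param){
  if(jQuery(el).data("toolset_select2")){
  var elm_id = jQuery(el).attr("id");
+ try{
+ switch(method){
+ case "val":
+ if(param !== undefined && param !== null){
+ jQuery(el).val(param).trigger("change");
+ }else{
+ return jQuery(el).val();
+ }
+ break;
+ case "enable":
+ jQuery(el).prop("disabled", !param);
+ break;
+ case "data":
+ jQuery(el).val(param.ID).trigger("change").trigger("toolset_select2:selecting");
+ break;
+ case "close":
+ if(jQuery(el).data("toolset_select2") != null && jQuery(el).data("toolset_select2") != undefined){
+ jQuery(el).toolset_select2_original("close");
+ }
+ break;
+ case "destory":
+ jQuery(el).removeClass("toolset_select2_converted");
+ jQuery(el).toolset_select2_original("destroy");
+ break;
+ default:
+ jQuery("#"+elm_id).toolset_select2_original(method, param);
+ break;
+ }
+ }catch(err){
 
- switch(method){
- case "val":
- if(param !== undefined && param !== null){
- jQuery(el).val(param).trigger("change");
- }else{
- return jQuery(el).val();
- }
- break;
- case "enable":
- jQuery(el).prop("disabled", !param);
- break;
- case "data":
- jQuery(el).val(param.ID).trigger("change").trigger("toolset_select2:selecting");
- break;
- case "close":
- jQuery(el).toolset_select2_original("close");
- break;
- default:
- jQuery("#"+elm_id).toolset_select2_original(method, param);
- break;
  }
  }
  };
@@ -144,6 +169,7 @@ ToolsetCommon.toolset_select2ExecMethods = function(el, method, param){
  ToolsetCommon.addSelect2RandomClassName = function(el) {
  var className = ("toolset_select2_prefix_" + (Math.round(Math.random() * (100000 - 99) + 99)).toString());
  jQuery(el).addClass(className);
+ jQuery(el).addClass("toolset_select2_converted");
  return className;
  };
 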
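Review bot: The new `case "destory":` in toolset_select2ExecMethods (new line 152) is misspelled, so a caller passing "destroy" falls through to the `default` branch, the "toolset_select2_converted" class added in addSelect2RandomClassName is never removed, and toolset_select2ConversionRequired then skips the element on a later re-initialisation; rename it to `case "destroy":`. The `try { … } catch(err){ }` wrapping the switch (new lines 132–161) has an empty catch body, so any failure inside the switch is dropped without a trace; at minimum log it as the two other new catch blocks in this file do, `console.log(err.message);`, or let it propagate. Those two catch blocks in toolset_select2ConvertInputToSelect also leave `convertedEl` undefined or null on failure and `return convertedEl` hands that to the caller with no signal beyond the console line.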
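--- a/library/toolset/toolset-common/res/lib/select2/select2.js
+++ b/library/toolset/toolset-common/res/lib/select2/select2.js
@@ -5671,15 +5671,16 @@ Toolset_S2.define('jquery.toolset_select2',[
  } else if (typeof options === 'string') {
  var ret;
  var args = Array.prototype.slice.call(arguments, 1);
-
+ //TODO: the return statement and console.log instead of console error is our code
  this.each(function () {
  var instance = $(this).data('toolset_select2');
 
  if (instance == null && window.console && console.error) {
- console.error(
+ console.log(
  'The toolset_select2(\'' + options + '\') method was called on an ' +
  'element that is not using Select2.'
  );
+ return;
  }
 
  ret = instance[options].apply(instance, args);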
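--- a/library/toolset/toolset-common/toolset-common-loader.php
+++ b/library/toolset/toolset-common/toolset-common-loader.php
@@ -5,11 +5,11 @@ if ( class_exists( 'Toolset_Common_Bootstrap' ) ) {
  };
 
  if( !defined('TOOLSET_VERSION') ){
- define('TOOLSET_VERSION', '2.2.2');
+ define('TOOLSET_VERSION', '2.2.5');
  }
 
  if ( ! defined('TOOLSET_COMMON_VERSION' ) ) {
- define( 'TOOLSET_COMMON_VERSION', '2.2.2' );
+ define( 'TOOLSET_COMMON_VERSION', '2.2.5' );
  }
 
  if ( ! defined('TOOLSET_COMMON_PATH' ) ) {
@@ -29,13 +29,32 @@ if ( ! function_exists( 'toolset_common_boostrap' ) ) {
  }
 
  /**
- * @TODO: there is no need to manipulate URL values for http/https if everyone uses plugins_url
- * additionally if this is somehow necessary it is enough to do $url = set_url_scheme( $url ) and the protocol
+ * Set Toolset Common constants.
+ *
+ * TOOLSET_COMMON_URL Base URL for the Toolset Common instance. Note that is does not have a trailing slash.
+ * TOOLSET_COMMON_FRONTEND_URL Base frontend URL for the Toolset Common instance. Note that is does not have a trailing slash.
+ *
+ * TOOLSET_COMMON_PROTOCOL Deprecated.
+ * TOOLSET_COMMON_FRONTEND_PROTOCOL Deprecated.
+ *
+ * @TODO: there is no need to manipulate URL values for http/https if everyone uses plugins_url, but not everyone does, so:
+ * this is necessary, but it should be enough to do $url = set_url_scheme( $url ) and the protocol
  * will be calculated by itself.
- * @TODO: only one constant is enough, no need of TOOLSET_COMMON_URL, TOOLSET_COMMON_PROTOCOL, TOOLSET_COMMON_FRONTEND_URL, TOOLSET_COMMON_FRONTEND_PROTOCOL
+ * Note that set_url_scheme( $url ) takes care of FORCE_SSL_AMIN too:
+ * https://developer.wordpress.org/reference/functions/set_url_scheme/
+ *
+ * @TODO: no need of TOOLSET_COMMON_URL, TOOLSET_COMMON_PROTOCOL, TOOLSET_COMMON_FRONTEND_URL, TOOLSET_COMMON_FRONTEND_PROTOCOL
+ * In fact, TOOLSET_COMMON_PROTOCOL and TOOLSET_COMMON_FRONTEND_PROTOCOL are not used anywhere and I am maring them as deprecated.
  * define('TOOLSET_COMMON_URL', set_url_scheme( $url ) ); covers everything
+ * although there might be cases where an AJAX call is performed, hence happening on the backend,
+ * and we ned to build a frontend URL based on the Toolset Common URL, while they have different SSL schemas,
+ * so if possible, I would keep those two constants.
  */
  function toolset_common_set_constants_and_start( $url ) {
+
+ // Backwards compatibility: make sure that the URL constants do not include a trailing slash.
+ $url = untrailingslashit( $url );
+
  if (
  is_ssl()
  || (
@@ -44,17 +63,17 @@ if ( ! function_exists( 'toolset_common_boostrap' ) ) {
  )
  ) {
  define( 'TOOLSET_COMMON_URL', str_replace( 'http://', 'https://', $url ) );
- define( 'TOOLSET_COMMON_PROTOCOL', 'https' );
+ define( 'TOOLSET_COMMON_PROTOCOL', 'https' ); // DEPRECATED
  } else {
  define( 'TOOLSET_COMMON_URL', $url );
- define( 'TOOLSET_COMMON_PROTOCOL', 'http' );
- }
+ define( 'TOOLSET_COMMON_PROTOCOL', 'http' ); // DEPRECATED
+ }
  if ( is_ssl() ) {
  define( 'TOOLSET_COMMON_FRONTEND_URL', TOOLSET_COMMON_URL );
- define( 'TOOLSET_COMMON_FRONTEND_PROTOCOL', 'https' );
+ define( 'TOOLSET_COMMON_FRONTEND_PROTOCOL', 'https' ); // DEPRECATED
  } else {
  define( 'TOOLSET_COMMON_FRONTEND_URL', str_replace( 'https://', 'http://', TOOLSET_COMMON_URL ) );
- define( 'TOOLSET_COMMON_FRONTEND_PROTOCOL', 'http' );
+ define( 'TOOLSET_COMMON_FRONTEND_PROTOCOL', 'http' ); // DEPRECATED
  }
  }
  // Load early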
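Review bot: The new docblock (lines 32–51) carries typos that will mislead whoever acts on its TODOs: `FORCE_SSL_AMIN` should read `FORCE_SSL_ADMIN`, "maring" → "marking", "ned" → "need", and "Note that is does not have a trailing slash" → "Note that it does not have a trailing slash" (twice). On the code side, `str_replace( 'http://', 'https://', $url )` on line 65 rewrites that substring anywhere in `$url`, not only the scheme, which is exactly the case the docblock's own suggestion `$url = set_url_scheme( $url );` handles; now that the function normalises `$url` with `untrailingslashit()` anyway, that is the natural place to apply it. The condition selecting the https branch starts inside the previous hunk, outside this one.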
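--- a/library/toolset/toolset-common/toolset-forms/bootstrap.php
+++ b/library/toolset/toolset-common/toolset-forms/bootstrap.php
@@ -132,20 +132,23 @@ class WPToolset_Forms_Bootstrap {
  * @since 1.5.0
  */
  public function wpt_suggest_taxonomy_term() {
+
  if (
  !isset($_REQUEST['q']) || $_REQUEST['q'] == ''
  ) {
  die();
  }
  global $wpdb;
+ $_q = $_REQUEST['q'];
  $values_to_prepare = array();
  if (function_exists("wpv_esc_like")) {
- $term_name = '%' . wpv_esc_like($_REQUEST['q']) . '%';
+ $term_name = '%' . wpv_esc_like($_q) . '%';
  } else {
  if (function_exists("cred_wrap_esc_like")) {
- $term_name = '%' . cred_wrap_esc_like($_REQUEST['q']) . '%';
+ $term_name = '%' . cred_wrap_esc_like($_q) . '%';
  }
  }
+
  $values_to_prepare[] = $term_name;
 
  $tax_join = "";
@@ -155,23 +158,25 @@ class WPToolset_Forms_Bootstrap {
  ) {
  $tax_join = " JOIN {$wpdb->term_taxonomy} tt ON t.term_id = tt.term_id ";
  $tax_where = " AND tt.taxonomy = %s ";
- $values_to_prepare[] = $_REQUEST['taxonomy'];
+ $values_to_prepare[] = sanitize_text_field( $_REQUEST['taxonomy'] );
 
  global $sitepress;
  if (isset($sitepress)) {
- if (isset($_GET['source_lang'])) {
- $src_lang = $_GET['source_lang'];
+ if (isset($_REQUEST['source_lang'])) {
+ $src_lang = sanitize_text_field( $_REQUEST['source_lang'] );
  } else {
  $src_lang = $sitepress->get_current_language();
  }
- if (isset($_GET['lang'])) {
- $lang = sanitize_text_field($_GET['lang']);
+ if (isset($_REQUEST['lang'])) {
+ $lang = sanitize_text_field( $_REQUEST['lang'] );
  } else {
  $lang = $src_lang;
  }
- $tax_where .= " AND t.term_id in (SELECT element_id from {$wpdb->prefix}icl_translations WHERE element_type = 'tax_{$_REQUEST['taxonomy']}' AND language_code = '{$lang}' ) ";
+ $tax_where .= " AND t.term_id in (SELECT element_id from {$wpdb->prefix}icl_translations WHERE element_type = %s AND language_code = %s ) ";
+ $values_to_prepare[] = sanitize_text_field( "tax_" . $_REQUEST['taxonomy'] );
+ $values_to_prepare[] = $lang;
  }
- }
+ }
 
  $results = $wpdb->get_results(
  $wpdb->prepare(
@@ -182,7 +187,7 @@ class WPToolset_Forms_Bootstrap {
  LIMIT 5", $values_to_prepare
  )
  );
-
+
  foreach ($results as $row) {
  echo $row->name . "\n";
  }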
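Review bot: `$term_name` on the new side (lines 144–152) is only assigned when `wpv_esc_like()` or `cred_wrap_esc_like()` exists; when neither is loaded an undefined variable (null) is pushed into `$values_to_prepare` and the LIKE pattern is empty. `$wpdb->esc_like()` is available in core, so the inner branch should fall back to it: `} else { $term_name = '%' . $wpdb->esc_like( $_q ) . '%'; }`. Moving the `icl_translations` filter to `%s` placeholders (lines 175–177) is the right fix for the interpolated taxonomy and language values. No nonce or capability check is visible between the method's opening line and the `die()`; unless the hook registration enforces one, this handler answers unauthenticated requests and should call `check_ajax_referer()` before reading `q`.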
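--- a/library/toolset/toolset-common/toolset-forms/classes/class.date.scripts.php
+++ b/library/toolset/toolset-common/toolset-forms/classes/class.date.scripts.php
@@ -29,7 +29,7 @@ class WPToolset_Field_Date_Scripts
 
  $is_frontend = ( !is_admin() );
 
- $current_admin_page = isset( $_GET['page'] ) ? $_GET['page'] : null;
+ $current_admin_page = isset( $_GET['page'] ) ? sanitize_text_field( $_GET['page'] ) : null;
  $field_group_edit_pages = array( 'wpcf-edit-usermeta', 'wpcf-edit', 'wpcf-termmeta-edit' );
  $is_types_edit_page = in_array( $current_admin_page, $field_group_edit_pages );
 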
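--- a/library/toolset/toolset-common/toolset-forms/classes/class.eforms.php
+++ b/library/toolset/toolset-common/toolset-forms/classes/class.eforms.php
@@ -1165,7 +1165,7 @@ class Enlimbo_Forms {
  if ($element['#type'] == 'file') {
  return $_FILES[$name]['tmp_name'];
  }
- return isset($_REQUEST[$name]) ? $_REQUEST[$name] : in_array($element['#type'], array('textfield', 'textarea')) ? '' : 0;
+ return isset($_REQUEST[$name]) ? sanitize_text_field( $_REQUEST[$name] ) : in_array($element['#type'], array('textfield', 'textarea')) ? '' : 0;
  }
 
  $parts = explode('[', $name);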
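--- a/library/toolset/toolset-common/toolset-forms/classes/class.recaptcha.php
+++ b/library/toolset/toolset-common/toolset-forms/classes/class.recaptcha.php
@@ -26,7 +26,7 @@ class WPToolset_Field_Recaptcha extends WPToolset_Field_Textfield {
  $lang = substr(get_locale(), 0, 2);
  if (isset($sitepress)) {
  if (isset($_GET['source_lang'])) {
- $src_lang = $_GET['source_lang'];
+ $src_lang = sanitize_text_field( $_GET['source_lang'] );
  } else {
  $src_lang = $sitepress->get_current_language();
  }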
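--- a/library/toolset/toolset-common/toolset-forms/classes/submit.php
+++ b/library/toolset/toolset-common/toolset-forms/classes/submit.php
@@ -54,7 +54,7 @@ $data = array();
  if (isset($_REQUEST['nonce']) && check_ajax_referer('ajax_nonce', 'nonce', false)) {
 
  if (isset($_POST['action']) && $_POST['action'] == 'delete' && isset($_POST['file'])) {
- $file = $_POST['file'];
+ $file = esc_url_raw( $_POST['file'] );
  $id = isset($_POST['id']) ? (int) $_POST['id'] : 0;
 
  $data = array('result' => true);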
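Review bot: `esc_url_raw()` on `$_POST['file']` (new line 57) yields a URL-safe string, but this is the `delete` branch, so what matters is whether `$file` is later resolved to a filesystem path, and `esc_url_raw()` does not tie it to the uploads directory or to the attachment identified by `$id`. The rest of the handler is outside the hunk, so I cannot see how `$file` is consumed; if it reaches `unlink()` or a path helper, resolve it against `wp_upload_dir()` and verify the resolved path stays inside that directory (or derive the path from `get_attached_file( $id )`) before deleting. The nonce check is present; a `current_user_can()` check for the attachment is not visible here.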
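--- a/library/toolset/toolset-common/user-editors/editor/screen/beaver/backend.php
+++ b/library/toolset/toolset-common/user-editors/editor/screen/beaver/backend.php
@@ -46,10 +46,10 @@ class Toolset_User_Editors_Editor_Screen_Beaver_Backend
  && isset( $_REQUEST['preview_slug'] )
  ) {
  $this->storeTemplateSettings(
- $_REQUEST['post_id'],
+ (int) $_REQUEST['post_id'],
  $_REQUEST['template_path'],
- $_REQUEST['preview_domain'],
- $_REQUEST['preview_slug']
+ sanitize_text_field( $_REQUEST['preview_domain'] ),
+ sanitize_text_field( $_REQUEST['preview_slug'] )
  );
  }
 
@@ -77,7 +77,7 @@ class Toolset_User_Editors_Editor_Screen_Beaver_Backend
  // ./backend.css
  wp_enqueue_style(
  'toolset-user-editors-beaver-style',
- TOOLSET_COMMON_URL . 'user-editors/editor/screen/beaver/backend.css',
+ TOOLSET_COMMON_URL . '/user-editors/editor/screen/beaver/backend.css',
  array(),
  TOOLSET_COMMON_VERSION
  );
@@ -85,7 +85,7 @@ class Toolset_User_Editors_Editor_Screen_Beaver_Backend
  // ./backend.js
  wp_enqueue_script(
  'toolset-user-editors-beaver-script',
- TOOLSET_COMMON_URL . 'user-editors/editor/screen/beaver/backend.js',
+ TOOLSET_COMMON_URL . '/user-editors/editor/screen/beaver/backend.js',
  array( 'jquery' ),
  TOOLSET_COMMON_VERSION,
  true
@@ -147,7 +147,7 @@ class Toolset_User_Editors_Editor_Screen_Beaver_Backend
  public function layoutTemplateRegisterAssets() {
  wp_register_script(
  'toolset-user-editors-beaver-layout-template-script',
- TOOLSET_COMMON_URL . 'user-editors/editor/screen/beaver/backend_layout_template.js',
+ TOOLSET_COMMON_URL . '/user-editors/editor/screen/beaver/backend_layout_template.js',
  array( 'jquery', 'views-layout-template-js', 'underscore' ),
  TOOLSET_COMMON_VERSION,
  true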
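Review bot: `$_REQUEST['template_path']` (new line 50) is the one argument to `storeTemplateSettings()` left untouched while its neighbours are cast or passed through `sanitize_text_field()`; since it is a template path that gets persisted, it should be validated against the allowed templates before storing rather than merely sanitised — the companion change in content-template.php already computes `wp_list_pluck( $this->allowed_templates, 'path' )` for exactly that comparison. The condition guarding this call starts outside the hunk, so whether a nonce or capability check precedes it is not visible; confirm one does. `(int)` on `post_id` fixes the type but still admits 0 for a non-numeric value, which `storeTemplateSettings()` should reject.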
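--- a/library/toolset/toolset-common/user-editors/medium/content-template.php
+++ b/library/toolset/toolset-common/user-editors/medium/content-template.php
@@ -12,7 +12,7 @@ class Toolset_User_Editors_Medium_Content_Template
 
  public function __construct() {
  if( array_key_exists( 'ct_id', $_REQUEST ) )
- $this->id = $_REQUEST['ct_id'];
+ $this->id = (int) $_REQUEST['ct_id'];
 
  if( $this->id && array_key_exists( 'ct_editor_choice', $_REQUEST ) )
  update_post_meta( $this->id, $this->option_name_editor_choice, sanitize_text_field( $_REQUEST['ct_editor_choice'] ) );
@@ -143,7 +143,7 @@ class Toolset_User_Editors_Medium_Content_Template
 
  // Make sure that the stored template path is in the allowed ones, or force it otherwise
  $allowed_paths = wp_list_pluck( $this->allowed_templates, 'path' );
- $current_template = get_post_meta( $_GET['ct_id'], $this->manager->getActiveEditor()->getOptionName(), true );
+ $current_template = get_post_meta( (int) $_GET['ct_id'], $this->manager->getActiveEditor()->getOptionName(), true );
 
  if (
  isset( $_GET['ct_id'] )
@@ -161,8 +161,8 @@ class Toolset_User_Editors_Medium_Content_Template
  'preview_slug' => $first_allowed_template['slug']
  );
 
- update_post_meta( $_GET['ct_id'], $this->manager->getActiveEditor()->getOptionName(), $settings_to_store );
- $stored = get_post_meta( $_GET['ct_id'], $this->manager->getActiveEditor()->getOptionName(), true );
+ update_post_meta( (int) $_GET['ct_id'], $this->manager->getActiveEditor()->getOptionName(), $settings_to_store );
+ $stored = get_post_meta( (int) $_GET['ct_id'], $this->manager->getActiveEditor()->getOptionName(), true );
  }
 
  return $this->allowed_templates;
@@ -235,7 +235,7 @@ class Toolset_User_Editors_Medium_Content_Template
  $editors = $this->manager->getEditors();
 
  if( count( $editors ) > 1 ) {
- $admin_url = admin_url( 'admin.php?page=ct-editor&ct_id='.$_GET['ct_id'] );
+ $admin_url = admin_url( 'admin.php?page=ct-editor&ct_id='. (int) $_GET['ct_id'] );
 
  $editor_current = '';
  $editor_switch_buttons = array();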
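Review bot: The `(int)` cast on new line 146 does not address the ordering problem there: `get_post_meta( (int) $_GET['ct_id'], … )` runs before the `isset( $_GET['ct_id'] )` test on line 149, so a request without `ct_id` still raises an undefined-index notice and reads meta for post 0. Read the value once, guarded, e.g. `$ct_id = isset( $_GET['ct_id'] ) ? (int) $_GET['ct_id'] : 0;` at the top of the method, and use `$ct_id` in the three `get_post_meta`/`update_post_meta` calls and in the `admin_url()` on line 238. The constructor (lines 13–18) writes post meta from `$_REQUEST['ct_editor_choice']` for whichever `ct_id` is supplied; no capability check on that post is visible in the hunk, so confirm one exists upstream or add `current_user_can( 'edit_post', $this->id )` before the `update_post_meta()` call.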
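--- a/library/toolset/toolset-common/user-editors/medium/screen/content-template/backend.php
+++ b/library/toolset/toolset-common/user-editors/medium/screen/content-template/backend.php
@@ -12,7 +12,7 @@ class Toolset_User_Editors_Medium_Screen_Content_Template_Backend
  return false;
  }
 
- return $_REQUEST['ct_id'];
+ return (int) $_REQUEST['ct_id'];
  }
 
  public function equivalentEditorScreenIsActive() {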
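--- a/library/toolset/toolset-common/user-editors/medium/screen/content-template/frontend-editor.php
+++ b/library/toolset/toolset-common/user-editors/medium/screen/content-template/frontend-editor.php
@@ -54,7 +54,7 @@ class Toolset_User_Editors_Medium_Screen_Content_Template_Frontend_Editor
  // ./backend.css
  wp_enqueue_style(
  'toolset-user-editors-ct-frontend-editor-style',
- TOOLSET_COMMON_URL . 'user-editors/medium/screen/content-template/frontend-editor.css',
+ TOOLSET_COMMON_URL . '/user-editors/medium/screen/content-template/frontend-editor.css',
  array(),
  TOOLSET_COMMON_VERSION
  );
@@ -62,7 +62,7 @@ class Toolset_User_Editors_Medium_Screen_Content_Template_Frontend_Editor
  // ./backend.js
  wp_enqueue_script(
  'toolset-user-editors-ct-frontend-editor-script',
- TOOLSET_COMMON_URL . 'user-editors/medium/screen/content-template/frontend-editor.js',
+ TOOLSET_COMMON_URL . '/user-editors/medium/screen/content-template/frontend-editor.js',
  array( 'jquery' ),
  TOOLSET_COMMON_VERSION,
  true
@@ -175,7 +175,7 @@ class Toolset_User_Editors_Medium_Screen_Content_Template_Frontend_Editor
  }
 
  if( isset( $_REQUEST['ct_id'] ) && isset( $_REQUEST['preview_post_id'] ) ) {
- $this->store_preview_post_id( $_REQUEST['ct_id'], $_REQUEST['preview_post_id'] );
+ $this->store_preview_post_id( (int) $_REQUEST['ct_id'], (int) $_REQUEST['preview_post_id'] );
  }
 
  die( 1 );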
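Review bot: The `(int)` casts on new line 178 constrain the types, but the handler ends in `die( 1 )` with no nonce or capability check visible in the hunk, and `store_preview_post_id()` writes a preview post id for whichever content template is named; the start of the method is outside the hunk, so if `check_ajax_referer()` and a `current_user_can( 'edit_post', $ct_id )` check live there this is fine, otherwise they belong before this call. A `preview_post_id` that casts to 0 should be rejected rather than stored, e.g. `if ( $ct_id > 0 && $preview_post_id > 0 )` around the call.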
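--- a/library/toolset/toolset-common/user-editors/resource/views/dialog/dialog.php
+++ b/library/toolset/toolset-common/user-editors/resource/views/dialog/dialog.php
@@ -88,7 +88,7 @@ class Toolset_User_Editors_Resource_Views_Dialog
 
  wp_enqueue_style(
  'toolset-user-editors-ressource-views-dialog',
- TOOLSET_COMMON_URL . 'user-editors/resource/views/dialog/dialog.css',
+ TOOLSET_COMMON_URL . '/user-editors/resource/views/dialog/dialog.css',
  array(),
  TOOLSET_COMMON_VERSION
  );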
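--- a/library/toolset/toolset-common/user-editors/resource/views/dialog/for-any-input.php
+++ b/library/toolset/toolset-common/user-editors/resource/views/dialog/for-any-input.php
@@ -43,14 +43,14 @@ class Toolset_User_Editors_Resource_Views_Dialog_For_Any_Input
  public function _actionScriptsAndStyles() {
  wp_enqueue_style(
  'toolset-user-editors-ressource-views-dialog-for-any-input',
- TOOLSET_COMMON_URL . 'user-editors/resource/views/dialog/for-any-input.css',
+ TOOLSET_COMMON_URL . '/user-editors/resource/views/dialog/for-any-input.css',
  array(),
  TOOLSET_COMMON_VERSION
  );
 
  wp_enqueue_script(
  'toolset-user-editors-ressource-views-dialog-for-any-input',
- TOOLSET_COMMON_URL . 'user-editors/resource/views/dialog/for-any-input.js',
+ TOOLSET_COMMON_URL . '/user-editors/resource/views/dialog/for-any-input.js',
  array( 'jquery' ),
  TOOLSET_COMMON_VERSION,
  true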
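--- a/library/toolset/toolset-common/utility/help-videos/toolset-help-videos.php
+++ b/library/toolset/toolset-common/utility/help-videos/toolset-help-videos.php
@@ -22,7 +22,7 @@ if( !class_exists('Toolset_HelpVideo') ) {
 
  if (empty($arguments)) return;
 
- self::$current = isset($_REQUEST[self::KEY]) ? $_REQUEST[self::KEY] : null;
+ self::$current = isset($_REQUEST[self::KEY]) ? sanitize_text_field( $_REQUEST[self::KEY] ) : null;
 
  if (self::$current === null) return;
 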
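--- a/library/toolset/types/admin.php
+++ b/library/toolset/types/admin.php
@@ -49,7 +49,7 @@ if ( defined( 'DOING_AJAX' ) ) {
  // that post and user fields can use the same handler (which is originally meant for post fields only).
 
  // We don't have functions.php at this point, can't use wpcf_getpost().
- $current_page = isset( $_REQUEST['page'] ) ? $_REQUEST['page'] : Types_Admin_Edit_Custom_Fields_Group::PAGE_NAME;
+ $current_page = isset( $_REQUEST['page'] ) ? sanitize_text_field( $_REQUEST['page'] ) : Types_Admin_Edit_Custom_Fields_Group::PAGE_NAME;
  if( in_array( $current_page, array( Types_Admin_Edit_Custom_Fields_Group::PAGE_NAME, 'wpcf-edit-usermeta' ) ) ) {
  new Types_Admin_Edit_Custom_Fields_Group();
  }
@@ -175,7 +175,7 @@ function wpcf_admin_toolset_register_menu_pages( $pages ) {
 
  $current_page = '';
  if ( isset( $_GET['page'] ) ) {
- $current_page = $_GET['page'];
+ $current_page = sanitize_text_field( $_GET['page'] );
  }
 
  $pages['wpcf-cpt'] = array(
@@ -541,7 +541,7 @@ function wpcf_admin_menu_edit_fields()
  $post_type = current_filter();
  $title = __('View Post Field Group', 'wpcf');
  if ( isset( $_GET['group_id'] ) ) {
- if ( WPCF_Roles::user_can_edit('custom-field', array('id' => $_GET['group_id']))) {
+ if ( WPCF_Roles::user_can_edit('custom-field', array('id' => (int) $_GET['group_id']))) {
  $title = __( 'Edit Post Field Group', 'wpcf' );
  $add_new = array(
  'page' => 'wpcf-edit',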
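Review bot: `in_array( $current_page, array( ... ) )` at line 53 compares loosely; now that `$current_page` is guaranteed to be a string, pass `true` as the third argument so the membership test is exact: `if( in_array( $current_page, array( Types_Admin_Edit_Custom_Fields_Group::PAGE_NAME, 'wpcf-edit-usermeta' ), true ) ) {`. The `(int)` cast at line 544 turns a non-numeric `group_id` into 0 before it reaches `WPCF_Roles::user_can_edit`; if that helper treats 0 as "new group" the branch would show the edit title for junk input, which is worth confirming since the helper is outside the hunk. `wpcf_admin_menu_edit_fields` continues past the hunk.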
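--- a/library/toolset/types/embedded/admin.php
+++ b/library/toolset/types/embedded/admin.php
@@ -754,7 +754,7 @@ function wpcf_admin_get_edited_post_type( $post = null ) {
  $post_type = 'post';
  } else if ( in_array( $_GET['post_type'],
  get_post_types( array('show_ui' => true) ) ) ) {
- $post_type = $_GET['post_type'];
+ $post_type = sanitize_text_field( $_GET['post_type'] );
  } else {
  $post_type = 'post';
  }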
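Review bot: At lines 755-757 the allowlist check (`in_array` against `get_post_types`) runs on the raw `$_GET['post_type']`, but the value assigned is the sanitized one, so the string that passed validation and the string stored can differ whenever `sanitize_text_field` changes the input (tags, control characters, surrounding whitespace). Sanitize once into a local before the membership test and assign that same local: `$requested = sanitize_text_field( $_GET['post_type'] );` followed by `} else if ( in_array( $requested, get_post_types( array('show_ui' => true) ), true ) ) { $post_type = $requested;`. The same validate-raw/assign-sanitized order appears in embedded/includes/fields-post.php lines 1588-1589 and embedded/usermeta-init.php lines 239-241. `wpcf_admin_get_edited_post_type` begins outside the hunk.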
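--- a/library/toolset/types/embedded/classes/forms.php
+++ b/library/toolset/types/embedded/classes/forms.php
@@ -1118,7 +1118,7 @@ class Enlimbo_Forms_Wpcf
  if ( $element['#type'] == 'file' ) {
  return $_FILES[$name]['tmp_name'];
  }
- return isset( $_REQUEST[$name] ) ? $_REQUEST[$name] : in_array( $element['#type'],
+ return isset( $_REQUEST[$name] ) ? sanitize_text_field( $_REQUEST[$name] ) : in_array( $element['#type'],
  array('textfield', 'textarea') ) ? '' : 0;
  }
 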
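Review bot: The nested ternary at lines 1121-1122 is unparenthesized; PHP's `?:` is left-associative (and PHP 8 rejects this form outright), so as written the expression groups as `(isset(...) ? sanitize_text_field(...) : in_array(...)) ? '' : 0` and yields `''` or `0` instead of the request value. Parenthesize the fallback: `return isset( $_REQUEST[$name] ) ? sanitize_text_field( $_REQUEST[$name] ) : ( in_array( $element['#type'], array('textfield', 'textarea'), true ) ? '' : 0 );`. Separately, `sanitize_text_field` is a single-line string sanitizer: it collapses line breaks, so a `textarea` value loses its newlines, and it does not pass arrays through, so multi-value inputs would not survive this getter; if those element types reach here, branch on `$element['#type']` and pick a per-type sanitizer. The enclosing method starts outside the hunk.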
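--- a/library/toolset/types/embedded/classes/gui/term_field_editing.php
+++ b/library/toolset/types/embedded/classes/gui/term_field_editing.php
@@ -390,8 +390,8 @@ final class WPCF_GUI_Term_Field_Editing {
  */
  public function manage_term_listing_columns( $columns ) {
 
- $taxonomy_slug = wpcf_getget( 'taxonomy' );
  $factory = Types_Field_Group_Term_Factory::get_instance();
+ $taxonomy_slug = sanitize_text_field( wpcf_getget( 'taxonomy' ) );
  $groups = $factory->get_groups_by_taxonomy( $taxonomy_slug );
 
  $columns_to_insert = array();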
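Review bot: `sanitize_text_field` at line 394 is a looser filter than a taxonomy slug needs; `sanitize_key` matches the slug character set, and `taxonomy_exists()` turns the read into an allowlist check before the lookup, e.g. `$taxonomy_slug = sanitize_key( wpcf_getget( 'taxonomy' ) );` followed by a `taxonomy_exists( $taxonomy_slug )` guard that leaves `$groups` empty otherwise. How `get_groups_by_taxonomy` consumes the slug is not visible here, so whether the stricter filter is required or merely tidier cannot be settled from the hunk. The method body continues past the hunk.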
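--- a/library/toolset/types/embedded/includes/ajax.php
+++ b/library/toolset/types/embedded/includes/ajax.php
@@ -344,7 +344,7 @@ function wpcf_ajax_embedded() {
  case 'um_repetitive_add':
 
  if ( isset( $_GET['user_id'] ) ) {
- $user_id = $_GET['user_id'];
+ $user_id = (int) $_GET['user_id'];
  } else {
  $user_id = wpcf_usermeta_get_user();
  }
@@ -494,7 +494,7 @@ function wpcf_ajax_embedded() {
  $args = array(
  'posts_per_page' => apply_filters( 'wpcf_pr_belongs_post_posts_per_page', $posts_per_page ),
  'post_status' => apply_filters( 'wpcf_pr_belongs_post_status', array( 'publish', 'private' ) ),
- 'post_type' => $_REQUEST['post_type'],
+ 'post_type' => sanitize_text_field( $_REQUEST['post_type'] ),
  'suppress_filters' => 1,
  );
 
@@ -544,7 +544,7 @@ function wpcf_ajax_embedded() {
 
  case 'wpcf_entry_entry':
  if( current_user_can( 'edit_posts' ) && isset($_REQUEST['p'])) {
- $wpcf_post = get_post($_REQUEST['p'], ARRAY_A);
+ $wpcf_post = get_post( (int) $_REQUEST['p'], ARRAY_A );
  if ( isset($wpcf_post['ID']) ) {
  $post_title = $wpcf_post['post_title'];
  if ( empty($post_title) ) {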
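Review bot: The `wpcf_entry_entry` branch at lines 546-547 gates on the generic `edit_posts` capability and then fetches any post id, so a user who may edit only their own posts can still read the title of another author's private or draft post (line 549) through this endpoint; check the specific post instead: `if( isset($_REQUEST['p']) && current_user_can( 'edit_post', (int) $_REQUEST['p'] ) ) {`. The query built at lines 494-499 lists `publish` and `private` posts of a caller-chosen post type and presumably needs a comparable per-type capability check; that check, if present, is outside the hunk. `wpcf_ajax_embedded` begins and ends outside the hunks.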
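--- a/library/toolset/types/embedded/includes/fields-post.php
+++ b/library/toolset/types/embedded/includes/fields-post.php
@@ -1586,7 +1586,7 @@ function wpcf_admin_post_get_post_groups_fields( $post = false, $context = 'grou
  if ( !isset( $_GET['post_type'] ) ) {
  $post_type = 'post';
  } else if ( in_array( $_GET['post_type'], get_post_types( array('show_ui' => true) ) ) ) {
- $post_type = $_GET['post_type'];
+ $post_type = sanitize_text_field( $_GET['post_type'] );
  } else {
  $post_type = 'post';
  }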
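--- a/library/toolset/types/embedded/includes/fields.php
+++ b/library/toolset/types/embedded/includes/fields.php
@@ -940,7 +940,7 @@ function wpcf_get_all_field_slugs_except_current_group( $current_group = false )
  }
  }
  if( !$current_group && isset( $_REQUEST['group_id'] ) )
- $current_group = $_REQUEST['group_id'];
+ $current_group = (int) $_REQUEST['group_id'];
 
  // if no new group
  if( $current_group && !empty( $all_fields ) ) {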
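--- a/library/toolset/types/embedded/includes/module-manager.php
+++ b/library/toolset/types/embedded/includes/module-manager.php
@@ -27,7 +27,7 @@ function wpcf_module_inline_table_fields()
  _e('There is a problem with Module Manager', 'wpcf');
  return;
  }
- $group = wpcf_admin_fields_get_group($_GET['group_id']);
+ $group = wpcf_admin_fields_get_group( (int) $_GET['group_id'] );
  if ( empty($group) ) {
  _e('Wrong group id.', 'wpcf');
  return;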
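--- a/library/toolset/types/embedded/includes/post-relationship.php
+++ b/library/toolset/types/embedded/includes/post-relationship.php
@@ -629,7 +629,7 @@ function wpcf_pr_admin_wpcf_relationship_check($keys_to_check = array())
  die(__('Sorry, something went wrong. The requested can not be completed.', 'wpcf'));
  }
  }
- $id = esc_attr(sprintf('wpcf_pr_belongs_%d_%s', $_REQUEST['post_id'], $_REQUEST['post_type']));
+ $id = esc_attr(sprintf('wpcf_pr_belongs_%d_%s', (int) $_REQUEST['post_id'], sanitize_text_field( $_REQUEST['post_type'] )));
  if ( !wp_verify_nonce($_REQUEST['nounce'], $id) ) {
  die(__('Sorry, something went wrong. The requested can not be completed.', 'wpcf'));
  }
@@ -712,7 +712,7 @@ function wpcf_pr_admin_wpcf_relationship_search()
  function wpcf_pr_admin_wpcf_relationship_entry()
  {
  wpcf_pr_admin_wpcf_relationship_check(array('p'));
- $wpcf_post = get_post($_REQUEST['p'], ARRAY_A);
+ $wpcf_post = get_post( (int) $_REQUEST['p'], ARRAY_A);
  /**
  * remove unnecessary data and add some necessary
  */
@@ -732,10 +732,10 @@ function wpcf_pr_admin_wpcf_relationship_entry()
  function wpcf_pr_admin_wpcf_relationship_delete()
  {
  wpcf_pr_admin_wpcf_relationship_check();
- delete_post_meta( $_REQUEST['post_id'], sprintf('_wpcf_belongs_%s_id', $_REQUEST['post_type']));
+ delete_post_meta( (int) $_REQUEST['post_id'], sprintf('_wpcf_belongs_%s_id', sanitize_text_field( $_REQUEST['post_type'] )));
  echo json_encode(
  array(
- 'target' => sprintf('#wpcf_pr_belongs_%d_%s-wrapper', $_REQUEST['post_id'], $_REQUEST['post_type']),
+ 'target' => sprintf('#wpcf_pr_belongs_%d_%s-wrapper', (int) $_REQUEST['post_id'], sanitize_text_field( $_REQUEST['post_type'] )),
  )
  );
  die;
@@ -745,7 +745,7 @@ function wpcf_pr_admin_wpcf_relationship_delete()
  function wpcf_pr_admin_wpcf_relationship_save()
  {
  wpcf_pr_admin_wpcf_relationship_check(array('p'));
- update_post_meta( $_REQUEST['post_id'], sprintf('_wpcf_belongs_%s_id', $_REQUEST['post_type']), intval($_REQUEST['p']));
+ update_post_meta( (int) $_REQUEST['post_id'], sprintf('_wpcf_belongs_%s_id', sanitize_text_field( $_REQUEST['post_type'] )), intval($_REQUEST['p']));
  die;
  }
 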
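Review bot: `$_REQUEST['post_type']` at lines 735 and 748 is spliced into a post-meta key, where `sanitize_key` is the fitting filter (lowercase alphanumerics, dash and underscore); `sanitize_text_field` still admits spaces, quotes and slashes, and since `register_post_type` already runs names through `sanitize_key`, any real post type survives it unchanged. The same sanitized read is repeated on every line (632, 735, 738, 748) and `intval($_REQUEST['p'])` at 748 differs only in spelling from the `(int)` cast at 715; read each parameter once into a local, e.g. `$post_id = (int) $_REQUEST['post_id']; $post_type = sanitize_key( $_REQUEST['post_type'] );`, and reuse it. The nonce action at line 632 must keep being built from exactly the values the handlers later act on, so the same filter has to be applied in `wpcf_pr_admin_wpcf_relationship_check` and its callers alike; that function starts outside the hunk.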
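--- a/library/toolset/types/embedded/usermeta-init.php
+++ b/library/toolset/types/embedded/usermeta-init.php
@@ -111,7 +111,7 @@ function wpcf_admin_menu_edit_user_fields()
  $post_type = current_filter();
  $title = __('View User Field Group', 'wpcf');
  if ( isset( $_GET['group_id'] ) ) {
- $item = wpcf_admin_get_user_field_group_by_id($_GET['group_id']);
+ $item = wpcf_admin_get_user_field_group_by_id( (int) $_GET['group_id'] );
  if ( WPCF_Roles::user_can_edit('user-meta-field', $item) ) {
  $title = __( 'Edit User Field Group', 'wpcf' );
  $add_new = array(
@@ -238,7 +238,7 @@ if ( !isset( $_GET['post_type'] ) && isset( $_GET['post'] ) ) {
  isset( $_GET['post_type'] )
  && in_array( $_GET['post_type'], get_post_types( array('show_ui' => true) ) )
  ) {
- $post_type = $_GET['post_type'];
+ $post_type = sanitize_text_field( $_GET['post_type'] );
  }
 
  /*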
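--- a/library/toolset/types/help.php
+++ b/library/toolset/types/help.php
@@ -358,7 +358,7 @@ function wpcf_admin_help_add_tabs_load_hook() {
 
  $current_page = '';
  if ( isset( $_GET['page'] ) ) {
- $current_page = $_GET['page'];
+ $current_page = sanitize_text_field( $_GET['page'] );
  } else {
  return;
  }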
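--- a/library/toolset/types/includes/classes/class.types.admin.edit.fields.php
+++ b/library/toolset/types/includes/classes/class.types.admin.edit.fields.php
@@ -599,7 +599,7 @@ abstract class Types_Admin_Edit_Fields extends Types_Admin_Page
  'data-wpcf-nonce' => wp_create_nonce('wpcf-edit-'.$this->ct['id']),
  // This can be wpcf-postmeta, wpcf-usermeta or wpcf-termmeta.
  'data-wpcf-type' => $this->type,
- 'data-wpcf-page' => wpcf_getget( 'page' )
+ 'data-wpcf-page' => esc_attr( wpcf_getget( 'page' ) )
  ),
  '_builtin' => true,
  '#name' => 'fields-button-add',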
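Review bot: `esc_attr` at line 602 is applied when the attribute array is built rather than where it is rendered, so correctness depends on the forms layer: if `#attributes` values are escaped on output this double-encodes `&`, `<` and quotes, and if they are not, the neighbouring `'data-wpcf-type' => $this->type` at line 601 is left unescaped while only the request-derived value is covered. Escape every attribute value in one place; should the forms layer not escape, the line to add here is `'data-wpcf-type' => esc_attr( $this->type ),`. The matching change in class.types.admin.page.php line 483 sits next to an already-escaped `'data-wpcf-type' => esc_attr($type)`, which suggests the render side does not escape, but that is not visible in either hunk. The enclosing method is outside the hunk.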
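--- a/library/toolset/types/includes/classes/class.types.admin.edit.post.type.php
+++ b/library/toolset/types/includes/classes/class.types.admin.edit.post.type.php
@@ -1115,7 +1115,7 @@ class Types_Admin_Edit_Post_Type extends Types_Admin_Page
  || $_GET['wpcf-post-type'] == 'page'
  || $_GET['wpcf-post-type'] == 'attachment'
  ) {
- $data['slug'] = $_GET['wpcf-post-type'];
+ $data['slug'] = sanitize_text_field( $_GET['wpcf-post-type'] );
  } else {
  $data['slug'] = null;
  }
@@ -2024,7 +2024,8 @@ class Types_Admin_Edit_Post_Type extends Types_Admin_Page
  // get current post type
  require_once WPCF_INC_ABSPATH.'/classes/class.types.admin.post-type.php';
  $wpcf_post_type = new Types_Admin_Post_Type();
- $custom_post_type = $wpcf_post_type->get_post_type($_GET['wpcf-post-type']);
+ $get_post_type_slug_from_request = sanitize_text_field( $_GET['wpcf-post-type'] );
+ $custom_post_type = $wpcf_post_type->get_post_type($get_post_type_slug_from_request);
  if ( isset($custom_post_type['slug']) ) {
  return $custom_post_type['slug'];
  }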
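Review bot: Line 2027 reads `$_GET['wpcf-post-type']` with no `isset` check, so when the parameter is absent the lookup emits an undefined-index notice and hands `null` to `sanitize_text_field`; the project's `wpcf_getget` helper (used in class.types.admin.page.php line 483) supplies the default: `$requested_slug = sanitize_text_field( wpcf_getget( 'wpcf-post-type' ) );`. The name `$get_post_type_slug_from_request` reads as a verb phrase, and a noun such as `$requested_slug` suits a value. Whether an earlier guard in the method already ensures the key exists is not visible, as the method starts outside the hunk.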
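--- a/library/toolset/types/includes/classes/class.types.admin.page.php
+++ b/library/toolset/types/includes/classes/class.types.admin.page.php
@@ -262,13 +262,13 @@ abstract class Types_Admin_Page
  );
 
  if( isset( $_GET['group_id'] ) ) {
- $args['group_id'] = $_GET['group_id'];
- $args['wpcf_ajax_update'] = 'wpcf_list_ajax_response_'.$_GET['group_id'];
- $delete_id_addition = $_GET['group_id'];
+ $args['group_id'] = sanitize_text_field( $_GET['group_id'] );
+ $args['wpcf_ajax_update'] = 'wpcf_list_ajax_response_'.sanitize_text_field( $_GET['group_id'] );
+ $delete_id_addition = sanitize_text_field( $_GET['group_id'] );
  } else if( isset( $_GET['wpcf-tax'] ) ) {
- $args['wpcf-tax'] = $_GET['wpcf-tax'];
- $args['wpcf_ajax_update'] = 'wpcf_list_ajax_response_'.$_GET['wpcf-tax'];
- $delete_id_addition = $_GET['wpcf-tax'];
+ $args['wpcf-tax'] = sanitize_text_field( $_GET['wpcf-tax'] );
+ $args['wpcf_ajax_update'] = 'wpcf_list_ajax_response_'.sanitize_text_field( $_GET['wpcf-tax'] );
+ $delete_id_addition = sanitize_text_field( $_GET['wpcf-tax'] );
  }
 
  $args['wpcf_ref'] = isset( $_GET['ref'] )
@@ -480,7 +480,7 @@ abstract class Types_Admin_Page
  '#attributes' => array(
  'class' => 'js-wpcf-filter-button-edit wpcf-filter-button-edit',
  'data-wpcf-type' => esc_attr($type),
- 'data-wpcf-page' => wpcf_getget( 'page' ),
+ 'data-wpcf-page' => esc_attr( wpcf_getget( 'page' ) ),
  'data-wpcf-nonce' => wp_create_nonce($type),
  ),
  '#inline' => true,
@@ -676,7 +676,7 @@ abstract class Types_Admin_Page
  if (isset($_REQUEST[$request_name]) ) {
  $post_types = get_option(WPCF_OPTION_NAME_CUSTOM_TYPES, array());
  if ( array_key_exists($_REQUEST[$request_name], $post_types) ) {
- $post_type = $_REQUEST[$request_name];
+ $post_type = sanitize_text_field( $_REQUEST[$request_name] );
  }
  }
  return $post_type;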
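Review bot: `group_id` at lines 265-267 is kept as free text while every other `group_id` read in this commit casts to `(int)` (admin.php 544, fields.php 943, module-manager.php 30, usermeta-init.php 114, termmeta_form.php 67), and here the value is also concatenated into the `wpcf_ajax_update` identifier; an integer cast is both consistent and the tighter filter, assuming downstream consumers accept an int as the other casts suggest. `wpcf-tax` at 269-271 is a taxonomy slug concatenated into the same identifier, where `sanitize_key` fits better than `sanitize_text_field`. Reading each parameter once also removes the triplicated sanitizer calls. The enclosing method starts and ends outside the hunk.
```php
if( isset( $_GET['group_id'] ) ) {
    $group_id = (int) $_GET['group_id'];
    $args['group_id'] = $group_id;
    $args['wpcf_ajax_update'] = 'wpcf_list_ajax_response_' . $group_id;
    $delete_id_addition = $group_id;
} else if( isset( $_GET['wpcf-tax'] ) ) {
    $taxonomy = sanitize_key( $_GET['wpcf-tax'] );
    $args['wpcf-tax'] = $taxonomy;
    $args['wpcf_ajax_update'] = 'wpcf_list_ajax_response_' . $taxonomy;
    $delete_id_addition = $taxonomy;
}
// … unchanged: wpcf_ref handling …
```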
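--- a/library/toolset/types/includes/classes/class.types.admin.post.types.list.table.php
+++ b/library/toolset/types/includes/classes/class.types.admin.post.types.list.table.php
@@ -316,7 +316,7 @@ class Types_Admin_Post_Types_List_Table extends WP_List_Table
  if (!empty($action)) {
  $nonce = '';
  if ( isset($_REQUEST['_wpnonce'] ) ) {
- $nonce = $_REQUEST['_wpnonce'];
+ $nonce = sanitize_text_field( $_REQUEST['_wpnonce'] );
  }
  if ( ! wp_verify_nonce( $nonce, 'bulk-posttypes' ) ) {
  die( 'Security check' );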
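Review bot: Lines 317-322 reimplement what `check_admin_referer( 'bulk-posttypes' )` does — read `_wpnonce` from `$_REQUEST`, verify it, and stop on failure — and sanitizing a nonce before `wp_verify_nonce` adds nothing, since the comparison is an exact hash match that no cleaning can help or hurt; the block can collapse to `check_admin_referer( 'bulk-posttypes' );`. If the bare `die( 'Security check' )` text is deliberate, at least use `wp_die()` so the response carries a proper status and admin styling. The same pattern is in class.types.admin.usermeta.groups.list.table.php lines 297-302 and class.wpcf.custom.fields.list.table.php lines 328-333. The enclosing method is outside the hunk.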
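--- a/library/toolset/types/includes/classes/class.types.admin.usermeta.groups.list.table.php
+++ b/library/toolset/types/includes/classes/class.types.admin.usermeta.groups.list.table.php
@@ -296,7 +296,7 @@ class Types_Admin_Usermeta_Groups_List_Table extends WP_List_Table
  if (!empty($action)) {
  $nonce = '';
  if ( isset($_REQUEST['_wpnonce'] ) ) {
- $nonce = $_REQUEST['_wpnonce'];
+ $nonce = sanitize_text_field( $_REQUEST['_wpnonce'] );
  }
  if ( !wp_verify_nonce($nonce, 'bulk-userfieldgroups')) {
  die( 'Security check' );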
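--- a/library/toolset/types/includes/classes/class.types.admin.usermeta.table.php
+++ b/library/toolset/types/includes/classes/class.types.admin.usermeta.table.php
@@ -153,8 +153,8 @@ class Types_Admin_Usermeta_Control_Table extends WP_List_Table
  }
 
  // Order
- $orderby = isset($_REQUEST['orderby']) && !empty($_REQUEST['orderby'])? $_REQUEST['orderby']:'c';
- $order = isset($_REQUEST['order']) && !empty($_REQUEST['order'])? $_REQUEST['order']:'asc';
+ $orderby = isset($_REQUEST['orderby']) && !empty($_REQUEST['orderby'])? sanitize_text_field( $_REQUEST['orderby'] ):'c';
+ $order = isset($_REQUEST['order']) && !empty($_REQUEST['order'])? sanitize_text_field( $_REQUEST['order'] ):'asc';
  $sort_matches = array(
  'c' => 'name',
  'g' => 'groups_txt',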
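Review bot: `$order` at line 157 is an ordering direction, so the right filter is an allowlist of the two legal values rather than a text sanitizer, e.g. `$order = isset($_REQUEST['order']) && in_array( strtolower( $_REQUEST['order'] ), array( 'asc', 'desc' ), true ) ? strtolower( $_REQUEST['order'] ) : 'asc';`. `$orderby` at line 156 looks to be mapped through `$sort_matches` on the following lines, which confines it as long as the lookup falls back to a default when the key is missing; that lookup is outside the hunk, as is how `$order` is consumed (PHP sort versus SQL). The `orderby` read in page/listing/table.php line 1051 would benefit from the same treatment.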
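--- a/library/toolset/types/includes/classes/class.wpcf.custom.fields.list.table.php
+++ b/library/toolset/types/includes/classes/class.wpcf.custom.fields.list.table.php
@@ -327,7 +327,7 @@ class WPCF_Custom_Fields_List_Table extends WP_List_Table
  if (!empty($action)) {
  $nonce = '';
  if ( isset($_REQUEST['_wpnonce'] ) ) {
- $nonce = $_REQUEST['_wpnonce'];
+ $nonce = sanitize_text_field( $_REQUEST['_wpnonce'] );
  }
  if ( !wp_verify_nonce($nonce, 'bulk-customfieldgroups')) {
  die( 'Security check' );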
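--- a/library/toolset/types/includes/classes/page/edit/termmeta_form.php
+++ b/library/toolset/types/includes/classes/page/edit/termmeta_form.php
@@ -64,7 +64,7 @@ final class WPCF_Page_Edit_Termmeta_Form extends Types_Admin_Edit_Fields {
  public function get_page_purpose() {
 
  $role_type = 'term-field';
- $group_id = wpcf_getget( 'group_id' );
+ $group_id = (int) wpcf_getget( 'group_id' );
  $is_group_specified = ( 0 != $group_id );
 
  if( $is_group_specified ) {
@@ -457,7 +457,7 @@ final class WPCF_Page_Edit_Termmeta_Form extends Types_Admin_Edit_Fields {
  $this->verification_failed_and_die( 2 );
  }
 
- // save group data to the database
+ // save group data to the database (sanitizing there)
  $group_id = wpcf_admin_fields_save_group( wpcf_getarr( $wpcf_data, 'group', array() ), Types_Field_Group_Term::POST_TYPE, 'term' );
  $field_group = $this->load_field_group( $group_id );
 
@@ -468,7 +468,7 @@ final class WPCF_Page_Edit_Termmeta_Form extends Types_Admin_Edit_Fields {
  // Why are we doing this?!
  $_REQUEST[ $this->get_id ] = $group_id;
 
- // save taxonomies
+ // save taxonomies; sanitized on a lower level before saving to the database
  $taxonomies_post = wpcf_getnest( $wpcf_data, array( 'group', 'taxonomies' ), array() );
  $field_group->update_associated_taxonomies( $taxonomies_post );
 
@@ -536,7 +536,7 @@ final class WPCF_Page_Edit_Termmeta_Form extends Types_Admin_Edit_Fields {
  }
  }
 
- $field['submit-key'] = $field_key;
+ $field['submit-key'] = sanitize_text_field( $field_key );
 
  // Field ID and slug are same thing
  $field_slug = wpcf_admin_fields_save_field(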
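Review bot: The comments at lines 460 and 471 delegate sanitization to "there" and "a lower level" without naming the function, which a later reader cannot verify or grep for; name the callee that actually does the work, e.g. `// save group data to the database; wpcf_admin_fields_save_group() sanitizes the submitted values` and, for the taxonomies, the method inside `update_associated_taxonomies` that performs it. At line 539 `$field_key` appears to be a key taken from the submitted data, for which `sanitize_key` may be the closer match than `sanitize_text_field`, but its origin is outside the hunk. Now that `$group_id` is an int at line 67, `0 != $group_id` can be the strict `0 !== $group_id`.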
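--- a/library/toolset/types/includes/classes/page/listing/table.php
+++ b/library/toolset/types/includes/classes/page/listing/table.php
@@ -1048,7 +1048,7 @@ class WPCF_Page_Listing_Table {
  $current_url = remove_query_arg( 'paged', $current_url );
 
  if ( isset( $_GET['orderby'] ) ) {
- $current_orderby = $_GET['orderby'];
+ $current_orderby = sanitize_text_field( $_GET['orderby'] );
  } else {
  $current_orderby = '';
  }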
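--- a/library/toolset/types/includes/classes/page/listing/termmeta_table.php
+++ b/library/toolset/types/includes/classes/page/listing/termmeta_table.php
@@ -282,6 +282,8 @@ class WPCF_Page_Listing_Termmeta_Table extends WPCF_Page_Listing_Table {
 
  foreach ( $selected_field_group_ids as $field_group_id ) {
 
+ $field_group_id = (int) $field_group_id;
+
  if ( ! WPCF_Roles::user_can_edit( 'term-field', array( 'id' => $field_group_id ) ) ) {
  continue;
  }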
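Review bot: The cast at line 285 normalizes only the loop variable, so any code after the loop that reads `$selected_field_group_ids` directly (its origin is outside the hunk) still sees the raw values; casting at the source, `$selected_field_group_ids = array_map( 'intval', (array) $selected_field_group_ids );`, covers both uses and also guards against a scalar arriving where an array is expected. This is a placement point rather than a defect in what the hunk itself shows. The enclosing method starts and ends outside the hunk.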
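--- a/library/toolset/types/wpcf.php
+++ b/library/toolset/types/wpcf.php
@@ -143,12 +143,12 @@ function ajax_wpcf_is_reserved_name() {
 
  // slug
  $name = isset( $_POST['slug'] )
- ? $_POST['slug']
+ ? sanitize_text_field( $_POST['slug'] )
  : '';
 
  // context
  $context = isset( $_POST['context'] )
- ? $_POST['context']
+ ? sanitize_text_field( $_POST['context'] )
  : false;
 
  // check also page slugs
@@ -162,11 +162,11 @@ function ajax_wpcf_is_reserved_name() {
 
  // for taxonomy
  if( $context == 'taxonomy' )
- $_POST['ct']['wpcf-tax'] = $_POST['slugPreSave'];
+ $_POST['ct']['wpcf-tax'] = sanitize_text_field( $_POST['slugPreSave'] );
 
  // for post_type
  if( $context == 'post_type' )
- $_POST['ct']['wpcf-post-type'] = $_POST['slugPreSave'];
+ $_POST['ct']['wpcf-post-type'] = sanitize_text_field( $_POST['slugPreSave'] );
  }
 
  if( $context == 'post_type' || $context == 'taxonomy' ) {
@@ -590,7 +590,7 @@ function types_ajax_notice_dismiss_permanent() {
  ? get_user_meta( get_current_user_id(), '_types_notice_dismiss_permanent', true )
  : array();
 
- $user_dismissed_notices[] = $_POST['types_notice_dismiss_permanent'];
+ $user_dismissed_notices[] = sanitize_text_field( $_POST['types_notice_dismiss_permanent'] );
  update_user_meta( get_current_user_id(), '_types_notice_dismiss_permanent', $user_dismissed_notices );
  }
 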
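Review bot: Line 593 appends whatever string the client sent to a per-user meta array on every call, so repeated requests grow `_types_notice_dismiss_permanent` without bound; the dismissed notice ids are a known, small set, so check membership before appending, e.g. `$notice = sanitize_text_field( $_POST['types_notice_dismiss_permanent'] ); if ( ! in_array( $notice, $user_dismissed_notices, true ) ) { $user_dismissed_notices[] = $notice; }` (and `isset` on the key, which is also missing). Lines 165 and 169 read `$_POST['slugPreSave']` with no `isset` either, which raises a notice when the key is absent, and the `==` comparisons on `$context` at 164, 168 and 172 should be `===` now that it is a string or `false`. Whether both AJAX handlers verify a nonce is outside the hunks; `ajax_wpcf_is_reserved_name` and `types_ajax_notice_dismiss_permanent` both begin outside them.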
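--- a/readme.txt
+++ b/readme.txt
@@ -7,7 +7,7 @@ Domain Path: /embedded/locale
  License: GPLv2
  Requires at least: 3.7
  Tested up to: 4.6
- Stable tag: 2.2.1
+ Stable tag: 2.2.3
 
  The complete and reliable plugin for managing custom post types, custom taxonomies and custom fields.
 
@@ -151,6 +151,9 @@ Additionally, Types is the only plugin that lets you define parent/child relatio
 
  == Changelog ==
 
+ = 2.2.3 =
+ * Fixed several security issues.
+
  = 2.2.2 =
 
  * Toolset Dashboard now supports custom post types created by theme or other plugins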
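--- a/wpcf.php
+++ b/wpcf.php
@@ -5,7 +5,7 @@ Plugin URI: http://wordpress.org/extend/plugins/types/
  Description: Toolset Types defines custom content in WordPress. Easily create custom post types, fields and taxonomy and connect everything together.
  Author: OnTheGoSystems
  Author URI: http://www.onthegosystems.com
- Version: 2.2.2
+ Version: 2.2.3
  License: GPLv2 or later
 
  Types is free software: you can redistribute it and/or modify
@@ -28,7 +28,7 @@ if( !function_exists( 'add_action' ) )
 
  // version
  if( ! defined( 'TYPES_VERSION' ) )
- define( 'TYPES_VERSION', '2.2.2' );
+ define( 'TYPES_VERSION', '2.2.3' );
 
  // backward compatibility
  if ( ! defined( 'WPCF_VERSION' ) )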