Skip to content

Commit

Permalink
Security fix
Browse files Browse the repository at this point in the history
  • Loading branch information
inc2734 committed Mar 16, 2024
1 parent ac32883 commit 67cb6d7
Show file tree
Hide file tree
Showing 2 changed files with 166 additions and 109 deletions.
151 changes: 90 additions & 61 deletions classes/fields/class.field-related-posts.php
Original file line number Diff line number Diff line change
Expand Up @@ -77,56 +77,70 @@ public function admin_enqueue_scripts() {
*/
public function relational_posts_search() {
check_ajax_referer( SCF_Config::NAME . '-relation-post-types', 'nonce' );

$_posts = array();

$post_types = filter_input( INPUT_POST, 'post_types' );
if ( $post_types ) {
$post_type = explode( ',', $post_types );
$args = array(
'post_type' => $post_type,
'order' => 'ASC',
'orderby' => 'ID',
'posts_per_page' => -1,
'post_status' => 'any',
);
$post_type = explode( ',', $post_types );
$retrievable_post_types = array();

$click_count = filter_input( INPUT_POST, 'click_count' );
if ( $click_count ) {
$posts_per_page = get_option( 'posts_per_page' );
$offset = $click_count * $posts_per_page;
$args = array_merge(
$args,
array(
'offset' => $offset,
'posts_per_page' => $posts_per_page,
)
);
foreach ( $post_type as $_post_type ) {
$post_type_object = get_post_type_object( $_post_type );

if ( current_user_can( $post_type_object->cap->edit_posts ) ) {
$retrievable_post_types[] = $_post_type;
}
}

$s = filter_input( INPUT_POST, 's' );
if ( $s ) {
$args = array_merge(
$args,
array(
's' => $s,
)
if ( $retrievable_post_types ) {
$args = array(
'post_type' => $retrievable_post_types,
'order' => 'ASC',
'orderby' => 'ID',
'posts_per_page' => -1,
'post_status' => 'any',
);
}

$field_name = sanitize_text_field( filter_input( INPUT_POST, 'field_name' ) );
$click_count = filter_input( INPUT_POST, 'click_count' );
if ( $click_count ) {
$posts_per_page = get_option( 'posts_per_page' );
$offset = $click_count * $posts_per_page;
$args = array_merge(
$args,
array(
'offset' => $offset,
'posts_per_page' => $posts_per_page,
)
);
}

$s = filter_input( INPUT_POST, 's' );
if ( $s ) {
$args = array_merge(
$args,
array(
's' => $s,
)
);
}

$field_name = sanitize_text_field( filter_input( INPUT_POST, 'field_name' ) );

/**
* This filter will be always applied when it queries posts in related posts field.
*/
$args = apply_filters( SCF_Config::PREFIX . 'custom_related_posts_args', $args, $field_name, $post_type );
/**
* This filter will be always applied when it queries posts in related posts field.
*/
$args = apply_filters( SCF_Config::PREFIX . 'custom_related_posts_args', $args, $field_name, $post_type );

/**
* This filter will only be applied when getting posts via ajax call, therefore it won't be applied for the first load.
*/
$args = apply_filters( SCF_Config::PREFIX . 'custom_related_posts_args_ajax_call', $args, $field_name, $post_type );
/**
* This filter will only be applied when getting posts via ajax call, therefore it won't be applied for the first load.
*/
$args = apply_filters( SCF_Config::PREFIX . 'custom_related_posts_args_ajax_call', $args, $field_name, $post_type );

$_posts = get_posts( $args );
$_posts = get_posts( $args );
}
}

header( 'Content-Type: application/json; charset=utf-8' );
echo wp_json_encode( $_posts );
die();
Expand All @@ -144,33 +158,48 @@ public function get_field( $index, $value ) {
$disabled = $this->get_disable_attribute( $index );
$post_type = $this->get( 'post-type' );
$limit = $this->get( 'limit' );
if ( ! $post_type ) {
$post_type = array( 'post' );
}
if ( ! preg_match( '/^\d+$/', $limit ) ) {
$limit = '';
}

$choices_posts = array();
$posts_per_page = get_option( 'posts_per_page' );

$args = array(
'post_type' => $post_type,
'order' => 'ASC',
'orderby' => 'ID',
'posts_per_page' => $posts_per_page,
'post_status' => 'any',
);
if ( $post_type ) {
$retrievable_post_types = array();

foreach ( $post_type as $_post_type ) {
$post_type_object = get_post_type_object( $_post_type );

/**
* This filter will be always applied when it queries posts in related posts field.
*/
$args = apply_filters( SCF_Config::PREFIX . 'custom_related_posts_args', $args, $name, $post_type );
/**
* This filter will only be applied in the first load, therefore it won't be applied when getting posts via ajax call.
*/
$args = apply_filters( SCF_Config::PREFIX . 'custom_related_posts_args_first_load', $args, $name, $post_type );

// Get posts to show in the first load.
$choices_posts = get_posts( $args );
if ( current_user_can( $post_type_object->cap->edit_posts ) ) {
$retrievable_post_types[] = $_post_type;
}
}

if ( $retrievable_post_types ) {
if ( ! preg_match( '/^\d+$/', $limit ) ) {
$limit = '';
}

$args = array(
'post_type' => $retrievable_post_types,
'order' => 'ASC',
'orderby' => 'ID',
'posts_per_page' => $posts_per_page,
'post_status' => 'any',
);

/**
* This filter will be always applied when it queries posts in related posts field.
*/
$args = apply_filters( SCF_Config::PREFIX . 'custom_related_posts_args', $args, $name, $post_type );

/**
* This filter will only be applied in the first load, therefore it won't be applied when getting posts via ajax call.
*/
$args = apply_filters( SCF_Config::PREFIX . 'custom_related_posts_args_first_load', $args, $name, $post_type );

// Get posts to show in the first load.
$choices_posts = get_posts( $args );
}
}

$choices_li = array();
foreach ( $choices_posts as $_post ) {
Expand Down
124 changes: 76 additions & 48 deletions classes/fields/class.field-related-terms.php
Original file line number Diff line number Diff line change
Expand Up @@ -77,46 +77,59 @@ public function admin_enqueue_scripts() {
*/
public function relational_terms_search() {
check_ajax_referer( SCF_Config::NAME . '-relation-taxonomies', 'nonce' );

$_terms = array();
$args = array();

$taxonomies = filter_input( INPUT_POST, 'taxonomies' );
if ( $taxonomies ) {
$taxonomies = explode( ',', $taxonomies );
$args = array(
'taxonomy' => $taxonomies,
'order' => 'ASC',
'orderby' => 'ID',
'number' => '',
'hide_empty' => false,
'hierarchical' => false,
);
$taxonomies = explode( ',', $taxonomies );
$retrievable_taxonomies = array();

$click_count = filter_input( INPUT_POST, 'click_count' );
if ( $click_count ) {
$number = get_option( 'posts_per_page' );
$offset = $click_count * $number;
$args = array_merge(
$args,
array(
'offset' => $offset,
'number' => $number,
)
);
foreach ( $taxonomies as $_taxonomy ) {
$tax = get_taxonomy( $_taxonomy );

if ( current_user_can( $tax->cap->manage_terms ) ) {
$retrievable_taxonomies[] = $_taxonomy;
}
}

$search = filter_input( INPUT_POST, 'search' );
if ( $search ) {
$args = array_merge(
$args,
array(
'search' => $search,
)
if ( $retrievable_taxonomies ) {
$args = array(
'taxonomy' => $retrievable_taxonomies,
'order' => 'ASC',
'orderby' => 'ID',
'number' => '',
'hide_empty' => false,
'hierarchical' => false,
);
}

$_terms = get_terms( $args );
$click_count = filter_input( INPUT_POST, 'click_count' );
if ( $click_count ) {
$number = get_option( 'posts_per_page' );
$offset = $click_count * $number;
$args = array_merge(
$args,
array(
'offset' => $offset,
'number' => $number,
)
);
}

$search = filter_input( INPUT_POST, 'search' );
if ( $search ) {
$args = array_merge(
$args,
array(
'search' => $search,
)
);
}

$_terms = get_terms( $args );
}
}

header( 'Content-Type: application/json; charset=utf-8' );
echo wp_json_encode( $_terms );
die();
Expand All @@ -134,26 +147,41 @@ public function get_field( $index, $value ) {
$disabled = $this->get_disable_attribute( $index );
$taxonomies = $this->get( 'taxonomy' );
$limit = $this->get( 'limit' );
if ( ! $taxonomies ) {
$taxonomies = array( 'category' );
}
if ( ! preg_match( '/^\d+$/', $limit ) ) {
$limit = '';

$choices_terms = array();
$number = get_option( 'posts_per_page' );

if ( $taxonomies ) {
$retrievable_taxonomies = array();

foreach ( $taxonomies as $_taxonomy ) {
$tax = get_taxonomy( $_taxonomy );

if ( current_user_can( $tax->cap->manage_terms ) ) {
$retrievable_taxonomies[] = $_taxonomy;
}
}

if ( $retrievable_taxonomies ) {
if ( ! preg_match( '/^\d+$/', $limit ) ) {
$limit = '';
}

// choicse
$choices_terms = get_terms(
array(
'taxonomy' => $taxonomies,
'order' => 'ASC',
'orderby' => 'ID',
'hide_empty' => false,
'hierarchical' => false,
'number' => $number,
)
);
}
}
$number = get_option( 'posts_per_page' );

// choicse
$choices_terms = get_terms(
array(
'taxonomy' => $taxonomies,
'order' => 'ASC',
'orderby' => 'ID',
'hide_empty' => false,
'hierarchical' => false,
'number' => $number,
)
);
$choices_li = array();
$choices_li = array();
foreach ( $choices_terms as $_term ) {
$term_name = $_term->name;
if ( empty( $term_name ) ) {
Expand Down

0 comments on commit 67cb6d7

Please sign in to comment.