fix: add guard before sanitizing (#9)

* fix: downgrading and upgrading multiple times should migrate

* chore: updated readme

* chore: dont' exclude pro in search

* build: added file renaming for premium build

* chore: updated readme screenshots

* chore: updated plugin name to be more descriptive

* chore: updated description

* fix: conflict with others that use freemius activation

* chore: updated readme

* chore: updated readme

* chore: version bumped to 1.3.1

* chore: updated plugin name and readme info

* chore: updated tested up to

* Added sanitization and security for users without unfiltered_html capability

* chore: updated version number and changelog

* fix: add guard before sanitizing

* allow dynamic help to be included

* Apply suggestions from code review

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* fix: add checking of html and attribute to Interact_Abstract_Action_Type

* test: updated build workflow

* added suffix to version

---------

Co-authored-by: bfintal@gmail.com <>
Co-authored-by: Benjamin Intal <bfintal@gmail.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

Author: 3 people

.github/workflows/plugin-build.yml

@@ -2,9 +2,9 @@ name: Plugin Build
 
 on:
   push:
-    branches: [ master, main ]
+    branches: [ master, develop ]
   pull_request:
-    branches: [ master, main ]
+    branches: [ master, develop ]
 
 jobs:
   build:

.vscode/settings.json

@@ -40,5 +40,8 @@
 		"editor.codeActionsOnSave": {
 			"source.fixAll.stylelint": "never"
 		}
+	},
+	"search.exclude": {
+		"**/pro__premium_only": false
 	}
 }

interactions.php

@@ -7,7 +7,7 @@
  * Author URI: http://gambit.ph
  * License: GPLv2 or later
  * Text Domain: interactions
- * Version: 1.3.0
+ * Version: 1.3.2
  *
  * @fs_premium_only /freemius.php, /freemius/
  */
@@ -18,7 +18,7 @@
 }
 
 defined( 'INTERACT_BUILD' ) || define( 'INTERACT_BUILD', 'free' );
-defined( 'INTERACT_VERSION' ) || define( 'INTERACT_VERSION', '1.3.0' );
+defined( 'INTERACT_VERSION' ) || define( 'INTERACT_VERSION', '1.3.2' );
 defined( 'INTERACT_FILE' ) || define( 'INTERACT_FILE', __FILE__ );
 
 /**
@@ -31,8 +31,8 @@ function interact_on_activation() {
 		// Run migration if version not set or outdated
 		if ( ! $saved_version || version_compare( $saved_version, INTERACT_VERSION, '<' ) ) {
 			do_action( 'interact/on_plugin_update', $saved_version, INTERACT_VERSION );
-			update_option( 'interact_plugin_version', INTERACT_VERSION );
 		}
+		update_option( 'interact_plugin_version', INTERACT_VERSION );
 	}
 }
 register_activation_hook( __FILE__, 'interact_on_activation' );

package.json

@@ -1,6 +1,6 @@
 {
 	"name": "interactions",
-	"version": "1.3.0",
+	"version": "1.3.2",
 	"description": "Make your blocks interactive! Effortlessly set triggers that do actions",
 	"author": "Benjamin Intal of Gambit",
 	"private": true,

readme.txt

@@ -1,33 +1,34 @@
-=== Interactions ===
+=== Interactions - Create Interactive Experiences in the Block Editor ===
 Contributors: bfintal, gambitph
 Tags: interaction, interactivity, trigger, blocks, gutenberg
-Requires at least: 6.6.4
-Tested up to: 6.8.3
+Requires at least: 6.7.4
+Tested up to: 6.9
 Requires PHP: 8.0
-Stable tag: 1.3.0
+Stable tag: 1.3.2
 License: GPLv2 or later
 License URI: https://www.gnu.org/licenses/gpl-2.0.html
 
 Add animations and interactivity to your blocks. Choose from ready-made effects like scroll & hover in the Interactions Library, or build your own.
 
 == Description ==
 
-**Interactions – WordPress Animations, Effects & Functionality for Gutenberg Blocks**  
+**Interactions – WordPress Animations, Interactive Experiences for Gutenberg Blocks**
 
-Want to make your website feel alive and interactive? **Interactions** is the easiest way to add animations, effects, interactivity, and functional features to WordPress — directly inside the block editor.  
+[Visit our website](https://wpinteractions.com) to learn more about how Interactions work.
+
+Want to make your website feel alive and interactive? **Interactions** is the easiest way to add animations, effects, interactivity, and functional features to WordPress — directly inside the block editor. Check our [samples page here](https://wpinteractions.com/samples/) to see a glimpse of what type of interactions you can create. 
 
 You don't need coding skills or complex tools. With Interactions, you can:
 
-- **Pick from the Interactions Library** – A collection of pre-built animations and effects (like images that move upon scrolling down the page, buttons that glow when hovered, and more). Just click and apply.
-- **Build your own custom effects** – Use a simple **Trigger → Action** system. Example: "On scroll → Fade in block", or "On click → Play video".
-- **Add functional features** – Securely update post data, handle form submissions, display user info, copy text to clipboard, and more without coding.
+- **Pick from the [Interactions Library](https://docs.wpinteractions.com/article/744-how-to-use-interactions-library)** – A collection of pre-built animations and effects (like images that move upon scrolling down the page, buttons that glow when hovered, and more). Just click and apply. [Learn more](https://docs.wpinteractions.com/article/744-how-to-use-interactions-library)
+- **Build your own custom effects** – Use a simple **Trigger → Action** system. Example: "On scroll → Fade in block", or "On click → Play video". [Learn more](https://docs.wpinteractions.com/article/577-what-is-wp-interactions-and-how-does-it-work)
+- **Add functional features** – Securely update post data, handle form submissions, display user info, copy text to clipboard, and more without coding. [Learn more](https://docs.wpinteractions.com/category/729-interactions)
 
-Whether you want subtle hover effects, attention-grabbing story-telling animations, playful micro-interactions, or powerful functional features, Interactions makes it possible.
+Whether you want subtle hover effects, attention-grabbing story-telling animations, playful micro-interactions, or powerful functional features, [Interactions](https://wpinteractions.com) makes it possible.
 
 ### 🚀 Features
 
-Create custom interactions easily with a simple Trigger → Action builder. Features include:
-
+Create [custom interactions](https://docs.wpinteractions.com/article/571-what-are-interactions) easily with a simple Trigger → Action builder. Features include:
 
 **Animations & Visual Effects:**
 
@@ -70,6 +71,8 @@ Create custom interactions easily with a simple Trigger → Action builder. Feat
 
 ### 💎 What's in Premium?
 
+[Check our pricing page](https://wpinteractions.com/pricing/) to learn more about what's in Interactions premium.
+
 **Advanced Interactions:**
 
 - **Scroll Strength** – Measure scroll intensity
@@ -98,6 +101,11 @@ Create custom interactions easily with a simple Trigger → Action builder. Feat
 - **Regular Updates** – New features and improvements
 - **Commercial License** – Use in client projects
 
+**Source Code:**
+
+The source code for this plugin is available on GitHub:
+https://github.com/gambitph/Interactions
+
 == Installation ==
 
 1. Install “Interactions” from the WordPress Plugin Directory, or upload it to `/wp-content/plugins/interactions/`.
@@ -133,23 +141,32 @@ The free version includes basic animations and interactions. Premium adds advanc
 
 == Screenshots ==
 
-1. Interaction Library – Pre-built animations and effects.
+1. Adding from the Interaction Library – Pre-built animations and effects.
 2. Advanced trigger and action timeline builder – Create custom interactions with flexible logic and multiple steps.
+3. Interaction Library contents – Pre-built animations and effects.
 
-== Source ==
-
-The source code for this plugin is available on GitHub:
-https://github.com/gambitph/Interactions
+== Upgrade Notice ==
 
 == Changelog ==
 
+= 1.3.2 =
+
+* Fixed: Added restrictions for users without unfiltered_html capabilities
+* Fixed: Added additional input sanitization
+
+= 1.3.1 =
+
+* Fixed: Updated readme info
+* Fixed: Updated long name in the plugins page
+* Fixed: License activation issue
+
 = 1.3.0 =
 
 * New: Interaction library
-* New: Initial release in the WordPress Plugin Directory!
 * New: Block name field is now searchable #70
 * New: Import / export functionality #71
 * New: Box shadow action #81
+* New: 3D Rotate - new transform origin option
 * Fixed: Hover interaction glitches when hovering too fast #9
 * Fixed: On enter viewport doesn't always trigger when on mobile #23
 * Fixed: Confetti action - selecting window will no longer show a display target warning message #74

scripts/package.js

@@ -292,6 +292,34 @@ function cleanupEmptyDirectories( dir ) {
 	}
 }
 
+function updatePluginHeaderVersion( buildDir, suffix ) {
+	if ( ! suffix ) {
+		return
+	}
+
+	const pluginFileName = IS_PREMIUM_BUILD ? 'plugin.php' : 'interactions.php'
+	const pluginFilePath = path.join( buildDir, pluginFileName )
+
+	if ( ! fs.existsSync( pluginFilePath ) ) {
+		return
+	}
+
+	let content = fs.readFileSync( pluginFilePath, 'utf8' )
+	// Append folder suffix to version in plugin header
+	content = content.replace(
+		/^(\s*\*\s*Version:\s*)([^\r\n]+)/m,
+		( match, prefix, version ) => {
+			// Only append if suffix is not already present
+			if ( ! version.includes( suffix ) ) {
+				return prefix + version + '-' + suffix
+			}
+			return match
+		}
+	)
+	fs.writeFileSync( pluginFilePath, content )
+	console.log( `📝 Updated version in ${ pluginFileName } to include suffix: ${ suffix }` )
+}
+
 async function packagePlugin() {
 	console.log( '🚀 Starting plugin packaging...' )
 	console.log( `📦 Build type: ${ IS_PREMIUM_BUILD ? 'Premium' : 'Free' }` )
@@ -312,6 +340,16 @@ async function packagePlugin() {
 		}
 	}
 
+	// Rename interactions.php to plugin.php for premium builds only
+	if ( IS_PREMIUM_BUILD ) {
+		const oldPath = path.join( BUILD_DIR, 'interactions.php' )
+		const newPath = path.join( BUILD_DIR, 'plugin.php' )
+		if ( fs.existsSync( oldPath ) ) {
+			fs.renameSync( oldPath, newPath )
+			console.log( '📝 Renamed interactions.php to plugin.php for premium build' )
+		}
+	}
+
 	console.log( '📁 Copying source directories...' )
 	// Pass isSrcRoot = true for the top-level src folder
 	copyDir( 'src', path.join( BUILD_DIR, 'src' ), true )
@@ -322,6 +360,9 @@ async function packagePlugin() {
 	console.log( '🔒 Adding security index.php files...' )
 	addSecurityFiles( BUILD_DIR )
 
+	console.log( '📝 Updating plugin header version...' )
+	updatePluginHeaderVersion( BUILD_DIR, folderSuffix )
+
 	console.log( '🧹 Cleaning up empty directories...' )
 	cleanupEmptyDirectories( BUILD_DIR )
 

src/action-types/abstract-action-type.php

@@ -256,5 +256,155 @@ public function initilize_action( $action, $animation_data ) {
 
 			return $action;
 		}
+
+		/**
+		 * Sanitizes the action's value before saving.
+		 *
+		 * Override this in a child class to implement specific sanitization.
+		 *
+		 * @param mixed $value The action value to sanitize.
+		 * @return mixed The sanitized action value.
+		 */
+		public function sanitize_data_for_saving( $value ) {
+			// By default, no sanitization is applied.
+			return $value;
+		}
+
+		/**
+		 * Remove any `expression(...)` and `javascript:` content from a CSS style string for security.
+		 *
+		 * @param string $string
+		 * @return string
+		 */
+		public function sanitize_style_value( $string ) {
+			if ( ! is_string( $string ) ) {
+				return $string;
+			}
+			// Remove all expression(...) (case-insensitive).
+			$string = preg_replace( '/expression\s*\((?:[^\(\)]|(?R))*\)/i', '', $string );
+
+			// Remove all javascript: URIs (case-insensitive).
+			$string = preg_replace( '/javascript\s*:/i', '', $string );
+
+			return $string;
+		}
+
+		/**
+		 * Detect if an HTML tag is considered dangerous (can execute scripts or
+		 * otherwise modify page behavior).
+		 *
+		 * @param string $tag_name
+		 * @return bool
+		 */
+		public function is_dangerous_tag( $tag_name ) {
+			if ( empty( $tag_name ) || ! is_string( $tag_name ) ) {
+				return false;
+			}
+
+			$tag_name = strtolower( trim( $tag_name ) );
+
+			// Tags that can execute scripts or modify page behavior
+			$dangerous_tags = [
+				'script',
+				'iframe',
+				'object',
+				'embed',
+				'applet',
+				'meta',
+				'link',
+				'style',
+				'base',
+				'form',
+			];
+
+			return in_array( $tag_name, $dangerous_tags, true );
+		}
+
+		/**
+		 * Detect if an HTML attribute is considered dangerous (event handlers,
+		 * attributes that can contain JS URIs, form actions, etc.).
+		 *
+		 * @param string $attribute_name
+		 * @return bool
+		 */
+		public function is_dangerous_attribute( $attribute_name ) {
+			if ( empty( $attribute_name ) || ! is_string( $attribute_name ) ) {
+				return false;
+			}
+
+			$attribute_name = strtolower( trim( $attribute_name ) );
+
+			// Event handler attributes (onclick, onerror, onload, etc.)
+			if ( preg_match( '/^on[a-z]+/', $attribute_name ) ) {
+				return true;
+			}
+
+			// Attributes that can contain JavaScript URIs or code
+			$dangerous_attributes = [
+				'href',
+				'src',
+				'action',
+				'formaction',
+				'form',
+				'formmethod',
+				'formtarget',
+			];
+
+			return in_array( $attribute_name, $dangerous_attributes, true );
+		}
+
+		/**
+		 * Validate an HTML snippet for dangerous tags, attributes or protocols.
+		 * Returns true when safe, or a WP_Error describing the violation.
+		 *
+		 * @param string $html
+		 * @return true|WP_Error
+		 */
+		public function validate_html_for_saving( $html ) {
+			if ( ! is_string( $html ) ) {
+				return new WP_Error(
+					'invalid_html',
+					__( 'HTML must be a string.', 'interactions' )
+				);
+			}
+
+			// Detect dangerous tags
+			if ( preg_match_all( '/<\s*([a-z0-9\-]+)/i', $html, $matches ) ) {
+				foreach ( $matches[1] as $tag ) {
+					if ( $this->is_dangerous_tag( $tag ) ) {
+						return new WP_Error(
+							'invalid_tag',
+							sprintf( __( 'The HTML tag "%s" is not allowed.', 'interactions' ), esc_html( $tag ) )
+						);
+					}
+				}
+			}
+
+			// Detect dangerous attributes
+			if ( preg_match_all( '/<[^>]+>/i', $html, $tagMatches ) ) {
+				foreach ( $tagMatches[0] as $tagString ) {
+					if ( preg_match_all( '/([a-zA-Z0-9:\-]+)\s*=\s*(?:"[^"]*"|\'[^\']*\'|[^\s>]+)/i', $tagString, $attrMatches ) ) {
+						foreach ( $attrMatches[1] as $attr ) {
+							if ( $this->is_dangerous_attribute( $attr ) ) {
+								return new WP_Error(
+									'invalid_attribute',
+									sprintf( __( 'The HTML attribute "%s" is not allowed.', 'interactions' ), esc_html( $attr ) )
+								);
+							}
+						}
+					}
+				}
+			}
+
+			// Detect disallowed protocols
+			if ( preg_match( '/javascript:\s*/i', $html ) || preg_match( '/data:\s*text\//i', $html ) ) {
+				return new WP_Error(
+					'invalid_protocol',
+					__( 'The HTML contains disallowed protocols (javascript: or data:).', 'interactions' )
+				);
+			}
+
+			return true;
+		}
 	}
 }

src/action-types/class-action-type-background-color.php

@@ -52,6 +52,13 @@ public function initialize() {
 
 		// 	return parent::initilize_action( $action, $animation_data );
 		// }
+
+		public function sanitize_data_for_saving( $value ) {
+			if ( is_array( $value ) && isset( $value['color'] ) ) {
+				$value['color'] = $this->sanitize_style_value( $value['color'] );
+			}
+			return $value;
+		}
 	}
 
 	interact_add_action_type( 'backgroundColor', 'Interact_Action_Type_Background_Color' );