
Commit 4c5b87a

authored
Merge branch 'master' into fix/610-611-content-importer-security
2 parents f3c5327 + 1187c0f commit 4c5b87a

9 files changed

Lines changed: 1288 additions & 1031 deletions


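--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -29,6 +29,6 @@ jobs:
 with:
 generate-zip: true
 - name: Attest build provenance
-uses: johnbillion/action-wordpress-plugin-attestation@0.7.1
+uses: johnbillion/action-wordpress-plugin-attestation@0.7.2
 with:
 zip-path: ${{ steps.deploy.outputs.zip-path }}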

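--- a/includes/MslsFields.php
+++ b/includes/MslsFields.php
@@ -15,6 +15,7 @@ class MslsFields {
 const FIELD_MSLS_LANG = 'msls_lang';
 const FIELD_MSLS_IMPORT = 'msls_import';
 const FIELD_POST = 'post';
+const FIELD_SOURCE_ID = 'source_id';
 
 const CONFIG = array(
 self::FIELD_BLOG_ID => array(
@@ -61,5 +62,9 @@ class MslsFields {
 INPUT_GET,
 FILTER_SANITIZE_NUMBER_INT,
 ),
+self::FIELD_SOURCE_ID => array(
+INPUT_POST,
+FILTER_SANITIZE_NUMBER_INT,
+),
 );
 }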
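Review bot: The new `FIELD_SOURCE_ID` entry pairs `INPUT_POST` with `FILTER_SANITIZE_NUMBER_INT`, matching the neighbouring entries, but that filter only strips characters other than digits, `+` and `-` and hands back a string, so values like `-1`, `+` or an empty string still come through without being validated as a usable ID. Since the two new `suggest()` callers forward this value into a filter context, a comment on the constant would save the next reader a lookup: `// Sanitised to digits/+/- only, not validated: cast to int and check > 0 before use.` If `MslsRequest::get_var()` already casts or validates (it is outside this diff), this is only a documentation point.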

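--- a/includes/MslsMetaBox.php
+++ b/includes/MslsMetaBox.php
@@ -68,8 +68,27 @@ public static function suggest(): void {
 restore_current_blog();
 }
 
-// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
-wp_die( $json->encode() );
+/**
+* Filters the suggest results before encoding
+*
+* @param array<int, array{value: int, label: string}> $results
+* @param array<string, mixed> $context
+*
+* @since 2.12.0
+*/
+$results = (array) apply_filters(
+'msls_meta_box_suggest_results',
+$json->get(),
+array(
+'blog_id' => MslsRequest::get_var( MslsFields::FIELD_BLOG_ID, INPUT_POST ),
+'post_type' => MslsRequest::get_var( MslsFields::FIELD_POST_TYPE, INPUT_POST ),
+'s' => MslsRequest::get_var( MslsFields::FIELD_S, INPUT_POST ),
+'source_id' => MslsRequest::get_var( MslsFields::FIELD_SOURCE_ID, INPUT_POST ),
+)
+);
+
+// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
+wp_die( wp_json_encode( $results ) );
 }
 
 /**
@@ -332,9 +351,10 @@ public function render_input(): void {
 
 echo wp_kses(
 sprintf(
-'<ul>%s</ul><input type="hidden" name="msls_post_type" id="msls_post_type" value="%s"/><input type="hidden" name="msls_action" id="msls_action" value="suggest_posts"/>',
+'<ul>%s</ul><input type="hidden" name="msls_post_type" id="msls_post_type" value="%s"/><input type="hidden" name="msls_action" id="msls_action" value="suggest_posts"/><input type="hidden" name="msls_source_id" id="msls_source_id" value="%d"/>',
 $items,
-$post_type
+$post_type,
+$post->ID
 ),
 Component::get_allowed_html()
 );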
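Review bot: `wp_die( wp_json_encode( $results ) )` at the end of `suggest()` hands `false` to `wp_die()` when encoding fails (for instance a filter callback returning a non-UTF-8 label), which as far as I can tell produces an empty body rather than a JSON error, and the `(array)` cast only guarantees an array, not the `array<int, array{value: int, label: string}>` shape the new docblock promises to consumers of the filter. Replacing the two lines `// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped` and `wp_die( wp_json_encode( $results ) );` with `wp_send_json( $results );` would set the JSON content type, do the encoding and terminate in one call, and the phpcs suppression becomes unnecessary. The same applies to the matching hunk in `includes/MslsPostTag.php`. `suggest()` begins before the hunk, so I cannot see whether `$json->get()` already returns the documented shape; a one-line comment above the `apply_filters()` call stating that callbacks must keep that shape would make the contract explicit either way.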

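--- a/includes/MslsPostTag.php
+++ b/includes/MslsPostTag.php
@@ -72,7 +72,26 @@ public static function suggest(): void {
 restore_current_blog();
 }
 
-wp_die( $json->encode() ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
+/**
+* Filters the suggest results before encoding
+*
+* @param array<int, array{value: int, label: string}> $results
+* @param array<string, mixed> $context
+*
+* @since 2.12.0
+*/
+$results = (array) apply_filters(
+'msls_post_tag_suggest_results',
+$json->get(),
+array(
+'blog_id' => MslsRequest::get_var( MslsFields::FIELD_BLOG_ID ),
+'taxonomy' => MslsRequest::get_var( MslsFields::FIELD_POST_TYPE ),
+'s' => MslsRequest::get_var( MslsFields::FIELD_S ),
+'source_id' => MslsRequest::get_var( MslsFields::FIELD_SOURCE_ID ),
+)
+);
+
+wp_die( wp_json_encode( $results ) ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 }
 
 public static function init(): void {
@@ -102,7 +121,8 @@ public function add_input( string $taxonomy ): void {
 
 $title_format = '<h3>%s</h3>
 <input type="hidden" name="msls_post_type" id="msls_post_type" value="%s"/>
-<input type="hidden" name="msls_action" id="msls_action" value="suggest_terms"/>';
+<input type="hidden" name="msls_action" id="msls_action" value="suggest_terms"/>
+<input type="hidden" name="msls_source_id" id="msls_source_id" value="%d"/>';
 
 $item_format = '<label for="msls_title_%1$d">%2$s</label>
 <input type="hidden" id="msls_id_%1$d" name="msls_input_%3$s" value="%4$s"/>
@@ -131,6 +151,7 @@ public function edit_input( \WP_Term $tag, string $taxonomy ): void {
 <strong>%s</strong>
 <input type="hidden" name="msls_post_type" id="msls_post_type" value="%s"/>
 <input type="hidden" name="msls_action" id="msls_action" value="suggest_terms"/>
+<input type="hidden" name="msls_source_id" id="msls_source_id" value="%d"/>
 </th>
 </tr>';
 
@@ -172,7 +193,7 @@ public function the_input( ?\WP_Term $tag, string $title_format, string $item_fo
 $allowed_html = Component::get_allowed_html();
 
 echo wp_kses(
-sprintf( $title_format, esc_html( $this->get_select_title() ), esc_attr( $type ) ),
+sprintf( $title_format, esc_html( $this->get_select_title() ), esc_attr( $type ), $term_id ),
 $allowed_html
 );
 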
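Review bot: The new `%d` placeholder in both `$title_format` strings is filled from `$term_id` in `the_input()`, but `$term_id` is not assigned anywhere in this hunk and the function takes `?\WP_Term $tag`, so on the `add_input()` path (no term yet) the value presumably ends up as `0`; `the_input()` starts before the hunk, so I cannot see whether it is initialised there. If it is not, `$term_id = null !== $tag ? $tag->term_id : 0;` near the top of `the_input()` plus a comment on the hidden input that `0` means "term not created yet" would make the contract explicit for whatever reads `msls_source_id` on the other side. Separately, `suggest()` here reads `MslsFields::FIELD_SOURCE_ID` through `MslsRequest::get_var()` with no input-type argument, while `MslsMetaBox::suggest()` passes `INPUT_POST` explicitly for the same field; both presumably resolve to `INPUT_POST` via the new `CONFIG` entry, but the two handlers should pick one convention so a later change to `CONFIG` cannot silently diverge them.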