Merge pull request #70 from dartiss/develop

Version 2.4

Author: dartiss

includes/meta-box.php

@@ -0,0 +1,37 @@
+<?php
+/**
+ * Meta boxes
+ *
+ * Functions related to meta-box management.
+ *
+ * @package simple-embed-code
+ */
+
+// Exit if accessed directly.
+
+if ( ! defined( 'ABSPATH' ) ) {
+	exit;
+}
+
+/**
+ * Remove Custom Fields
+ *
+ * Remove the custom field meta boxes if the user doesn't have the unfiltered HTML permissions.
+ *
+ * @param    string  $screen        The screen identifier.
+ * @param    string  $context       The screen context for which to display meta boxes.
+ * @param    boolean $data_object   Gets passed to the meta box callback function as the first parameter.
+ */
+function sec_remove_custom_fields( $screen, $context, $data_object ) {
+
+	if ( ! current_user_can( 'unfiltered_html' ) ) {
+
+		$options = get_option( 'artiss_code_embed' );
+
+		if ( '1' !== $options['meta_box'] ) {
+			remove_meta_box( 'postcustom', $screen, $context );
+		}
+	}
+}
+
+add_action( 'do_meta_boxes', 'sec_remove_custom_fields', 1, 3 );

includes/options-screen.php

@@ -44,6 +44,12 @@
 		$options['excerpt'] = '';
 	}
 
+	if ( isset( $_POST['code_embed_meta_box'] ) ) {
+		$options['meta_box'] = sanitize_text_field( wp_unslash( $_POST['code_embed_meta_box'] ) ); // Input var okay.
+	} else {
+		$options['meta_box'] = '';
+	}
+
 	update_option( 'artiss_code_embed', $options );
 
 	echo '<div class="updated fade"><p><strong>' . esc_html( __( 'Settings saved.', 'simple-embed-code' ) ) . "</strong></p></div>\n";
@@ -52,17 +58,32 @@
 // Fetch options into an array.
 
 $options = get_option( 'artiss_code_embed' );
+
+// Display a message box if the custom meta box removal has been overridden.
+
+if ( '1' === $options['meta_box'] ) {
+	echo '<div class="error fade"><p><strong>' . esc_html( __( 'Warning: You have custom post fields switched on for users who do not have the unfiltered HTML capability. This means that insecure code can be added. Please see the plugin README for more details.', 'simple-embed-code' ) ) . "</strong></p></div>\n";
+}
 ?>
 
 <form method="post" action="<?php echo esc_url( get_bloginfo( 'wpurl' ) ) . '/wp-admin/options-general.php?page=ce-options'; ?>">
 
 <table class="form-table">
+
 <tr>
 <th scope="row"><label for="code_embed_excerpt"><?php echo esc_html( ucwords( __( 'Allow in excerpts', 'simple-embed-code' ) ) ); ?></label></th>
 <td><input type="checkbox" name="code_embed_excerpt" value="1"
 <?php checked( '1', $options['excerpt'] ); ?>
 /><?php esc_html_e( 'Allow embedded code to be shown in excerpts', 'simple-embed-code' ); ?></td>
 </tr>
+
+<tr>
+<th scope="row"><label for="code_embed_meta_box"><?php echo esc_html( ucwords( __( 'Allow custom fields for all users', 'simple-embed-code' ) ) ); ?></label></th>
+<td><input type="checkbox" name="code_embed_meta_box" value="1"
+<?php checked( '1', $options['meta_box'] ); ?>
+/><?php esc_html_e( 'Allows custom meta boxes to be shown for all users, including those without unfiltered HTML permissions.', 'simple-embed-code' ); ?><p class="description"><?php esc_html_e( 'For security purposes, it is recommended that you do not select this option unless you have to. Please the plugin README for more details.' ); ?></p></td>
+</tr>
+
 </table>
 
 <?php echo '<h3>' . esc_html( ucwords( __( 'Identifier format', 'simple-embed-code' ) ) ) . '</h3>' . esc_html__( 'Specify the format that will be used to define the way the code is embedded in your post. The formats are case insensitive and characters &lt; &gt [ ] are invalid.', 'simple-embed-code' ); ?>

includes/shared.php

@@ -7,6 +7,12 @@
  * @package simple-embed-code
  */
 
+// Exit if accessed directly.
+
+if ( ! defined( 'ABSPATH' ) ) {
+	exit;
+}
+
 /**
  * Add meta to plugin details
  *
@@ -62,33 +68,42 @@ function sec_action_links( $actions, $plugin_file ) {
 add_filter( 'plugin_action_links', 'sec_action_links', 10, 2 );
 
 /**
- * WordPress Fork Check
+ * WordPress Requirements Check
  *
- * Deactivate the plugin if an unsupported fork of WordPress is detected.
+ * Deactivate the plugin if certain requirements are not met.
  *
- * @version 1.0
+ * @version 1.1
  */
-function sec_fork_check() {
+function sec_requirements_check() {
+
+	$reason = '';
+
+	// Grab the plugin details.
+
+	$plugins = get_plugins();
+	$name    = $plugins[ CODE_EMBED_PLUGIN_BASE ]['Name'];
 
 	// Check for a fork.
 
 	if ( function_exists( 'calmpress_version' ) || function_exists( 'classicpress_version' ) ) {
 
-		// Grab the plugin details.
+		/* translators: 1: The plugin name. */
+		$reason .= '<li>' . sprintf( __( 'A fork of WordPress was detected. %1$s has not been tested on this fork and, as a consequence, the author will not provide any support.', 'simple-embed-code' ), $name ) . '</li>';
+
+	}
 
-		$plugins = get_plugins();
-		$name    = $plugins[ CODE_EMBED_PLUGIN_BASE ]['Name'];
+	// If a requirement is not met, output the message and stop the plugin.
+
+	if ( '' !== $reason ) {
 
 		// Deactivate this plugin.
 
-		deactivate_plugins( CODE_EMBED_PLUGIN_BASE );
+		deactivate_plugins( PLUGIN_NAME_PLUGIN_BASE );
 
 		// Set up a message and output it via wp_die.
 
 		/* translators: 1: The plugin name. */
-		$message = '<p><b>' . sprintf( __( '%1$s has been deactivated', 'simple-embed-code' ), $name ) . '</b></p><p>' . __( 'Reason:', 'simple-embed-code' ) . '</p>';
-		/* translators: 1: The plugin name. */
-		$message .= '<ul><li>' . __( 'A fork of WordPress was detected.', 'simple-embed-code' ) . '</li></ul><p>' . sprintf( __( 'The author of %1$s will not provide any support until the above are resolved.', 'simple-embed-code' ), $name ) . '</p>';
+		$message = '<p><b>' . sprintf( __( '%1$s has been deactivated', 'simple-embed-code' ), $name ) . '</b></p><p>' . __( 'Reason:', 'simple-embed-code' ) . '</p><ul>' . $reason . '</ul>';
 
 		$allowed = array(
 			'p'  => array(),
@@ -101,4 +116,4 @@ function sec_fork_check() {
 	}
 }
 
-add_action( 'admin_init', 'sec_fork_check' );
+add_action( 'admin_init', 'sec_requirements_check' );

readme.txt

@@ -3,9 +3,9 @@ Contributors: dartiss
 Donate link: https://artiss.blog/donate
 Tags: code, embed, html, css, javascript
 Requires at least: 4.6
-Tested up to: 6.5
+Tested up to: 6.6
 Requires PHP: 7.4
-Stable tag: 2.3.9
+Stable tag: 2.4
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
 
@@ -62,9 +62,11 @@ Check out the screenshots for how the custom fields should look.
 
 == I can't find the custom fields ==
 
-For block editor users, I'm assuming you've done the above. For classic editor users, the custom fields should be present by default. In all cases they should appear at the bottom of the editor screen.
+For block editor users, I'm assuming you've done the above. For classic editor users, the custom fields should be present by default. In all cases they should appear at the bottom of the editor screen.
+
+From version 2.4, anyone without the "unfiltered HTML" capability won't be able to see custom fields, for added security. Please see the section "Custom Field Security", below, for more details.
 
-If they're not present then you may have a theme or plugin that removes this or may have a problem with your WordPress installation - you will need to try the usual diagnostics to try and resolve this, including requesting help on [the WordPress support forum](https://wordpress.org/support/forum/how-to-and-troubleshooting/ "Fixing WordPress Forum").
+If none of the above applies then you may have a theme or plugin that removes this or may have a problem with your WordPress installation - you will need to try the usual diagnostics to try and resolve this, including requesting help on [the WordPress support forum](https://wordpress.org/support/forum/how-to-and-troubleshooting/ "Fixing WordPress Forum").
 
 Please bear in mind that the custom fields functionality is part of WordPress so it would be greatly appreciated if you don't give me poor reviews in this situation as, I say, this component is not part of this plugin but, by using it, keeps this plugin simple to use and bloat-free :)
 
@@ -142,7 +144,17 @@ If you don't wish the output to be full width you can specify a maximum width by
 
 == Embedding in excerpts ==
 
-By default embed code will not appear in excerpts. However, you can switch this ability on via the Code Embed options screen. If you do this then the standard rules of excerpts will still apply, but now once the code embed has applied - for example, excerpts are just text, a specific length, etc.
+By default embed code will not appear in excerpts. However, you can switch this ability on via the Code Embed options screen. If you do this then the standard rules of excerpts will still apply, but now once the code embed has applied - for example, excerpts are just text, a specific length, etc.
+
+== Custom Field Security ==
+
+By default, WordPress allows unfiltered HTML to be used by users in post custom fields, even if their role it set up otherwise. This opens up the possibility of leaving a site vulnerable, if any plugins that uses this data doesn't check it appropriately.
+
+"Out of the box", neither the contributor and author roles have unfiltered HTML capabilities but can access custom post fields.
+
+As this plugin requires the use unfiltered HTML, we need to ensure that the only users who use it, should be using it. From version 2.4, this plugin will now turn off custom fields for any users that don't have this capability. This will protect this plugin, but any others too. On the flip side, some users may now loose access to these fields who may still require it.
+
+For this reason, there is an option in the Code Embed settings screen to turn them back on for all users. Please use this ONLY if it really is needed. I would recommend looking at giving those users different, or modified roles, with the appropriate permissions instead of overridding it here. But the choice is yours.
 
 == Reviews & Mentions ==
 
@@ -152,8 +164,8 @@ By default embed code will not appear in excerpts. However, you can switch this
 
 [Embedding content](http://wsdblog.westbrook.k12.me.us/blog/2009/12/24/embedding-content/ "Embedding content") - WSD Blogging Server.
 
-[Animating images with PhotoPeach](http://comohago.conectandonos.gov.ar/2009/08/05/animando-imagenes-con-photopeach/ "Animando imágenes con PhotoPeach") - Cómo hago.
-
+[Animating images with PhotoPeach](http://comohago.conectandonos.gov.ar/2009/08/05/animando-imagenes-con-photopeach/ "Animando imágenes con PhotoPeach") - Cómo hago.
+
 == Installation ==
 
 Code Embed can be found and installed via the Plugin menu within WordPress administration (Plugins -> Add New). Alternatively, it can be downloaded from WordPress.org and installed manually...
@@ -195,8 +207,12 @@ It is, in that it doesn't save any data that could be odds with GDPR compliance
 
 I use semantic versioning, with the first release being 1.0.
 
+= 2.4 =
+* Enhancement: A vulnerability was raised to me but is actually an issue with Core. I've implemented a fix that protects not just this plugin but any others you may have installed. Please read the section in the README titled "Custom Field Security" for more details
+* Enhancement: Tweaked a few bits of code here. No visible changes, just quality improvements
+
 = 2.3.9 =
-* Enhancement: So, let me tell you a story. To make the output look neat, I was adding carriage returns to the embeds. Except, if you want to embed something part way through a line it can look... well... wrong. And all for it looking clean. Remember kids, cleanlyness isn't always next to Godlyness. Needless to say, those rogue carriage returns are gone
+* Enhancement: So, let me tell you a story. To make the output look neat, I was adding carriage returns to the embeds. Except, if you want to embed something part way through a line it can look... well... wrong. And all for it looking clean. Remember kids, cleanliness isn't always next to Godliness. Needless to say, those rogue carriage returns are gone
 * Enhancement: Whilst I was at it, I updated some of the settings code to a brand-spanking new version, which I'm sharing across all my plugins
 * Enhancement: Tidied up some of the assets, including adding a blueprint for WordPress Playground
 
@@ -332,5 +348,5 @@ versions of this plugin
 
 == Upgrade Notice ==
 
-= 2.3.9 =
-* Minor improvement to output to eliminate unwanted carriage returns
+= 2.4 =
+* Important security update

simple-code-embed.php

@@ -9,7 +9,7 @@
  * Plugin Name:       Code Embed
  * Plugin URI:        https://wordpress.org/plugins/simple-embed-code/
  * Description:       Code Embed provides a very easy and efficient way to embed code (JavaScript and HTML) in your posts and pages.
- * Version:           2.3.9
+ * Version:           2.4
  * Requires at least: 4.6
  * Requires PHP:      7.4
  * Author:            David Artiss
@@ -26,7 +26,7 @@
  * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
  */
 
-define( 'CODE_EMBED_VERSION', '2.3.9' );
+define( 'CODE_EMBED_VERSION', '2.4' );
 
 // Define global to hold the plugin base file name.
 
@@ -38,18 +38,14 @@
 
 $functions_dir = plugin_dir_path( __FILE__ ) . 'includes/';
 
-require_once $functions_dir . 'initialise.php';        // Initialisation scripts.
+require_once $functions_dir . 'initialise.php';    // Initialisation scripts.
 
-if ( is_admin() ) {
+require_once $functions_dir . 'add-scripts.php';   // Add scripts to the main theme.
 
-	require_once $functions_dir . 'shared.php';        // Functions shared across all my plugins.
+require_once $functions_dir . 'add-embeds.php';    // Filter to apply code embeds.
 
-	require_once $functions_dir . 'screens.php';       // Add settings and tools screens.
+require_once $functions_dir . 'shared.php';        // Functions shared across all my plugins.
 
-} else {
+require_once $functions_dir . 'screens.php';       // Add settings and tools screens.
 
-	require_once $functions_dir . 'add-scripts.php';   // Add scripts to the main theme.
-
-	require_once $functions_dir . 'add-embeds.php';    // Filter to apply code embeds.
-
-}
+require_once $functions_dir . 'meta-box.php';      // Suppress meta-boxes.