Merge pull request #73 from dartiss/develop

Develop

Author: dartiss

.DS_Store

@@ -141,7 +141,7 @@ function ce_quick_replace( $content = '', $options = '', $search = '' ) {
 		$end_pos = strpos( $content, $options['closing_ident'], $start_pos + 1 );
 
 		if ( false !== $end_pos ) {
-			$url  = substr( $content, $start_pos + $open_len, $end_pos - $start_pos - $close_len );
+			$url  = substr( $content, $start_pos + strlen( $options['opening_ident'] ), $end_pos - ( $start_pos + strlen( $options['opening_ident'] ) ) );
 			$file = ce_get_file( $url );
 			if ( false !== $file ) {
 				$content = str_replace( $options['opening_ident'] . $url . $options['closing_ident'], $file, $content );

assets/.DS_Store

@@ -44,12 +44,6 @@
 		$options['excerpt'] = '';
 	}
 
-	if ( isset( $_POST['code_embed_meta_box'] ) ) {
-		$options['meta_box'] = sanitize_text_field( wp_unslash( $_POST['code_embed_meta_box'] ) ); // Input var okay.
-	} else {
-		$options['meta_box'] = '';
-	}
-
 	update_option( 'artiss_code_embed', $options );
 
 	echo '<div class="updated fade"><p><strong>' . esc_html( __( 'Settings saved.', 'simple-embed-code' ) ) . "</strong></p></div>\n";
@@ -58,12 +52,6 @@
 // Fetch options into an array.
 
 $options = get_option( 'artiss_code_embed' );
-
-// Display a message box if the custom meta box removal has been overridden.
-
-if ( '1' === $options['meta_box'] ) {
-	echo '<div class="error fade"><p><strong>' . esc_html( __( 'Warning: You have custom post fields switched on for users who do not have the unfiltered HTML capability. This means that insecure code can be added. Please see the plugin README for more details.', 'simple-embed-code' ) ) . "</strong></p></div>\n";
-}
 ?>
 
 <form method="post" action="<?php echo esc_url( get_bloginfo( 'wpurl' ) ) . '/wp-admin/options-general.php?page=ce-options'; ?>">
@@ -77,13 +65,6 @@
 /><?php esc_html_e( 'Allow embedded code to be shown in excerpts', 'simple-embed-code' ); ?></td>
 </tr>
 
-<tr>
-<th scope="row"><label for="code_embed_meta_box"><?php echo esc_html( ucwords( __( 'Allow custom fields for all users', 'simple-embed-code' ) ) ); ?></label></th>
-<td><input type="checkbox" name="code_embed_meta_box" value="1"
-<?php checked( '1', $options['meta_box'] ); ?>
-/><?php esc_html_e( 'Allows custom meta boxes to be shown for all users, including those without unfiltered HTML permissions.', 'simple-embed-code' ); ?><p class="description"><?php esc_html_e( 'For security purposes, it is recommended that you do not select this option unless you have to. Please the plugin README for more details.' ); ?></p></td>
-</tr>
-
 </table>
 
 <?php echo '<h3>' . esc_html( ucwords( __( 'Identifier format', 'simple-embed-code' ) ) ) . '</h3>' . esc_html__( 'Specify the format that will be used to define the way the code is embedded in your post. The formats are case insensitive and characters &lt; &gt [ ] are invalid.', 'simple-embed-code' ); ?>

includes/add-embeds.php

@@ -0,0 +1,55 @@
+<?php
+/**
+ * Meta boxes
+ *
+ * Functions related to meta-box management.
+ *
+ * @package simple-embed-code
+ */
+
+// Exit if accessed directly.
+
+if ( ! defined( 'ABSPATH' ) ) {
+	exit;
+}
+
+/**
+ * Remove Custom Fields
+ *
+ * Remove the custom field meta boxes if the user doesn't have the unfiltered HTML permissions.
+ *
+ * @param    string  $post_id   Post ID.
+ * @param    string  $post      Post object.
+ * @param    boolean $update    Whether this is an existing post being updated.
+ */
+function sec_check_post_fields( $post_id, $post, $update ) {
+
+	$options = get_option( 'artiss_code_embed' );
+
+	// Check if it's an autosave or if the current user has the 'unfiltered_html' capability.
+	if ( ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) || ( current_user_can( 'unfiltered_html' ) ) ) {
+		return;
+	}
+
+	// Fetch all post meta (custom fields) associated with the post.
+	$custom_fields = get_post_meta( $post_id );
+
+	// If there are custom fields, read through them.
+	if ( ! empty( $custom_fields ) ) {
+
+		foreach ( $custom_fields as $key => $value ) {
+
+			// Check to see if any begining with this plugin's prefix.
+			if ( substr( $key, 0, strlen( $options['keyword_ident'] ) ) === $options['keyword_ident'] ) {
+
+				// Filter the meta value.
+				$new_value = wp_kses_post( $value[0] );
+
+				// Now write out the new value.
+				update_post_meta( $post_id, $key, $new_value );
+			}
+		}
+	}
+}
+
+add_action( 'save_post', 'sec_check_post_fields', 10, 3 );

includes/meta-box.php

@@ -5,7 +5,7 @@ Tags: code, embed, html, css, javascript
 Requires at least: 4.6
 Tested up to: 6.6
 Requires PHP: 7.4
-Stable tag: 2.4
+Stable tag: 2.5
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
 
@@ -146,15 +146,13 @@ If you don't wish the output to be full width you can specify a maximum width by
 
 By default embed code will not appear in excerpts. However, you can switch this ability on via the Code Embed options screen. If you do this then the standard rules of excerpts will still apply, but now once the code embed has applied - for example, excerpts are just text, a specific length, etc.
 
-== Custom Field Security ==
+== Filtering of code ==
 
 By default, WordPress allows unfiltered HTML to be used by users in post custom fields, even if their role it set up otherwise. This opens up the possibility of leaving a site vulnerable, if any plugins that uses this data doesn't check it appropriately.
 
 "Out of the box", neither the contributor and author roles have unfiltered HTML capabilities but can access custom post fields.
 
-As this plugin requires the use unfiltered HTML, we need to ensure that the only users who use it, should be using it. From version 2.4, this plugin will now turn off custom fields for any users that don't have this capability. This will protect this plugin, but any others too. On the flip side, some users may now loose access to these fields who may still require it.
-
-For this reason, there is an option in the Code Embed settings screen to turn them back on for all users. Please use this ONLY if it really is needed. I would recommend looking at giving those users different, or modified roles, with the appropriate permissions instead of overridding it here. But the choice is yours.
+As this plugin requires the use unfiltered HTML, we need to ensure that the only users who use it, should be using it. From version 2.5, any users without this permission that update a post containing embeds from this plugin will cause the code to be filtered.
 
 == Reviews & Mentions ==
 
@@ -179,9 +177,11 @@ Voila! It's ready to go.
 
 = My code doesn't work =
 
-If your code contains the characters `]]>` then you'll find that it doesn't - WordPress modifies this itself.
+If your code contains the characters `]]>` then you'll find that it doesn't - WordPress modifies this itself.
+
+Also, check to see if the post has been modified by a user without `unfiltered_html` permissions - if it was, they may have caused the code to have been modified (see the "Filtering of code" section above).
 
-Otherwise, it's likely to be your code and not this plugin. The best way to confirm this is to look at the source of the page and compare the code output with what you embedded. Does it match? If it does, then your code is at fault.
+Otherwise, it's likely to be your code and not this plugin. The best way to confirm this is to look at the source of the page and compare the code output with what you embedded. Does it match? If it does, then your code is at fault.
 
 = What's the maximum size of the embed code that I can save in a custom field? =
 
@@ -207,6 +207,10 @@ It is, in that it doesn't save any data that could be odds with GDPR compliance
 
 I use semantic versioning, with the first release being 1.0.
 
+= 2.5 =
+* Enhancement: This release is a revised version of 2.4, with less impact to other plugins and users. See the README for more details, but this undoes the changes in 2.4 and adds in filtering of code embed fields for users without the correct permissions.
+* Bug: Fixed a long time bug that could cause an infinite loop to occur in rare situations
+
 = 2.4 =
 * Enhancement: A vulnerability was raised to me but is actually an issue with Core. I've implemented a fix that protects not just this plugin but any others you may have installed. Please read the section in the README titled "Custom Field Security" for more details
 * Enhancement: Tweaked a few bits of code here. No visible changes, just quality improvements
@@ -348,5 +352,5 @@ versions of this plugin
 
 == Upgrade Notice ==
 
-= 2.4 =
+= 2.5 =
 * Important security update

includes/options-screen.php

@@ -9,7 +9,7 @@
  * Plugin Name:       Code Embed
  * Plugin URI:        https://wordpress.org/plugins/simple-embed-code/
  * Description:       Code Embed provides a very easy and efficient way to embed code (JavaScript and HTML) in your posts and pages.
- * Version:           2.4
+ * Version:           2.5
  * Requires at least: 4.6
  * Requires PHP:      7.4
  * Author:            David Artiss
@@ -26,7 +26,7 @@
  * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
  */
 
-define( 'CODE_EMBED_VERSION', '2.4' );
+define( 'CODE_EMBED_VERSION', '2.5' );
 
 // Define global to hold the plugin base file name.
 
@@ -48,4 +48,4 @@
 
 require_once $functions_dir . 'screens.php';       // Add settings and tools screens.
 
-require_once $functions_dir . 'meta-box.php';      // Suppress meta-boxes.
+require_once $functions_dir . 'secure.php';        // Security functionality.