

Merge branch 'release-0.8.1' into releases
Archetyped committed Mar 1, 2024
2 parents 76914ca + ce464f3 commit fadf47a
Showing 8 changed files with 29 additions and 19 deletions.
2 changes: 1 addition & 1 deletion includes/class.content_base.php
@@ -75,7 +75,7 @@ class CNR_Content_Base extends CNR_Base {
*/
function __construct($id = '', $parent = null) {
parent::__construct();
$id = trim($id);
$id = sanitize_key($id);
$this->id = $id;
if ( is_bool($parent) && $parent )
$parent = $id;
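Review bot: Replacing `$id = trim($id);` with `$id = sanitize_key($id);` in the constructor changes the identifier itself, not just its padding: `sanitize_key()` lowercases the value and drops every character outside `a-z0-9_-`, so an ID registered with capitals, dots or inner spaces now resolves to a different string, and two previously distinct IDs can collapse into one. If IDs are persisted or compared elsewhere (not visible in this hunk), existing records may stop matching after the upgrade. A comment above the call would make the new contract explicit, e.g. `// IDs are normalized to lowercase [a-z0-9_-]; all other characters are dropped`. The constructor body continues past the end of the hunk.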
9 changes: 5 additions & 4 deletions includes/class.content_utilities.php
@@ -604,7 +604,7 @@ function admin_manage_query($type = 'post') {
$q['m'] = isset($g['m']) ? (int) $g['m'] : 0;
//Category
$q['cat'] = isset($g['cat']) ? (int) $g['cat'] : 0;
$post_stati = array( // array( adj, noun )
$post_stati = array(
'publish' => array(_x('Published', 'post'), __('Published posts'), _n_noop('Published <span class="count">(%s)</span>', 'Published <span class="count">(%s)</span>')),
'future' => array(_x('Scheduled', 'post'), __('Scheduled posts'), _n_noop('Scheduled <span class="count">(%s)</span>', 'Scheduled <span class="count">(%s)</span>')),
'pending' => array(_x('Pending Review', 'post'), __('Pending posts'), _n_noop('Pending Review <span class="count">(%s)</span>', 'Pending Review <span class="count">(%s)</span>')),
@@ -645,7 +645,7 @@ function admin_manage_query($type = 'post') {
$q['paged'] = (int) $g['paged'];
$q['posts_per_page'] = apply_filters( 'edit_posts_per_page', $posts_per_page );
//Search
$q[s] = ( isset($g['s']) ) ? $g[s] : '';
$q['s'] = ( isset($g['s']) ) ? $g['s'] : '';
$wp_query->query($q);

return array($post_stati, $avail_post_stati);
@@ -729,6 +729,7 @@ function admin_page_manage($type, $action) {
$user_posts = false;
if ( !current_user_can('edit_others_posts') ) {
$user_posts_count = $wpdb->get_var( $wpdb->prepare("SELECT COUNT(1) FROM $wpdb->posts p JOIN $wpdb->postmeta m ON m.post_id = p.id WHERE m.meta_key = '_cnr_post_type' AND m.meta_value = %s AND p.post_status != 'trash' AND p.post_author = %d", $type->get_meta_value(), $current_user->ID) );
$user_posts_count = intval( $user_posts_count );
$user_posts = true;
if ( $user_posts_count && empty($_GET['post_status']) && empty($_GET['all_posts']) && empty($_GET['author']) )
$_GET['author'] = $current_user->ID;
@@ -738,7 +739,7 @@ function admin_page_manage($type, $action) {
?>
<div class="wrap">
<?php screen_icon('edit'); ?>
<h2><?php echo esc_html( $title ); ?> <a href="<?php echo $add_url; ?>" class="button add-new-h2"><?php echo esc_html_x('Add New', 'post'); ?></a> <?php
<h2><?php echo esc_html( $title ); ?> <a href="<?php echo sanitize_url( $add_url ); ?>" class="button add-new-h2"><?php echo esc_html_x('Add New', 'post'); ?></a> <?php
if ( isset($_GET['s']) && $_GET['s'] )
printf( '<span class="subtitle">' . __('Search results for &#8220;%s&#8221;') . '</span>', esc_html( get_search_query() ) ); ?>
</h2>
@@ -755,7 +756,7 @@ function admin_page_manage($type, $action) {
$num_posts = $this->count_posts($type, 'readable');
$class = '';
$allposts = '';
$curr_page = $_SERVER['PHP_SELF'] . '?page=' . $_GET['page'];
$curr_page = sanitize_url( $_SERVER['PHP_SELF'] . '?page=' . $_GET['page'] );
if ( $user_posts ) {
if ( isset( $_GET['author'] ) && ( $_GET['author'] == $current_user->ID ) )
$class = ' class="current"';
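Review bot: `sanitize_url()` is used as the output escaper for the "Add New" `href` and for `$curr_page` in `admin_page_manage()`, but it is the storage/redirect variant (the `esc_url_raw()` behaviour) and does not entity-encode `&` or `'` for HTML. It was also a deprecated function on WordPress releases before 5.9, while this commit still declares `Requires at least: 5.3`. For markup the matching escaper is `esc_url()`, applied where the value is printed: `<a href="<?php echo esc_url( $add_url ); ?>" class="button add-new-h2">`. In the `$curr_page` line, `$_GET['page']` is concatenated unencoded and `$_SERVER['PHP_SELF']` is request-derived, so the parameter should go through `rawurlencode()` (or `sanitize_key()`) before concatenation, with `esc_url()` at the point where `$curr_page` is echoed, which is outside this hunk.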
2 changes: 1 addition & 1 deletion includes/class.feeds.php
@@ -197,7 +197,7 @@ function get_links() {
$title = ( !empty($links) ) ? __('Subscribe to All updates') : __('Subscribe to Updates');
$links[get_feed_link()] = $title;
foreach ($links as $href => $title) {
$text[] = sprintf($link_template, $href, $title, esc_attr($title));
$text[] = sprintf( $link_template, esc_attr( $href ), $title, esc_attr( $title ) );
}
$text = implode(' or ', $text);
return $text;
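Review bot: In the `sprintf()` call inside `get_links()`, `$href` is now passed through `esc_attr()`, which encodes quotes but does not check the URL scheme; for a value that lands in an `href`, `esc_url( $href )` is the matching escaper. The second argument, `$title`, is still passed raw while the third is `esc_attr( $title )`; `$link_template` is not visible here, but if that placeholder is the link text it should be `esc_html( $title )`. Suggested line: `$text[] = sprintf( $link_template, esc_url( $href ), esc_html( $title ), esc_attr( $title ) );`. The function starts before the hunk.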
21 changes: 12 additions & 9 deletions includes/class.media.php
@@ -186,13 +186,16 @@ function field_upload_media() {
//Get Attachment ID
$field_var = $this->add_prefix('field');
$args = new stdClass();
$args->id = array_shift( array_keys($_POST['setmedia']) );
$keys = array_keys($_POST['setmedia']);
$args->id = esc_attr( array_shift($keys) );
unset($keys);
$args->field = '';
if ( isset($_REQUEST['attachments'][$args->id][$this->var_field]) )
$args->field = $_REQUEST['attachments'][$args->id][$this->var_field];
elseif ( isset($_REQUEST[$this->var_field]) )
$args->field = $_REQUEST[$this->var_field];
$a =& get_post($args->id);
$args->field = esc_attr( $args->field );
$a = get_post($args->id);
if ( ! empty($a) ) {
$args->url = wp_get_attachment_url($a->ID);
$args->type = get_post_mime_type($a->ID);
@@ -220,7 +223,7 @@ function field_upload_media() {
//Display default UI

//Determine media type
$type = ( isset($_REQUEST['type']) ) ? $_REQUEST['type'] : 'cnr_field_media';
$type = ( isset($_REQUEST['type']) ) ? esc_attr( $_REQUEST['type'] ) : 'cnr_field_media';
//Determine UI to use (disk or URL upload)
$upload_form = ( isset($_GET['tab']) && 'type_url' == $_GET['tab'] ) ? 'media_upload_type_url_form' : 'media_upload_type_form';
//Load UI
@@ -242,7 +245,7 @@ function field_upload_media() {
function attachment_fields_to_edit($form_fields, $attachment) {

if ( $this->is_custom_media() ) {
$post =& get_post($attachment);
$post = get_post($attachment);
//Clear all form fields
$form_fields = array();
//TODO Display custom buttons based on mime type defined in content type's field
@@ -263,7 +266,7 @@ function attachment_fields_to_edit($form_fields, $attachment) {
$field = array(
'label' => '',
'input' => 'html',
'html' => '<input type="submit" class="button" value="' . $set_as . '" name="setmedia[' . $post->ID . ']" />'
'html' => '<input type="submit" class="button" value="' . esc_attr( $set_as ) . '" name="setmedia[' . $post->ID . ']" />'
);
$form_fields['buttons'] = $field;
//Add field ID value as hidden field (if set)
@@ -284,7 +287,7 @@ function attachment_fields_to_edit($form_fields, $attachment) {
* @return bool TRUE if item is media, FALSE otherwise
*/
function is_media($media) {
$media =& get_post($media);
$media = get_post($media);
return ( ! empty($media) && 'attachment' == $media->post_type );
}

@@ -317,7 +320,7 @@ function attachment_html_upload_ui() {
$vars = array ($this->var_action, $this->var_field);
foreach ( $vars as $var ) {
if ( isset($_REQUEST[$var]) )
echo '<input type="hidden" name="' . $var . '" id="' . $var . '" value="' . esc_attr($_REQUEST[$var]) . '" />';
echo '<input type="hidden" name="' . esc_attr( $var ) . '" id="' . esc_attr( $var ) . '" value="' . esc_attr( $_REQUEST[$var] ) . '" />';
}
}

@@ -495,7 +498,7 @@ function the_attachment_filesize($post = null, $formatted = true) {
*/
function get_media_output($media, $type = 'url', $attr = array()) {
$ret = '';
$media =& get_post($media);
$media = get_post($media);
//Continue processing valid media items
if ( $this->is_media($media) ) {
//URL - Same for all attachments
@@ -536,7 +539,7 @@ function get_media_html($media) {

function get_link($media, $attr = array()) {
$ret = '';
$media =& get_post($media);
$media = get_post($media);
if ( $this->is_media($media) ) {
$attr['href'] = wp_get_attachment_url($media->ID);
$text = ( isset($attr['text']) ) ? $attr['text'] : basename($attr['href']);
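Review bot: In `field_upload_media()` (first two hunks of this file), `esc_attr()` is applied to request input at read time (`$args->id`, `$args->field`, `$_REQUEST['type']`), but it is an HTML-attribute output escaper rather than a validator: the attachment ID is still an arbitrary string when it indexes `$_REQUEST['attachments']` and is passed to `get_post()`. Typing the values where they are read is tighter, e.g. `$args->id = absint( array_shift( $keys ) );`, and `sanitize_key()` for the type and field names if those are always lowercase keys, keeping `esc_attr()` for the place where they are printed. `array_keys($_POST['setmedia'])` also assumes the parameter is an array; unless that is checked above the hunk, a scalar value raises a `TypeError` on PHP 8, so an `is_array()` guard is worth adding. The function starts before and continues after the visible lines.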
2 changes: 1 addition & 1 deletion includes/class.utilities.php
@@ -1199,7 +1199,7 @@ function build_attribute_string($attr) {
if ( is_object($attr) )
$attr = (array) $attr;
if ( is_array($attr) ) {
array_map('esc_attr', $attr);
$attr = array_map('esc_attr', $attr);
$attr_str = array();
foreach ( $attr as $key => $val ) {
$attr_str[] = $key . '="' . $val . '"';
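Review bot: In `build_attribute_string()`, only the values are escaped after this change; `$key` is still written into the markup as-is in `$attr_str[] = $key . '="' . $val . '"';`. If any caller passes an array whose keys are not hard-coded, the attribute name should be validated before the concatenation, for example `if ( ! preg_match( '/^[a-zA-Z_:][-a-zA-Z0-9_:.]*$/', $key ) ) continue;`. `array_map('esc_attr', $attr)` also assumes every value is scalar; a nested array would presumably be stringified rather than rejected, which deserves a short comment or an `is_scalar()` filter. The function starts before and continues after the hunk.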
2 changes: 1 addition & 1 deletion main.php
@@ -9,7 +9,7 @@
* Plugin Name: Cornerstone
* Plugin URI: http://archetyped.com/tools/cornerstone/
* Description: Enhanced content management for WordPress
* Version: 0.8.0
* Version: 0.8.1
* Requires at least: 5.3
* Text Domain: cornerstone
* Author: Archetyped
2 changes: 1 addition & 1 deletion package.json
@@ -1,6 +1,6 @@
{
"name": "cornerstone",
"version": "0.8.0",
"version": "0.8.1",
"title": "Cornerstone",
"description": "Enhanced content management for WordPress",
"author": "Archetyped <[email protected]>",
8 changes: 7 additions & 1 deletion readme.txt
@@ -4,7 +4,7 @@ Donate: https://gum.co/cnr-donate
Tags: cornerstone, cms, content, management, system, structure, organization, sections
Plugin Link: http://archetyped.com/tools/cornerstone/
Requires at least: 5.3
Tested up to: 6.0
Tested up to: 6.4
Stable tag: trunk

Enhanced content management for WordPress
@@ -60,6 +60,12 @@ Post your questions/comments at [Cornerstone's official issue tracker](https://g

== Changelog ==

= 0.8.1 =

* Optimize: Confirm WordPress 6.4 Compatibility
* Optimize: Data validation/formatting
* Optimize: Internal code cleanup

= 0.8.0 =

* Update: Custom permalink structure option integration for WordPress 6.1+.
